The CMDB question that decides everything

Last week I argued that your AI agents are a regulated product now.

This week, the harder follow-up.

Your CMDB is the foundation that makes that argument true or empty.

I keep watching teams sprint to inventory their AI agents, classify them against Annex III, and instrument logging. They are doing the right work. And almost all of them are building it on top of a CMDB that cannot support the weight.

It is the unglamorous problem that breaks the whole program.

Why the CMDB became a regulatory artifact

The EU AI Act does not contain the word "CMDB." It does not need to.

Article 10 of the AI Act sets data governance requirements for high-risk AI systems. Training, validation, and testing data must be relevant, representative, and to the best extent possible free of errors and complete in view of the intended purpose. Data governance practices must cover collection processes, origin of data, data preparation, assumptions about what the data measures, and bias examination.

Article 11 requires technical documentation that demonstrates how the system was built and what data it relied on.

Article 12 requires logging that allows traceability across the system's lifetime.

When your AI agent inside ServiceNow makes a decision, it pulls from the CMDB and the CSDM. It uses CI relationships, ownership, lifecycle states, and policy data to inform what it does. That data is the agent's operational ground truth.

If your CMDB cannot answer which CIs are in scope, who owns them, and what policy applies, your agent cannot answer it either. The agent inherits the data quality you give it. The regulator does not care which system was at fault.

The three CMDB problems I see in almost every DACH estate

The good news is that ServiceNow has named these problems precisely. The CMDB Health Dashboard measures three things: Completeness, Correctness, and Compliance. The 3Cs.

In the field, here is how each one actually fails.

Completeness. Required fields blank. CI Owner missing. Lifecycle state set to a default that has not been touched in three years. Recommended fields like Location, Serial Number, and Business Service ignored because nobody made them mandatory. The result: the agent does not know what it is looking at, who is accountable, or whether the CI is even live.

Correctness. Orphan CIs that exist with no relationships. Duplicate records created by uncoordinated discovery feeds. Stale CIs that were last updated when the previous CIO was still in post. Wrong classifications because the IRE rules were never tuned. The result: the agent acts on a phantom version of reality.

Compliance. This one is usually empty in the dashboards I see. No Desired State audits configured. No relationship rules. No scripted audits. The dashboard shows 100% because nothing has been measured. The result: there is no evidence the CIs match policy, even when they do.

If a regulator asks what data your AI agent relied on to deny a credit application, refuse a hire, or trigger a maintenance action, "we have a 100% compliance score" is not the answer that helps you. "Here is the audit trail showing the CI state at the time of the decision, the policy it was checked against, and the human who approved the deviation" is.

What to clean first

You cannot clean everything before August. Do not try.

Pick the use cases first, the data second. The order matters.

1. Start from the agents most likely to be Annex III. Hiring workflows in HRSD. Credit and underwriting flows in CSM. Anything connected to critical infrastructure in ITOM. These are the agents whose data foundation is going to be examined hardest.
2. For each, walk the CIs they touch. What classes? What relationships? What attributes do those agents read? This is your scoped CMDB cleanup target. Not the whole estate. The slice the agent actually uses.
3. Run CMDB Health on that slice. Required fields populated. Owners assigned. No orphans. No duplicates. Lifecycle state accurate. Use Now Assist for CMDB if you have it; the AI-driven remediation is genuinely faster than manual cleanup at scale.
4. Configure at least one Desired State audit per scoped class. This is the move most teams skip. Without it, your Compliance score is meaningless.
5. Document the cleanup itself. When the BNetzA, BaFin, or your sector regulator asks how your data foundation supports the agent's decisions, the answer is the documentation, not the data.

What to leave alone

Everything outside the agent's scope can wait. The temptation is to do a full CMDB transformation because the foundation is shaky everywhere. Resist it. A perfect CMDB in 2027 is worth less than a defensible CMDB slice for your three highest-risk agents in August 2026.

Discovery feeds for non-AI-touched CI classes can be improved later. Custom fields with no business owner can be retired in a normal lifecycle. Your CSDM maturity journey from Crawl to Walk to Run can take its time.

The AI Act does not require a perfect CMDB. It requires a defensible one for the systems in scope.

How to know when it is good enough

Three tests. If you can answer yes to all three for an agent's scope, you are ready.

1. The lineage test. Can you show, for any decision the agent made in the last 30 days, which CIs informed that decision and what state they were in at the time?
2. The accountability test. For every CI in the agent's scope, is there a named owner who can be reached, and a policy the CI is supposed to comply with?
3. The audit test. Can you produce a report from the CMDB Health Dashboard, scoped to the classes the agent uses, showing Completeness, Correctness, and Compliance scores trending over time?

If yes to all three, your foundation will hold. If no to any, that is your first cleanup target.

The wider point

The AI agent inventory I wrote about last week is the right starting move. But it is the visible half of the problem.

The invisible half is underneath. Your CMDB and CSDM determine whether your agent classification work is built on rock or sand. The teams that get this right will spend the autumn defending well-grounded decisions to regulators. The teams that skip it will spend the autumn explaining why their compliance evidence does not match their agent behavior.

This is the boring problem that decides everything.

If you want a sanity check

The Moch.IT team works with platform owners and ITSM leaders across DACH on CMDB readiness for AI agent compliance. Ninety minutes. We walk one agent's data foundation end to end. You leave with a scoped cleanup plan, the three audits to configure first, and the documentation outline a regulator would actually accept.

Book a consultation at moch-it.com.

Until next week.

— Michael

This article is commentary, not legal advice. For compliance decisions, work with qualified legal counsel.