No matter how advanced we get the trials and tribulations of mapping IT apples to apples is still a quandry.

As the CMDB process owner I have operated under the notion of that which I have read regarding standing up and managing a CMDB - You do NOT want to boil the ocean.

The key is to understand best practices and stakeholder use cases and march forward with a defined policy. We stood up the Vulnerability Response module a while back and the VR uses a CI ownership field that is only managed for our Principal classes. Those classes are used in ITSM and to support a Service. The VR team has advised that if it's on the wire they want it managed in the CMDB but that seems like boiling the ocean.

I'm looking for some guidance on a sort of Asset vs. CI vs. Vulnerability Management eligibility matrix we can use to hold up our future policy statements for our ITAM program. 

Any thoughts or examples out there?