Multi-Source CMDB Reconciliation

Multi-Source CMDB Reconciliation: Why Last-Scan-Wins Destroys Data Quality

ByTeam Virima

Most CMDBs you’ll see in production run on a quiet failure mode called last-scan-wins. And the fix? It’s multi-source CMDB reconciliation. The gap between the two is where your bad changes, broken dependencies, and corrupted audit trails come from.

Your CMDB says the production database server lives in Rack 12. Your agent-based discovery scan ran at 2:00 AM and confirmed it.

Then at 3:00 AM, an agentless network scan ran. It got the server’s location wrong. The switch port mapping it used hadn’t been updated in six months. So by 3:01 AM, your CMDB says Rack 18.

Next, your change advisory board approves a power maintenance window for Rack 18. Engineers cut power the next morning. Production goes dark. The post-mortem traces back to a CMDB record that was right at 2:00 AM and wrong by sunrise.

Nobody changed the server. Nobody filed a ticket. Nothing was misconfigured. Your ITIL change management process ran exactly as designed. However, the CMDB just trusted the wrong source. The rule behind that choice was the laziest one available: whichever scan ran most recently.

That’s last-scan-wins reconciliation. It’s the default behavior in most CMDBs running today. And it’s one of the most common reasons your CMDB data quality erodes the longer the system runs.

What multi-source CMDB reconciliation actually is

Your CMDB is rarely fed from one source. After all, a CMDB without discovery is just a database. Even a small environment usually pulls from many:

  • Agent-based IT discovery (deep visibility, slower cadence)
  • Agentless network discovery (broad coverage, surface-level accuracy)
  • Cloud provider APIs (trusted for cloud-native objects)
  • ITSM ticket data (trusted for ownership, service mapping)
  • Manual edits by humans (trusted when nothing else is)
  • Third-party feeds (vendor inventories, IoT/OT scanners, security tools)

Each of these sources knows something the others don’t. None of them knows everything. So what is reconciliation? It’s the layer that decides what your CMDB actually believes when two sources disagree about the same CI. (If you want the broader picture first, our complete CMDB guide for IT teams covers the fundamentals.)

Done well, reconciliation stays invisible. Engineers, auditors, and AI agents read a clean CMDB and trust it. Done badly, it’s an arms race. The loudest, most recent, or most aggressive source overwrites whatever was there before. The bad version even has a name in the industry: last-scan-wins.

Why last-scan-wins became the default

Because it’s easy.

First, a discovery tool scans your environment. It writes its observation into the CMDB. Five hours later, another tool scans the same item and writes a different observation. Now the CMDB has two records for the same CI and needs to decide what to do.

Last-scan-wins says: take the newest one. Overwrite the previous one. Move on.

It needs no rules, no source ranking, no attribute-level logic, no human review. As a result, it scales to millions of CIs without anyone tuning anything. From a system architect’s perspective, it’s the path of least resistance. The problem is that “newest” and “most accurate” are not the same thing. They almost never are.

The four ways last-scan-wins quietly destroys CMDB data quality

1. It treats every source as equally authoritative

A vendor-specific cloud API is the ground truth for the cloud instance it describes. A general-purpose network scanner is making educated guesses. Last-scan-wins doesn’t know the difference. Furthermore, if the scanner runs after the API sync, the scanner’s guess overwrites the API’s truth.

That’s the cheap version of the multi-source authority problem. The expensive version: you don’t know it’s happening. Your CMDB doesn’t show which source contributed which attribute. So when a record is wrong, you have no audit trail to follow.

2. It operates at the record level, not the attribute level

Your sources are not uniformly good or bad. An agentless scanner might be great at IP and MAC addresses. But it’s mediocre at hostnames and unreliable on owner. Meanwhile, an ITSM import might be trusted for owner and business service. But it’s irrelevant for OS patch level.

Last-scan-wins doesn’t care. When a source writes a record, it writes every attribute. That includes the ones it was guessing about. As a result, a good attribute gets overwritten by a bad attribute from the next scan.

The right model is attribute-level reconciliation. For each field on each CI, your CMDB knows which source is authoritative for that field. The CMDB treats other sources as supporting evidence, not ground truth.

3. It rewards aggressiveness over accuracy

Whichever discovery tool scans most frequently wins, full stop. Picture this. Your agentless network scan runs every hour. Your trusted cloud API sync runs every six hours. So the network scan’s data dominates your CMDB for five out of every six hours.

The fix isn’t to slow down the network scan. Instead, stop assuming frequency equals authority. Frequency is a recency signal. Authority is a different signal entirely.

A mature reconciliation engine reads both. It weights them separately. And it resolves conflicts based on source-attribute authority, not scan cadence.

4. It hides conflicts instead of surfacing them

The most dangerous failure mode is the silent one. When two sources disagree and last-scan-wins picks the newer one, the disagreement disappears from the record. There’s no flag, no exception queue, no review.

As a result, the CMDB looks clean. Then the downstream consumers trust what they read. That includes change management, service mapping, and AI agents acting on CI data.

A CMDB that’s a real source of truth surfaces conflicts. It tells you that source A and source B disagreed about the OS version on this server. Then it shows you which one it picked and why.

That’s not noise. That’s the audit trail every regulated industry already requires for the rest of their data. It’s also the foundation under any AI agent that’s going to take action against your CMDB.

What proper multi-source CMDB reconciliation looks like

Strip away the vendor marketing. Reconciliation that actually works has five characteristics.

Good reconciliation records source attribution per attribute, not per record. Each field on each CI carries metadata about which source contributed it, when, and with what confidence. For example, the CMDB knows the hostname came from agent-based discovery at 02:14 with 99% confidence. Meanwhile, the location came from the network scanner at 03:01 with 70% confidence.

You configure authority per source per attribute. Your cloud API owns cloud instance type, region, and tags. Your ITSM owns owner, business service, and criticality. Your agent-based discovery owns installed software and patch level. And the rules stay explicit, reviewable, and version-controlled.

The engine scores recency, never assumes it. A four-hour-old reading from a trusted source beats a four-minute-old reading from a low-confidence one. The reconciliation engine weighs both signals. Then it chooses based on the combined score.

The engine surfaces conflicts. It never buries them. When sources disagree on an attribute that matters, the disagreement lands in a queue you can review. The CMDB still picks a value to display so downstream consumers don’t break. However, the engine logs the conflict, lets you file exceptions, and records the decision in the audit trail.

The whole chain stays explainable. An auditor, SRE, or AI agent might ask, “Why does the CMDB say this?” Then the answer is a traceable lineage. Source, timestamp, confidence, authority rule, conflict history. Not a black box.

Why this matters more now: AI agents are reading your CMDB

Until recently, CMDB data quality was a back-office concern. The consumers were humans. Change managers, auditors, capacity planners. They could spot-check, file exceptions, and override bad data when they noticed it.

That’s changing fast. AI agents now consume CMDB data. They make recommendations, trigger workflows, and increasingly take action under governance frameworks. At ServiceNow’s Knowledge 2026 event, the company made governed AI agent action mainstream. Action Fabric and AI Control Tower were the headline announcements. Consequently, the new question every IT leader needs to answer is: governed action on what state?

Here’s the trap. Workflow context is the history of every decision your business has made. Runtime truth is something different. Runtime truth is what actually exists right now, how it’s connected, and what will break if it changes.

Therefore, an AI agent reading a CMDB poisoned by last-scan-wins isn’t acting on runtime truth. It’s acting on whichever scan finished most recently, including the scans that were wrong.

A governed action on stale or wrong state is still a wrong action. The governance layer doesn’t save you. The audit trail just documents the mistake more thoroughly.

Multi-source CMDB reconciliation is the layer underneath all of it. Without trusted reconciliation, every layer above it compounds the underlying error. That includes your ITSM, AIOps, dependency mapping, and agentic IT.

How Virima approaches CMDB conflict resolution

We built Virima around multi-source authority from the start. That’s why the reconciliation model is attribute-level, not record-level.

Your CI attributes can carry source attribution, confidence, and timestamp metadata. As a result, you can see which source contributed each field. You can also configure authority rules per source per attribute. So your cloud API can own region and instance type. Your agent-based discovery can own installed software. And your ITSM can own owner and business service, without those sources overwriting each other.

Additionally, Virima scores recency separately from authority. So frequent low-confidence scans don’t trample less frequent trusted ones.

When sources disagree on an attribute that matters, the reconciliation engine takes over. It resolves the conflict using the rules you’ve set. Then the engine logs the disagreement with full source lineage. Engineers and auditors can review, override, or refine the rules over time.

Just as important: your Virima discovery data is portable. The same trusted multi-source data feeds your ITSM platforms via bidirectional sync. Examples include ServiceNow, Ivanti, Halo, Xurrent, Jira Service Management, and TeamDynamix. So your reconciliation quality isn’t locked behind any single vendor’s roadmap. If your ITSM strategy changes, your operational truth doesn’t have to start over.

This is the foundation of runtime truth. It’s trusted, multi-source, attribute-resolved data about what actually exists. You see how everything’s connected. And you can trace every field back to its source. For ServiceNow-specific guidance on this problem, see our deep dive on ServiceNow CMDB accuracy.

Next steps: how to start fixing CMDB data quality this quarter

You don’t have to rip out your CMDB to start fixing this. The first moves are diagnostic.

First, pull your top 20 most-referenced CIs in change management over the last quarter — that’s the most direct way to determine CMDB accuracy at the level that matters. Then for each one, ask three questions:

  • Which source most recently wrote each attribute?
  • When was the last time those attributes disagreed across sources?
  • Was that disagreement ever surfaced anywhere a human could review it?

For most teams, the answers to the second and third questions will be uncomfortable. Disagreements happen constantly. They’re almost never surfaced. The CMDB just absorbs whichever signal arrived last and presents the result as ground truth.

That gap is real. It sits between what the CMDB shows you and what was actually true at any moment. And it’s the operational debt last-scan-wins has been quietly accruing. The longer the CMDB runs under that model, the deeper the debt gets. Consequently, your downstream systems (change management, AIOps, AI agents) inherit it.

Multi-source CMDB reconciliation isn’t a feature. It’s a posture. So build your CMDB around four things: attribute-level authority, source attribution, recency scoring, and surfaced conflicts. That’s the only kind of CMDB built to carry governed AI action. Everything else is performative compliance.

The good news: this is fixable. The work is mostly housekeeping. You name authoritative sources per attribute. You set reconciliation rules explicitly. And you put conflict review on someone’s desk. The infrastructure to do it exists today.

The bad news: every week you wait, last-scan-wins is overwriting truth you’ll need later. The next audit, the next incident, the next AI agent action? They all read the CMDB you’ve got. Not the one you’re planning to have.

Move faster, act safely. That’s only possible on a CMDB that actually knows what it knows, and why.

Get runtime truth with a multi-source CMDB. Book a Virima walkthrough and bring your top 20 change-heavy CIs. We’ll show you exactly where last-scan-wins is leaking. And we’ll show you what attribute-level reconciliation looks like against your environment.

Similar Posts