The real problem in AI risk management is not counting assets, but connecting those assets to meaningful vulnerability data before the paper trail outgrows the threat.