How NetSafe Built a 120-Site Asset-Tracking Platform With AI and No Passwords
A construction-materials producer had high-value equipment spread across roughly 120 sites with no single system of record. NetSafe built a custom asset-tracking platform on Microsoft Azure, directed by a human and constructed by an AI coding agent, with no passwords anywhere in the system.
What Was the Problem?
The client owns a lot of valuable equipment. Plant machinery, tooling, and instruments were spread across dozens of physically separate sites, and there was no single system of record tying it together. Nobody could answer the basic questions cleanly: what do we own, where is it right now, what is it worth, and who touched it last.
What they had was a spreadsheet per site or a generic, off-the-shelf asset package that did not match how the business actually works. This is a location-first operation. Equipment lives at a plant, a yard, or a quarry, and it moves between them. A tool that treats assets as a flat list, with location as an afterthought, fights the business instead of fitting it.
They needed one source of truth, designed around their sites, that their own team could trust and that could grow into more than just an asset register over time.
Built by an AI Coding Agent, Directed by a Human
The most important part of this project is not the asset tracker. It is how it was produced. A NetSafe engineer set the intent and the hard security rules, and an AI coding agent did the construction: the database, the application programming interface, the user interface, and the cloud wiring.
The division of labor was deliberate:
The human owned intent and the non-negotiables
One system of record across about 120 sites, as the first feature of a platform, with a security model stated up front as hard requirements: sign in with Microsoft Entra ID only, no passwords anywhere, database access by managed identity, and secrets in a key vault.
The AI owned the construction
Because the security rules were stated as requirements from the start, the agent generated code that was passwordless and identity-only on the first pass, rather than bolting security onto a working-but-insecure prototype later.
The human owned every irreversible step
Anything that touched the client’s live cloud tenant, creating the sign-in registration, assigning roles, granting database access, pushing a deployment, was confirmed and run by the engineer. The agent prepared the exact commands; the human pulled the trigger.
What We Built
A cloud-native platform that matches how the business thinks, running entirely inside the client’s own Microsoft environment:
- Location-first navigation. Browse by site, with live counts per location and drill-down into each one, because that is how the team finds things.
- The asset register. Every high-value asset with its tag, serial, model, status, value, and current location.
- Movement that mirrors reality. Transfer between sites, check out to a person, check back in, and confirm with a physical audit. Every one of those actions writes a permanent record of who did it and when.
- Printable QR labels. Scan a label and, after signing in, land straight on that asset’s page.
- A live dashboard. Totals, total value, breakdown by status, top locations, value by category, and recent activity at a glance.
- Bulk import. Load existing records from a spreadsheet using a downloadable template, with clear per-row error reporting.
It runs on serverless Azure services, so the cost scales toward zero when the tool is idle, which suits an internal system used in bursts across the business day.
Security: No Passwords Anywhere
The whole system was designed around a single idea: the safest credential is the one that does not exist. There is no application password to store, reset, or leak, and no database login to compromise.
Sign in with Microsoft Entra ID only
The client’s existing multi-factor authentication and Conditional Access policies apply automatically. A user who has not been granted a role cannot even reach the application.
The database accepts identity, not passwords
The application connects using a managed identity issued by Azure. There is no connection string and no database login anywhere in the system.
Every request is checked
The server validates each caller’s identity and role on every request, and records the verified user on every change in an audit log that is never edited or deleted.
Onboarding is an identity-team action
Granting or removing access is assigning or removing a role, handled by the same process the client already uses for the rest of their Microsoft environment.
Why This Approach Matters
Three choices made this both fast to build and safe to run.
AI built it, a human steered it
A custom line-of-business application no longer needs a long, expensive development cycle. An AI agent does the construction while a NetSafe engineer owns the intent, the security model, and every change to the live tenant.
Security designed in, not bolted on
Stating the security rules as hard requirements up front meant the system was passwordless and identity-only from the first version, never a retrofit onto an insecure prototype.
A platform, not a one-off
The asset register is the first feature. Roles, sign-in, and data plumbing were built to carry the next features, so maintenance, audits, and reporting plug in without rebuilding the foundation.
The result is a system of record the client actually trusts, with a meaningfully smaller security surface than a traditional build, delivered on a timeline and at a cost that a custom application usually cannot reach.
Frequently Asked Questions: AI-Built Internal Software
Can AI really build a business application?
Yes, when the work is directed properly. A NetSafe engineer sets the goal and the security requirements and reviews the result, while an AI coding agent does the construction. The engineer keeps control of anything that touches your live environment. The result is a real, working application built far faster than a traditional development cycle.
Is a system with no passwords actually secure?
It is more secure, not less. Removing application passwords and database logins removes the things attackers target most. Sign-in uses Microsoft Entra ID, so your existing multi-factor authentication and access policies apply, and the database is reached by a managed identity rather than a stored credential. There is simply less to steal.
What does “location-first” mean for asset tracking?
It means the system is organized the way the business is: by site. You browse plants, yards, and quarries, see what is at each one, and move equipment between them, instead of forcing a location onto a flat list of assets as an afterthought.
Who can sign in, and how is access controlled?
Only people you grant a role to. Access is managed in your existing Microsoft environment by assigning a role, and a user with no role cannot reach the application at all. Removing access is the same process you already use when someone leaves.
Can the platform grow beyond asset tracking?
Yes. It was built as the first feature of a platform, so the sign-in, roles, and data foundation already support future features such as maintenance scheduling, physical audits, and financial reporting without rebuilding the core.
Could NetSafe build a custom internal tool for my business?
If you have a process running on spreadsheets or a generic tool that does not fit, very likely yes. NetSafe Solutions provides a free assessment for businesses across the Charlotte metro area and both Carolinas.
Have a process stuck in spreadsheets?
If a core part of your business runs on spreadsheets or a generic tool that does not fit, we can build a custom application that does, on your own Microsoft environment, with no passwords to manage and security built in from the start. Free assessment.
Or call us:
(704) 333-0404