An asset that processed sensitive data doesn't exit your security scope when you power it off. It exits when its media is sanitized or destroyed — with documentation. Until then, the retirement pile is an unmonitored collection of data-bearing assets.
Look at that storage room the way an assessor does: no active monitoring, often no inventory, frequently no dedicated lock. By that standard, it may be the least protected data repository in your entire environment — and facility walk-throughs find it every time.
Three moves fix it fast: move staged equipment into locked, access-limited storage with a sign-out log; track disposition states in your asset inventory; and put a standing destruction cadence on the calendar so the backlog never re-forms.
The guide's scoping section walks the full lifecycle view — and the checklist's five-minute self-audit starts with exactly this walk-through.