With growing number of assets (hosts, groups, users, ...) there is no easy way to guarantee a specific configuration design.
I used to think this could be a task for auto-registration together with network discovery. But these are obviously more intended for initial setup and not for automating configuration in general.
My first thought was writing a daemon by myself with its own UI that periodically checks and updates assets according to its rule database via API.
On my second thought it tastes a bit like doing it the Nagios/Icinga way.
I believe for large environments there is a need for assuring some settings by a kind of configuration policies.