TL;DR: A ServiceNow Virtual Agent integration flaw could let an unauthenticated attacker impersonate arbitrary users, including administrators, because a platform-wide trusted credential and weak email-based linking bypassed normal authentication checks, according to Aembit. The incident shows why agentic workflows need runtime identity controls, not shared trust shortcuts.
NHIMG editorial — based on content published by Aembit covering the ServiceNow impersonation flaw and agentic access risk
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Only 5.7% of organisations have full visibility into their service accounts.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
Q: What breaks when agentic workflows rely on shared integration credentials?
A: Shared integration credentials collapse attribution and expand blast radius because multiple tools can present the same trust signal.
Q: Why do agentic systems complicate identity governance more than traditional SaaS integrations?
A: Agentic systems complicate identity governance because they can initiate, sequence, and repeat actions across tools instead of waiting for a single user request.
Q: How do security teams know if workflow identity controls are actually working?
A: They are working if a workflow cannot impersonate another identity, cannot reuse a credential outside the intended task, and leaves an audit trail that names the actor, the context, and the action.
Practitioner guidance
- Separate every agent identity from the invoking user Assign distinct identities to integrations, service actors, and workflows so actions are not recorded under a human account.
- Remove shared credentials from multi-tool workflows Replace platform-wide secrets and reusable tokens with scoped credentials that are unique per integration and expire after the task.
- Enforce runtime policy before each privileged action Require an authorisation decision at execution time for record creation, access provisioning, and administrative changes.
What's in the full article
Aembit's full article covers the operational detail this post intentionally leaves for the source:
- The exact ServiceNow Virtual Agent trust chain and how the impersonation flaw worked in practice.
- The control patterns Aembit recommends for runtime policy enforcement and ephemeral credentials.
- The workflow monitoring and attribution details that matter when agent actions must be investigated.
- The vendor's implementation-oriented guidance for treating agents as non-human workloads.
👉 Read Aembit's analysis of the ServiceNow impersonation flaw and agentic access risk →
Agentic access and impersonation: what IAM teams are missing?
Explore further
Shared integration trust is no longer a safe control boundary: this incident shows what happens when a platform-wide credential is treated as an acceptable proxy for caller identity. That assumption was built for simpler SaaS integrations and fails when a system can act continuously across records, permissions, and downstream workflows. The implication is not just that one credential was weak, but that the trust model itself was overextended.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means many teams cannot even confirm where integration trust is concentrated.
A question worth separating out:
Q: Who is accountable when an integration can act as an administrator?
A: Accountability sits with the organisation that allowed shared trust to substitute for strong identity binding. Security, platform, and application teams all own different parts of the failure, but the governance standard should require distinct identities, runtime authorisation, and revocation that stops downstream actions before they complete.
👉 Read our full editorial: ServiceNow impersonation exposure shows agentic access is brittle