Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

ServiceNow AI breach: are your agent authorization controls enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: A ServiceNow vulnerability let an attacker abuse a prebuilt Now Assist agent to create data anywhere in the platform and gain persistent admin access, showing that agentic systems need layered tool and data authorization, per P0 Security and AppOmni. The breach exposes an assumption collapse: access review and role scoping fail when an agent can be invoked broadly and then write across the estate within the same interaction.

NHIMG editorial — based on content published by P0 Security covering the ServiceNow AI breach: The ServiceNow AI breach: Why agentic access requires layered defense

Questions worth separating out

Q: How should security teams govern AI agents that can call powerful business tools?

A: Security teams should govern AI agents by separating which tools they can see from which data and actions they can execute.

Q: Why do AI agents complicate traditional IAM and access review processes?

A: AI agents complicate traditional IAM because they can select actions at runtime and complete them before periodic reviews ever see the access in use.

Q: What breaks when an agent has broad write access across business systems?

A: Broad write access turns a helpful agent into a platform-wide escalation path.

Practitioner guidance

  • Split tool scope from data scope Inventory every agent-facing tool, then map each tool to the exact data objects and write actions it can reach.
  • Add approval gates for high-impact agent actions Route sensitive actions such as record creation, permission changes, and bulk updates through explicit human approval before the action is committed.
  • Audit for create-anywhere capabilities Find agents or service roles that can create records, objects, or workflows across multiple business domains.

What's in the full article

P0 Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • The exact agent authorization flow that allowed broad invocation before policy enforcement
  • The P0 enforcement pattern at the MCP layer, including request-time checks and approval routing
  • Detailed examples of tool-level and data-level policy separation for sensitive agent actions
  • The audit context that shows what the agent accessed, for whom, and why

👉 Read P0 Security's analysis of the ServiceNow AI breach and layered agent authorization →

ServiceNow AI breach: are your agent authorization controls enough?

Explore further

View Full Forum →  |  NHI Foundation Course →  |  Our Services →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Agentic access control fails when teams treat tool invocation as the boundary. The ServiceNow case shows that a prebuilt agent can be safe in one layer and dangerous in the next if the surrounding policy model is too broad. Tool discovery, tool invocation, and underlying data access are separate controls, and collapsing them into one authorization decision leaves a structural gap. Practitioners should treat agent tool exposure as a distinct governance surface, not a proxy for overall safety.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the same research.

A question worth separating out:

Q: Who is accountable when an AI agent performs an unsafe privileged action?

A: Accountability should sit with the team that defined the agent’s permissions, the application owner that exposed the tool, and the governance function that approved the access model. For regulated environments, reviewers should be able to show why the action was allowed, who approved it, and which policy enforced the decision.

👉 Read our full editorial: ServiceNow AI breach exposes layered authorization gaps for agents



   
ReplyQuote
Share: