TL;DR: A ServiceNow vulnerability let an attacker abuse a prebuilt Now Assist agent to create data anywhere in the platform and gain persistent admin access, showing that agentic systems need layered tool and data authorization, per P0 Security and AppOmni. The breach exposes an assumption collapse: access review and role scoping fail when an agent can be invoked broadly and then write across the estate within the same interaction.
NHIMG editorial — based on content published by P0 Security covering the ServiceNow AI breach: The ServiceNow AI breach: Why agentic access requires layered defense
Questions worth separating out
Q: How should security teams govern AI agents that can call powerful business tools?
A: Security teams should govern AI agents by separating which tools they can see from which data and actions they can execute.
Q: Why do AI agents complicate traditional IAM and access review processes?
A: AI agents complicate traditional IAM because they can select actions at runtime and complete them before periodic reviews ever see the access in use.
Q: What breaks when an agent has broad write access across business systems?
A: Broad write access turns a helpful agent into a platform-wide escalation path.
Practitioner guidance
- Split tool scope from data scope: Inventory every agent-facing tool, then map each tool to the exact data objects and write actions it can reach.
- Add approval gates for high-impact agent actions: Route sensitive actions such as record creation, permission changes, and bulk updates through explicit human approval before the action is committed.
- Audit for create-anywhere capabilities: Find agents or service roles that can create records, objects, or workflows across multiple business domains.
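The three steps above can be sketched as a request-time check plus an audit pass. This is an added example, not code from P0 Security, AppOmni or ServiceNow; the tool names, table names, domain map and decision strings are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data: table -> business domain (all names hypothetical).
DOMAINS = {"incident": "itsm", "kb_article": "knowledge",
           "user_role": "identity", "hr_case": "hr"}
HIGH_IMPACT = {"create", "grant_role", "bulk_update"}  # actions that need approval

@dataclass(frozen=True)
class Grant:
    tool: str         # layer 1: a tool the agent may see and call
    scope: frozenset  # layer 2: (table, action) pairs; "*" means any table

def authorize(grants, tool, table, action, approved_by=None):
    """Request-time decision: 'deny', 'needs_approval' or 'allow'."""
    grant = next((g for g in grants if g.tool == tool), None)
    if grant is None:
        return "deny"            # tool is outside the agent's tool scope
    if (table, action) not in grant.scope and ("*", action) not in grant.scope:
        return "deny"            # data object or action outside the tool's scope
    if action in HIGH_IMPACT and approved_by is None:
        return "needs_approval"  # hold the write until a human approves it
    return "allow"

def create_anywhere(grants, min_domains=2):
    """Audit: tools whose create rights use a wildcard or span several domains."""
    flagged = []
    for g in grants:
        tables = {t for t, a in g.scope if a == "create"}
        domains = {DOMAINS[t] for t in tables if t in DOMAINS}
        if "*" in tables or len(domains) >= min_domains:
            flagged.append(g.tool)
    return sorted(flagged)

# Constructed policies: a narrowly scoped agent and one with a create-anywhere tool.
SCOPED = [Grant("kb_search", frozenset({("kb_article", "read")})),
          Grant("incident_writer",
                frozenset({("incident", "create"), ("incident", "read")}))]
BROAD = [Grant("record_tool", frozenset({("*", "create"), ("*", "read")}))]

if __name__ == "__main__":
    print(authorize(SCOPED, "incident_writer", "user_role", "create"))
    print(authorize(BROAD, "record_tool", "user_role", "create"))
    print(create_anywhere(BROAD))
```

The approval gate only limits a wildcard grant; the audit pass is what surfaces it so the grant itself can be narrowed.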
What's in the full article
P0 Security's full analysis covers the operational detail this post intentionally leaves for the source:
- The exact agent authorization flow that allowed broad invocation before policy enforcement
- The P0 enforcement pattern at the MCP layer, including request-time checks and approval routing
- Detailed examples of tool-level and data-level policy separation for sensitive agent actions
- The audit context that shows what the agent accessed, for whom, and why