TL;DR: ServiceNow’s acquisition of Veza changes the evaluation for teams that used the platform’s access graph for cloud entitlement analysis and its newer IGA functions for lifecycle workflows, while early access features and roadmap control now sit inside a larger integration process, according to Zluri. The key issue is no longer feature parity alone, but whether identity governance can still be proven in production before organisational accountability is absorbed into a platform transition.
NHIMG editorial — based on content published by Zluri covering the ServiceNow acquisition of Veza: what it means for identity teams
By the numbers:
- Veza added JML workflow capability in 2024 and Access AuthZ launched in November 2025, one month before the acquisition.
- Zluri says its JML automation covers 300+ integrations with 1,500+ granular provisioning actions.
Questions worth separating out
Q: Should identity teams replace access graphs with full IGA platforms?
A: Not automatically. Access graphs and full IGA platforms solve different problems: one explains effective permissions, while the other governs joiner-mover-leaver workflows, reviews, and remediation. Teams should replace a point capability only when they can prove the new platform covers both visibility and closed-loop execution at the same operational depth.
Q: Why does a platform acquisition matter for identity governance programmes?
A: Because ownership change can alter roadmap priority, support model, and integration speed, all of which affect whether controls keep working in production.
Q: How should security teams evaluate early access IGA features?
A: Treat them as maturity questions, not feature checkboxes.
Practitioner guidance
- Reassess control ownership across visibility and remediation Separate entitlement intelligence from lifecycle execution in your architecture review.
- Pressure-test newly added governance functions in production-like scenarios Before relying on early-access or recently launched IGA features, run simultaneous onboarding, mover, and offboarding scenarios with real exception paths.
- Map discovery coverage beyond the IdP Inventory SaaS signups, OAuth-connected apps, and tools outside SSO so you can see whether your discovery model covers hidden identity activity.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Side-by-side feature breakdowns for access graph, lifecycle automation, access reviews, and deployment scope
- Customer examples and implementation outcomes that show how the platform behaves in production
- Detailed comparison points around discovery methods, write-back coverage, and connector depth
- The acquisition-specific roadmap and support implications that shape buying decisions
👉 Read Zluri's analysis of the ServiceNow-Veza acquisition and identity team implications →
ServiceNow-Veza acquisition: what it means for identity teams?
Explore further
Platform consolidation changes identity governance from a product choice into a control continuity test. When a specialist access-intelligence platform moves under a larger operational vendor, the question is no longer only what the tool can see. The question becomes whether the control remains independently governable through roadmap shifts, support changes, and integration work. For identity teams, that means the assurance model must survive ownership change, not just feature comparison.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding from our research says only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows the confidence gap is still structural.
A question worth separating out:
Q: What is the difference between identity discovery and access remediation?
A: Discovery tells you what identities, apps, and entitlements exist. Remediation changes them when access is wrong, stale, or excessive. Many programmes stop at visibility, which leaves the governance gap unresolved. Effective identity control requires both a complete view of the environment and a reliable way to act on it.
👉 Read our full editorial: ServiceNow-Veza acquisition shifts the identity tooling calculus