Notifications
Clear all
Topic starter
22/06/2026 3:43 pm
TL;DR: ServiceNow integrations can automate provisioning, approvals, recertification, and delegated administration, but the real security issue is whether those workflows enforce lifecycle control and zero-trust boundaries across accounts, roles, and tickets, according to EmpowerID. The operational lesson is that service management becomes an identity governance problem the moment access changes are tied to business workflows.
NHIMG editorial — based on content published by EmpowerID: ServiceNow identity governance integration and lifecycle automation
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
Questions worth separating out
Q: How should teams govern ServiceNow access when workflows drive account changes?
A: Treat ServiceNow as the orchestration layer, not the source of truth.
Q: Why do service management workflows create identity governance risk?
A: They can separate the request, approval, and actual access change across different systems.
Q: What breaks when privileged ServiceNow access is permanent?
A: Permanent privileged access breaks zero-trust assumptions because authority outlives the specific task or context.
Practitioner guidance
- Define a system of record for access state Make the IAM or identity warehouse the authoritative source for entitlements, then reconcile ServiceNow tickets against it so access changes do not exist only in the service desk.
- Eliminate standing ServiceNow administrator privilege Scope delegated administration to specific business units or tasks, require periodic recertification, and remove native admin access when the business need ends.
- Tie provisioning to lifecycle triggers Use HR or business change events to drive joiner, mover, and leaver actions so account creation, role changes, and deprovisioning follow the same policy path.
What's in the full article
EmpowerID's full post covers the operational detail this post intentionally leaves for the source:
- Workflow and connector configuration details for automating ServiceNow provisioning and deprovisioning across connected systems
- Examples of delegated administration design for business units, partner groups, and multitenant environments
- Attestation and recertification workflow mechanics for ServiceNow roles, groups, and separation-of-duties controls
- ServiceCatalog and orchestration pack examples showing how request fulfilment is synchronised into ServiceNow
👉 Read EmpowerID's analysis of ServiceNow identity lifecycle and governance integration →
ServiceNow identity governance: what IAM teams are missing?
Explore further
22/06/2026 3:48 pm
Service management does not reduce identity risk unless the entitlement state is authoritative. The article shows how provisioning, approvals, and recertification can be routed through ServiceNow, but the governance problem remains whether the identity system or the ticket owns the truth. When those states diverge, auditors see process activity while attackers or insiders still benefit from standing access. Practitioners should treat ticketing as evidence, not as control.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to our Ultimate Guide to NHIs.
A question worth separating out:
Q: What should organisations verify before relying on ServiceNow recertification?
A: They should verify that recertification updates the underlying entitlement state, not just the approval record. The control only works if revoked access is actually removed from connected systems, service accounts, and delegated admin paths. Without that reconciliation, certification becomes documentation rather than enforcement.
👉 Read our full editorial: ServiceNow identity governance gaps and what IAM teams need to know
