The enterprise identity control plane is here

Something fundamental shifted in enterprise security over the last 24 months. It didn't announce itself with a single breach or a splashy headline; it crept in through thousands of AI deployments, cloud migrations, and siloed software as a service (SaaS) implementations and upgrades—each adding new identities, fine-grained permissions and entitlements, access paths, and risks that legacy tools were never designed to manage.

The numbers tell the story. Credential abuse was the initial access vector in 22% of all breaches last year, and stolen credentials were involved in 88% of basic web application attacks, according to Verizon.¹ The takeaway is clear: Identity malfeasance is the dominant entry point for attackers across the enterprise.

At the same time, the identity attack surface itself has exploded: Machine identities now outnumber human ones by more than 80 to one, driven by cloud, AI, and automation. Nearly half of these machine identities have sensitive or privileged access rights that most organizations can't fully see or control.²

Moreover, as organizations scale agentic AI, each autonomous agent carries its own set of permissions, acting across data, derived insights, and systems, further expanding the identity attack surface and injecting risk, often unseen, into the business.

The chief information security officers (CISOs) I talk to aren't losing sleep over whether they have identity tools. They have plenty. They're losing sleep over the gap between what those tools can see and what they can do about it. Most identity solutions stop at visibility and often can’t even see the whole picture. They surface a portion of the problem (users/groups), fundamentally lack the understanding of effective access paths (permissions), and leave the remediation to someone else.

That’s why leading companies such as Blackstone have already integrated Veza with ServiceNow, enabling them to make identity actionable and least privilege achievable. Starting today, Veza is part of ServiceNow, which means we can evolve from a technology integration partnership into a singular platform for autonomous identity and threat defense, powered by our exceptionally rich asset and access graphs.

Why Veza and why now?

Our security and risk business crossed $1 billion in annual contract value in Q3 2025. This is a milestone that reflects the trust customers place in our platform and the scope of the problems we're solving together.

Our vision is to give enterprises a complete picture of who and what have access across their digital assets. That includes human employees, machine identities, service accounts and, increasingly, AI agents—and then connect that picture to the workflows that autonomously eliminate all toxic combinations of entitlements and ensure a least privilege posture.

Veza's Access Graph maps and analyzes permissions across identities, applications, data systems, and AI artifacts in a way that most legacy identity governance and administration (IGA) and privileged access management (PAM) tools can't approach. It doesn't just report who has access; it identifies and continuously prioritizes risk so that you know where to start remediation.

When an overprivileged account is flagged, the response can't be a ticket that sits in a queue for three weeks for another team to triage. It must trigger immediate, automated remediation with full enterprise context—the kind that the ServiceNow AI Platform was built to execute.

A bigger problem than most realize

The identity challenge enterprises are facing isn't a matter of scale—although the scale is staggering. It's a structural problem. The modern enterprise has identities living across multiple generations of technologies simultaneously: mainframes, on-premises directories, cloud-native infrastructure, SaaS platforms, and AI agents. Each layer has its own access model, permissions logic, and governance gaps.

Traditional IGA tools were designed for a world in which identities meant employees, and access meant network permissions. That world is gone. Today's enterprises need governance that spans human users, service accounts, bots, tokens, and autonomous AI agents—and that can reason across all of them in a unified way.

Veza was purpose-built for this reality. Its Access Graph spans human, machine, and AI agent identities—providing the cross-system visibility that CISOs and identity teams have been asking for. And now, combined with ServiceNow AI Control Tower and workflow automation, that visibility connects directly to action.

What this means for customers

For current Veza customers, nothing changes about your existing solutions, agreements, or support. The platform you rely on will continue to operate as it has. Its roadmap will now include the full weight of ServiceNow's brand, product and engineering organization, customer relationships, and global scale.

For ServiceNow customers, Veza's identity intelligence is being integrated into the ServiceNow AI Platform in phases. In the near term, you'll gain access to a best-in-class identity visibility and intelligence solution, optimized for rapid time to value.

As integration deepens, you’ll see identity governance capabilities embedded directly into your Security Operations, Integrated Risk Management, and AI Control Tower workflows—creating an end-to-end system that doesn't just surface identity risk, but also resolves it.

The combination of Veza's Access Graph with ServiceNow Configuration Management Database and AI Control Tower is architecturally significant. It creates a unified graph of your entire technology estate: what exists, who and what has access to it, and what's at risk. It then connects that intelligence to the remediation workflows that can act on it automatically.

Why our approach is different

ServiceNow's approach starts from a different premise. We have the platform where enterprise work actually gets done: 80 billion workflows per year, across every function, every industry, and every geography. Identity security posture, identity governance, and privileged access assurance that isn't connected to workflow execution is incomplete.

When Veza surfaces an overprivileged account, that signal flows directly into a ServiceNow workflow that can trigger an access review, notify the right approvers, document the remediation, and close the loop—automatically, at enterprise scale, and with a full audit trail.

The future of autonomous security

The security and risk solution we're building at ServiceNow has a clear North Star: autonomous, proactive security. This is security that sees risk before it becomes a breach, prioritizes what matters most, and acts through automated workflows without requiring manual intervention at every step.

Veza is a foundational piece of that. Identity is where most breaches begin, and it's where autonomous security has to start. With Veza's Access Graph powering identity intelligence across the platform, we're adding the visible layer that makes the rest of the system credible.

We're building toward a world where AI agents have both known and right-sized access—no more and no less—and where any deviation from least privilege triggers an immediate, automated response. Identity reviews happen continuously, not annually. Every access path in your environment is visible, every permission is justified, and every risk is connected to a workflow that can resolve it.

That's the vision. Officially bringing Veza into the ServiceNow AI Platform for autonomous defense and response is the next step.

1 Verizon Business, 2025 Data Breach Investigations Report

2 CyberArk, 2025 Identity Security Landscape