Ian Leu
ServiceNow Employee

Updated March 2026

 

Why This Map Needed to Evolve
When I first published this IAM capability map in early 2024, most enterprise IAM programs were still built on a single assumption: human employees accessing corporate applications. The map reflected that reality. Identity Lifecycle Management was tied to HR events. Access requests moved through approval workflows. Passwords were managed centrally. Compliance was handled through periodic recertification campaigns. That model is no longer enough. Three major changes have occurred.

 

First, the identity surface area has expanded significantly. Enterprises now manage not only employee identities but also service accounts, API keys, robotic process automation bots, and increasingly, autonomous AI agents that request access, invoke APIs, and chain tools without human intervention. Although the original map acknowledged some of these identity types, it defined no governance capabilities for them.

 

Second, the threat landscape has shifted to identity. Identity-based attacks such as credential theft, lateral movement via compromised service accounts, and session hijacking are now the primary breach vectors. The original map included compliance controls and audit reporting but had no domain for real-time detection of and response to identity-specific threats.

 

Third, static governance methods are no longer scalable. Veza's 2026 State of Identity & Access report makes the scale concrete: the average enterprise worker holds around 96,000 entitlements, NHIs outnumber humans 17 to 1, 0.01% of those NHIs control 80% of cloud resources, and 824,000 orphaned accounts (8% of all accounts) retain live entitlements with no human owner. Quarterly recertification cannot keep pace. The updated capability map addresses all three shifts.

 

What Does the Veza Acquisition Mean for ServiceNow and This Map?
ServiceNow's acquisition of Veza, which closed in early March 2026, adds the identity intelligence layer that the original map lacked. Veza's Access Graph maps access relationships across human, machine, and AI identities; it will integrate into the ServiceNow Context Graph for enterprise context, with the AI Control Tower orchestrating governance actions across SecOps, IRM, Technology Operations, and HRSD. That triad of identities, risk posture, and orchestration is the architecture to track as the integration matures.


Specifically, Veza brings capabilities in identity security posture management (ISPM), non-human identity security, AI agent security, and next-generation IGA, all grounded in an access graph that provides cross-platform entitlement visibility. KuppingerCole characterized the acquisition as moving ServiceNow “from an identity-adjacent platform into a credible identity security player.” That framing is fair. ServiceNow’s workflow engine and CMDB were always strong foundations for IAM orchestration, but the platform lacked native identity workflows. Veza, which serves roughly 150 enterprise customers (about 60 of them joint with ServiceNow) and manages 30+ billion permissions and 20+ million identities, closes part of that gap. The harder governance work (policy conflicts, SoD, legacy on-prem, privilege sprawl) still rests with IAM practitioners.


For IAM practitioners, the practical question is how Veza’s capabilities will integrate with existing ServiceNow IAM patterns — particularly around CSDM, IRM, SecOps, and HRSD products already mapped in this framework. That integration story is still unfolding. What I can say is that the capability map is designed as a planning framework, not a product datasheet. It describes what capabilities an enterprise IAM program needs, and isn't focused on the specifics of any single vendor.



Here’s what has changed and why it is important for practitioners planning IAM programs in 2025–26:

 

New Domain: Non-Human & Agentic Identity Governance
This is the most significant structural addition. NHIs now outnumber humans 17 to 1, and 0.01% of them control 80% of cloud resources, yet the tooling built for joiner-mover-leaver was never designed to discover, attribute, or govern them at that scale. The new domain covers NHI discovery and inventory, ownership attribution and accountability mapping, delegated authority management (tracking scope chains when one agent invokes another), runtime behavioral policy enforcement, ephemeral credential lifecycle, dormancy detection, and agent scope and permission boundary enforcement.


Planning implication: If your IAM program doesn’t have a distinct workstream for non-human identities, this domain gives you the capability taxonomy to stand one up. Start with NHI discovery and ownership attribution. Most organizations don’t know how many service accounts and API keys they have, let alone who owns them.


New Domain: Entitlement Management
This addresses one of the most common questions in the original article: where entitlements live and how to gain visibility across applications. The average worker now holds around 96,000 entitlements, of which only 55% are safe and compliant. The root cause is structural: every application stores entitlements in its own format, with no common language across SaaS, cloud, and on-prem. If you're dealing with role explosion or permission sprawl, this domain frames the capabilities you need.


Integrated Domain: Identity Threat Detection & Response (ITDR)
The original map had no domain for runtime identity threat detection. Around 90% of organizations now experience identity-related breaches, with credential compromise the leading access vector. The root cause is the seam: IAM is preventative, not designed to spot in-flight attacks on existing identities; SOC tooling lacks the identity context to recognize them. The new ITDR domain covers identity-based anomaly detection, compromised identity response workflows, authentication pattern analytics, lateral movement detection via identity signals, session hijacking detection and revocation, and integration with SOC/SIEM/XDR platforms.


Planning implication: ITDR bridges your IAM and security operations programs. If your organization treats identity governance and security monitoring as separate disciplines with separate toolchains, this domain maps the intersection and makes the case for connecting them.


Renamed: Adaptive Access & Authentication (was Authentication / Authorization)
Static authentication at the perimeter no longer maps to how access unfolds: identities operate across cloud, SaaS, and on-prem with permissions and risk that shift mid-session. This aligns the map with zero-trust principles, specifically NIST SP 800-207's premise that access decisions are re-evaluated continuously rather than only at the authentication boundary. If you're pursuing zero trust, this domain provides the IAM-specific capability structure.


Renamed: Credential Management (was Password Management)
Password Management as a standalone domain was overweighted relative to where the industry is heading. Most enterprise credentials are now non-human (API keys, tokens, certificates, secrets), and the password-only framing offered no governance for them. The renamed domain retains all password capabilities and adds API key and token lifecycle, certificate and secret management, and passkey enrollment. It accommodates non-human credential types alongside human ones.


Renamed: Compliance & Continuous Governance (was Compliance Management)
The original compliance domain was built around periodic controls — recertification cycles, SoD scanning, and policy violation detection. The expanded domain adds continuous compliance monitoring and real-time policy violation alerting with automated remediation. This reflects the shift from calendar-driven to event-driven governance, which is what DORA (in force since January 2025) and NIS2 now expect of regulated firms: continuous oversight of identity and access, not point-in-time attestation.


Expanded: Reporting, Audit & Observability
As agents act on behalf of humans and chain into other agents, traditional audit logs lose the line of accountability, and regulators (the EU AI Act and SEC cyber disclosure rules among them) increasingly expect organizations to prove who authorized what, when, and why. Legacy logging captured the action, not the delegation chain that produced it. The domain now adds chain-of-custody logging for agent delegation chains (tracing any action back to an accountable human) and access decision audit trails that capture why access was granted, denied, or escalated. These additions are essential for organizations deploying agentic AI at scale.
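As an added illustration (not part of the original article and not ServiceNow or Veza code), the following Python sketch shows the two agentic capabilities described above: delegated-authority management, where a sub-agent's scope is attenuated to a subset of its delegator's, and a chain-of-custody audit entry that traces every access decision back to the accountable human. All identities, scopes and timestamps are constructed for the example.

```python
from dataclasses import dataclass

# All identities, scopes and timestamps here are constructed for illustration,
# not ServiceNow, Veza or real-tenant identifiers.

@dataclass(frozen=True)
class Grant:
    principal: str              # human or agent identity
    scopes: frozenset           # permissions this principal may exercise
    delegated_by: "Grant" = None  # delegator's grant; None marks the human root

def delegate(parent: Grant, agent: str, requested) -> Grant:
    """Permission-boundary enforcement: a delegated grant is attenuated to a
    subset of the delegator's scopes and can never be widened."""
    excess = frozenset(requested) - parent.scopes
    if excess:
        raise PermissionError(f"{agent} requested {sorted(excess)} beyond {parent.principal}")
    return Grant(agent, frozenset(requested), parent)

def delegation_chain(grant: Grant) -> list:
    """Chain of custody from the accountable human down to the acting agent."""
    chain = []
    while grant is not None:
        chain.append(grant.principal)
        grant = grant.delegated_by
    return chain[::-1]

def record_decision(audit: list, grant: Grant, action: str, scope: str, ts: str) -> bool:
    """Append an access-decision audit entry: what was attempted, whether it was
    granted or denied and why, and who is ultimately accountable."""
    allowed = scope in grant.scopes
    chain = delegation_chain(grant)
    audit.append({"ts": ts, "actor": grant.principal, "action": action, "scope": scope,
                  "decision": "granted" if allowed else "denied",
                  "reason": f"scope {'within' if allowed else 'outside'} actor's delegated set",
                  "chain": chain, "accountable_human": chain[0]})
    return allowed

def demo() -> list:
    audit = []  # human -> agent -> sub-agent, one attenuation, one refused widening
    alice = Grant("alice@example.test", frozenset({"hr:read", "payroll:read"}))
    assistant = delegate(alice, "agent:hr-assistant", {"hr:read", "payroll:read"})
    summarizer = delegate(assistant, "agent:report-summarizer", {"hr:read"})  # narrowed
    record_decision(audit, summarizer, "read-employee-roster", "hr:read", "2026-03-10T17:43:12Z")
    record_decision(audit, summarizer, "read-payroll", "payroll:read", "2026-03-10T17:43:15Z")
    try:
        delegate(summarizer, "agent:exporter", {"hr:read", "payroll:write"})  # widening refused
    except PermissionError as err:
        audit.append({"ts": "2026-03-10T17:43:16Z", "decision": "delegation-refused", "reason": str(err)})
    return audit
```

Every entry carries the full chain, so a denied read by the sub-agent is still attributable to alice@example.test rather than dead-ending at the agent.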


What I’d Appreciate From You
The original version of this article generated good questions and great feedback. Those conversations made the map better. I’d like to continue that. Specifically, I’m looking for feedback on three things:

  1. Whether the new Non-Human & Agentic Identity Governance domain captures the right sub-capabilities for how you’re thinking about NHI governance
  2. Whether Entitlement Management as a standalone domain reflects a real planning need in your organization, or whether it’s better integrated elsewhere
  3. Whether the ITDR domain adequately bridges the gap between your IAM and security operations teams

The map is a living artifact. If your experience tells you something is missing, misplaced, or overstated, I want to hear it. Drop a comment below or reach out directly.

 

For assistance, contact your ServiceNow Client team, Impact team, or implementation partner(s).

 

 

____________________________________

Initial Article:

 

Wikipedia describes identity and access management (IAM or IdAM, also known simply as Identity management) as a framework of policies and technologies to ensure that the right users (that are part of the ecosystem connected to or within an enterprise) have the appropriate access to technology resources.

 

IAM Challenges

Many organizations typically begin their identity management using readily available tools such as spreadsheets and email. Over time, this approach evolves into a more mature system where individual departments purchase specific solutions to address their unique challenges. However, these solutions often lack a comprehensive, enterprise-wide strategy.

 

While these department-specific processes may function well on their own, they often require significant manual effort, including the use of email, spreadsheets, or even expensive external consultants, to integrate into end-to-end value streams. Moreover, Identity and Access Management (IAM) risk data is frequently isolated, necessitating manual processing to integrate and contextualize it within the broader business impact.

 

Today, many organizations are shifting towards a strategic, integrated approach that considers the entire organization. Instead of asking, “What’s best for a specific department?” they are now asking, “What’s best for the entire organization in terms of serving the business?”

 

IanLeu_1-1713881612719.png

 

Cyber Risk Control Tower

ServiceNow offers a comprehensive platform that brings together all components of Identity and Access Management (IAM). This integration simplifies processes, reduces complexity, and bolsters security. With ServiceNow’s workflow capabilities, organizations can automate various IAM processes. This includes everything from user onboarding, managing ongoing access requests and approvals throughout the user’s access journey, to user offboarding, all while preserving essential audit records.

 

Furthermore, ServiceNow’s Common Service Data Model (CSDM) enables organizations to keep track of entitlements for customers, employees, and vendors. This visibility facilitates the governance of access controls and compliance with automated user certifications, thereby minimizing unauthorized access.

 

IanLeu_2-1754576000822.png

 

For assistance, contact your ServiceNow Account team, Impact team, or implementation partner(s). We appreciate your feedback & questions! Share your thoughts below.

Comments
Jens Riska FI
Tera Contributor

Great that you highlight the importance of identity and access management, as it is crucial for companies to thrive efficiently and securely! I work as a Senior IAM consultant at Appmore, and through our customer IAM implementation projects, I've witnessed the struggles some companies face before implementing a comprehensive identity and access management solution to cover the whole organization. For example, with the leaver process; before we automated that, everything was scattered and we discovered numerous active accounts for offboarded identities.

kaushal_snow
Giga Sage

Great Post !!

Kevin Clark1
Tera Contributor

Is there an actual product for this on the platform? Or is this just a reference architecture for something that is possible?

KatariinaE
Tera Explorer

@Kevin Clark1 Yes, there is. Check out the IAM Application on the ServiceNow Store!

Ian Leu
ServiceNow Employee

Hi @Kevin Clark1 

 

The corresponding recommended products are listed at the bottom.

 

IanLeu_0-1754553001018.png

 

Thad Smith1
Tera Contributor

FYI, Clear Skye is a native IGA solution, built on ServiceNow, not siloed and integrated. Being on platform, it opens up a huge amount of "better together" use cases.

https://store.servicenow.com/store/app/e88923221b246a50a85b16db234bcb7a

Kevin Clark1
Tera Contributor

Thanks for the response! I'm aware of Clear Skye (#1 CJ and the Duke fan right here - I hear sponsorship messages from Rob) and when I'm proposing options I'll definitely be including third-party store options. I just thought given there's this thread it might be implying that there are some appropriate tables or features OOTB for my immediate need to store entitlements.

Kevin Clark1
Tera Contributor

@Ian Leu I see you updated the diagram, and now that I look a bit closer the colour coding is clearer to me. I'm reading this to imply that the IAM access right repository (which is my immediate concern) is not on-platform and is "in the purple". This is very helpful. Thank you. That was my belief and understanding of the current state of play for this area.

 

a_225
Tera Explorer

I have found a link which shows a custom application for IAM. Hope this will be helpful.

 

https://www.servicenow.com/community/next-experience-forum/how-to-build-iam-application-onboarding-u...

a_225
Tera Explorer

One of the interesting articles posted on IAM is this community post.

 

https://www.servicenow.com/community/next-experience-forum/how-to-build-iam-application-onboarding-u...
