on 03-05-2024 04:39 AM - edited Wednesday
Updated March 2026
Why This Map Needed to Evolve
When I first published this IAM capability map in early 2024, most enterprise IAM programs were built on a single assumption: human employees accessing corporate applications. The map reflected that reality. Identity Lifecycle Management was tied to HR events. Access requests moved through approval workflows. Passwords were managed centrally. Compliance was demonstrated through periodic recertification campaigns. That model is no longer enough. Three major changes have occurred.
First, the identity surface area has expanded significantly. Enterprises now manage not only employee identities but also service accounts, API keys, robotic process automation bots, and increasingly, autonomous AI agents that request access, invoke APIs, and chain tools without human intervention. Although the original map recognized some of these identity types, it defined no governance capabilities for them.
Second, the threat landscape has shifted toward identity. Identity-based attacks, such as credential theft, lateral movement via compromised service accounts, and session hijacking, are now the primary breach vectors. The original map included compliance controls and audit reporting but had no domain for real-time detection of, and response to, identity-specific threats.
Third, static governance methods are no longer scalable. Quarterly access recertification campaigns cannot keep pace with environments where permissions are constantly changing. Veza’s 2026 State of Identity report provides data on this issue: the average enterprise worker holds around 96,000 entitlements, 38% of IdP accounts are inactive, and only 55% of permissions are secure and compliant. These issues cannot be solved solely through quarterly reviews. The updated capability map addresses all three shifts.
What does the Veza Acquisition mean for ServiceNow and this Map?
ServiceNow’s acquisition of Veza, which closed in early March 2026, is directly relevant to several of these new domains. Veza’s core technology is an Access Graph that maps and analyzes access relationships across human, machine, and AI identities, essentially providing the identity intelligence layer that the original map lacked.
Specifically, Veza brings capabilities in identity security posture management (ISPM), non-human identity security, AI agent security, and next-generation IGA — all grounded in an access graph that provides cross-platform entitlement visibility. KuppingerCole characterized the acquisition as moving ServiceNow “from an identity-adjacent platform into a credible identity player.” That framing is fair. ServiceNow’s workflow engine and CMDB were always strong foundations for IAM orchestration, but the platform lacked native identity workflows. Veza closes that gap.
For IAM practitioners, the practical question is how Veza’s capabilities will integrate with existing ServiceNow IAM patterns — particularly around CSDM, IRM, SecOps, and HRSD products already mapped in this framework. That integration story is still unfolding. What I can say is that the capability map is designed as a planning framework, not a product datasheet. It describes what capabilities an enterprise IAM program needs, and isn't focused on the specifics of any single vendor.
Here’s what has changed and why it is important for practitioners planning IAM programs in 2025–26:
New Domain: Non-Human & Agentic Identity Governance.
This is the most significant structural addition. The original map focused on human lifecycle patterns. That gap is now closed. The new domain includes sub-capabilities for NHI discovery and inventory, ownership attribution and accountability mapping, delegated authority management (tracking scope chains when one agent invokes another), runtime behavioral policy enforcement, ephemeral credential lifecycle, dormancy detection, and agent scope and permission boundary enforcement.
Planning implication: If your IAM program doesn’t have a distinct workstream for non-human identities, this domain gives you the capability taxonomy to stand one up. Start with NHI discovery and ownership attribution. Most organizations don’t know how many service accounts and API keys they have, let alone who owns them.
New Domain: Entitlement Management
This directly addresses one of the most common questions I received on the original article — where entitlements are stored and how to get visibility across applications. If you’re dealing with role explosion or permission sprawl in SaaS and cloud environments, this domain frames the capabilities you need.
Integrated Domain: Identity Threat Detection & Response (ITDR)
The original map had no domain for runtime identity threat detection. The new ITDR domain covers identity-based anomaly detection, compromised identity response workflows, authentication pattern analytics, lateral movement detection via identity signals, session hijacking detection and revocation, and integration with SOC/SIEM/XDR platforms.
Planning implication: ITDR bridges your IAM and security operations programs. If your organization treats identity governance and security monitoring as separate disciplines with separate toolchains, this domain maps the intersection and makes the case for connecting them.
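To make the intersection concrete, here is an added Python example (not code from this article, ServiceNow or Veza) that runs three identity-centric detections over a constructed, already normalised event stream: a service account logging on interactively, a session whose source IP and client change mid-life (the hijack signal), and one identity authenticating to several hosts in a short window (the lateral-movement signal). The event schema, the thresholds and the response action names are assumptions; the output is JSON lines, which is the usual hand-off to a SIEM or SOAR pipeline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

LATERAL_HOSTS = 3                       # distinct hosts ...
LATERAL_WINDOW = timedelta(minutes=10)  # ... within this window (assumed thresholds)

# Constructed sample identity telemetry (IdP + endpoint logons), already normalised.
# The field names are an assumption for this example, not a SIEM or IdP schema.
EVENTS = [
    {"ts": "2026-03-10T09:00:00", "identity": "jdoe", "type": "human", "event": "interactive_login",
     "host": "ws-01", "src_ip": "10.0.0.5", "ua": "Chrome/123", "session": "s1"},
    {"ts": "2026-03-10T09:05:00", "identity": "jdoe", "type": "human", "event": "token_use",
     "host": "app-hr", "src_ip": "10.0.0.5", "ua": "Chrome/123", "session": "s1"},
    # same session cookie, new network location and client: classic stolen-session signal
    {"ts": "2026-03-10T09:06:00", "identity": "jdoe", "type": "human", "event": "token_use",
     "host": "app-hr", "src_ip": "203.0.113.9", "ua": "curl/8.5", "session": "s1"},
    # a backup service account should never log on interactively
    {"ts": "2026-03-10T09:10:00", "identity": "svc-backup", "type": "service", "event": "interactive_login",
     "host": "ws-17", "src_ip": "10.0.0.40", "ua": "rdp", "session": "s2"},
    {"ts": "2026-03-10T09:11:00", "identity": "svc-backup", "type": "service", "event": "network_logon",
     "host": "srv-db1", "src_ip": "10.0.0.40", "ua": "smb", "session": None},
    {"ts": "2026-03-10T09:12:00", "identity": "svc-backup", "type": "service", "event": "network_logon",
     "host": "srv-db2", "src_ip": "10.0.0.40", "ua": "smb", "session": None},
    {"ts": "2026-03-10T09:13:00", "identity": "svc-backup", "type": "service", "event": "network_logon",
     "host": "srv-fs1", "src_ip": "10.0.0.40", "ua": "smb", "session": None},
]


def _alert(rule, e, action):
    return {"rule": rule, "identity": e["identity"], "ts": e["ts"], "host": e["host"], "action": action}


def detect(events=EVENTS):
    """Run three identity-centric rules over an ordered event stream and return alerts."""
    alerts = []
    session_binding = {}               # session id -> (src_ip, user agent) at first sight
    host_history = defaultdict(list)   # identity -> [(ts, host)] for logon events
    lateral_alerted = set()            # alert once per identity, not once per extra host
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])

        # Rule 1: service accounts are non-interactive by definition.
        if e["type"] == "service" and e["event"] == "interactive_login":
            alerts.append(_alert("service_account_interactive_login", e, "disable_account_notify_owner"))

        # Rule 2: a session whose network/client fingerprint changes mid-life is suspect.
        sid = e.get("session")
        if sid:
            fp = (e["src_ip"], e["ua"])
            if sid not in session_binding:
                session_binding[sid] = fp
            elif session_binding[sid] != fp:
                alerts.append(_alert("session_binding_changed", e, "revoke_session_force_reauth"))

        # Rule 3: one identity authenticating to many hosts in a short window.
        if e["event"] in ("interactive_login", "network_logon"):
            hist = host_history[e["identity"]]
            hist.append((ts, e["host"]))
            recent_hosts = {h for t, h in hist if ts - t <= LATERAL_WINDOW}
            if len(recent_hosts) >= LATERAL_HOSTS and e["identity"] not in lateral_alerted:
                lateral_alerted.add(e["identity"])
                alerts.append(_alert("lateral_movement_burst", e, "revoke_credentials_isolate_hosts"))
    return alerts


def to_siem(alerts):
    """Serialise alerts as JSON lines for hand-off to a SIEM/SOAR pipeline."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


if __name__ == "__main__":
    print(to_siem(detect()))
```

Each alert carries a response action because the point of ITDR is that the IAM side can act (revoke the session, disable the account) rather than only notify. The service-account rule is the cheapest of the three and needs only the inventory from the NHI domain to know which identities are "service".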
Renamed: Adaptive Access & Authentication (was Authentication / Authorization)
This aligns the capability map with zero trust architecture principles, specifically the NIST SP 800-207 concept that access decisions should be re-evaluated continuously, not just at the authentication boundary. If your organization is pursuing zero trust, this domain provides the IAM-specific capability structure.
Renamed: Credential Management (was Password Management)
Password Management as a standalone domain was overweight relative to where the industry is heading. The renamed domain retains all existing password capabilities but adds API key and token lifecycle management, certificate and secret management, and passkey enrollment and management. This naturally accommodates non-human credential types alongside human ones.
Renamed: Compliance & Continuous Governance (was Compliance Management)
The original compliance domain was built around periodic controls — recertification cycles, SoD scanning, and policy violation detection. The expanded domain adds continuous compliance monitoring and real-time policy violation alerting with automated remediation. This reflects the shift from calendar-driven governance to event-driven governance.
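An added Python example of what event-driven governance looks like in practice (written for this update; not ServiceNow, Veza or IRM code): entitlement grant and revoke events are replayed as they arrive, a separation-of-duties rule set is checked on every grant, and a conflict is remediated immediately by reverting the grant that created it and recording a ticket-worthy action for the owner. The rules, the event stream and its field names are constructed assumptions.

```python
from collections import defaultdict

# Constructed SoD rule set: holding both entitlements in a pair is a violation.
SOD_RULES = [
    ("ap.vendor_create", "ap.payment_approve", "create a vendor and approve its payments"),
    ("hr.salary_edit", "payroll.run", "edit salaries and run payroll"),
]

# Constructed entitlement change stream as a governance engine would receive it
# (joiner/mover/leaver feed plus access-request fulfilment). Schema is an assumption.
EVENTS = [
    {"seq": 1, "user": "jdoe", "op": "grant", "entitlement": "ap.vendor_create", "source": "jml"},
    {"seq": 2, "user": "jdoe", "op": "grant", "entitlement": "ap.payment_approve", "source": "access_request"},
    {"seq": 3, "user": "asmith", "op": "grant", "entitlement": "hr.salary_edit", "source": "jml"},
    {"seq": 4, "user": "asmith", "op": "revoke", "entitlement": "hr.salary_edit", "source": "jml"},
    {"seq": 5, "user": "asmith", "op": "grant", "entitlement": "payroll.run", "source": "access_request"},
]


def process(events=EVENTS, rules=SOD_RULES, exceptions=frozenset()):
    """Replay entitlement changes, detect SoD violations as they arise, and auto-remediate.

    Remediation reverts the grant that created the conflict (the later one) rather than
    the pre-existing entitlement, and records an action for the owner to review.
    `exceptions` holds (user, entitlement_a, entitlement_b) tuples with an approved waiver.
    Returns (actions, current holdings per user).
    """
    holdings = defaultdict(set)
    actions = []
    for e in sorted(events, key=lambda x: x["seq"]):
        held = holdings[e["user"]]
        if e["op"] == "revoke":
            held.discard(e["entitlement"])
            continue
        held.add(e["entitlement"])
        for a, b, description in rules:
            if {a, b} <= held and (e["user"], a, b) not in exceptions:
                held.discard(e["entitlement"])          # revert the conflicting grant
                actions.append({
                    "seq": e["seq"], "user": e["user"], "violation": description,
                    "auto_revoked": e["entitlement"], "triggered_by": e["source"],
                    "open_ticket": True,
                })
    return actions, {u: sorted(s) for u, s in holdings.items() if s}


if __name__ == "__main__":
    actions, holdings = process()
    for action in actions:
        print(f"seq {action['seq']}: {action['user']} can {action['violation']}; "
              f"revoked {action['auto_revoked']} ({action['triggered_by']})")
    print(holdings)
```

The second user never ends up in violation because the revoke at seq 4 lands before the conflicting grant at seq 5; a quarterly campaign would see only the end state and learn nothing, whereas the event stream shows the sequence. Waivers are modelled explicitly so that an approved exception does not trigger auto-remediation.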
Expanded: Reporting, Audit & Observability
The reporting domain now includes chain-of-custody logging for agent delegation chains (tracing any action back through the chain to an accountable human) and access decision audit trails that capture why access was granted, denied, or escalated. These additions are essential for organizations deploying agentic AI at scale.
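The delegated-authority sub-capability from the Non-Human & Agentic Identity Governance domain and the chain-of-custody logging described here are two sides of the same mechanism, so one added Python example serves both (example code written for this update, not ServiceNow or Veza code). A delegation chain is valid only if it is rooted at a human, is bounded in depth, and never widens scope from one hop to the next; every decision returns an audit record that names the accountable human, the full chain, and the reason for the outcome. Actor names, scope strings and the depth limit are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_DEPTH = 4   # longest delegation chain this example tolerates (assumed policy value)


@dataclass(frozen=True)
class Hop:
    actor: str
    kind: str               # "human" | "agent" | "service"
    scopes: frozenset       # what this hop may do, as granted by the previous hop


def validate_chain(chain: list[Hop]) -> tuple[bool, str]:
    """A valid chain is rooted at a human, is bounded in depth, and only ever narrows scope."""
    if not chain:
        return False, "empty chain"
    if chain[0].kind != "human":
        return False, f"root actor {chain[0].actor} is not an accountable human"
    if len(chain) > MAX_DEPTH:
        return False, f"chain depth {len(chain)} exceeds {MAX_DEPTH}"
    for i in range(1, len(chain)):
        escalated = chain[i].scopes - chain[i - 1].scopes
        if escalated:
            return False, f"scope escalation at hop {i} ({chain[i].actor}): {sorted(escalated)}"
    return True, "ok"


def authorize(chain: list[Hop], required_scope: str, resource: str, now=None) -> dict:
    """Decide the request and return the audit record explaining why."""
    now = now or datetime.now(timezone.utc)
    record = {
        "ts": now.isoformat(),
        "resource": resource,
        "required_scope": required_scope,
        "chain": [h.actor for h in chain],
        "accountable_human": chain[0].actor if chain and chain[0].kind == "human" else None,
    }
    ok, reason = validate_chain(chain)
    if not ok:
        return {**record, "decision": "deny", "reason": reason}
    leaf = chain[-1]
    if required_scope not in leaf.scopes:
        return {**record, "decision": "deny", "reason": f"{leaf.actor} holds no {required_scope}"}
    return {**record, "decision": "allow", "reason": "scope held and every hop attenuates"}


# Constructed chains; actor names and scope strings are assumptions for the example.
HUMAN = Hop("jdoe", "human", frozenset({"itsm:read", "itsm:write", "hr:read"}))
TRIAGE = Hop("agent-triage", "agent", frozenset({"itsm:read", "itsm:write"}))
SEARCH = Hop("agent-kb-search", "agent", frozenset({"itsm:read"}))
ROGUE = Hop("agent-payroll", "agent", frozenset({"itsm:read", "payroll:write"}))  # asks for more than it was given

GOOD_CHAIN = [HUMAN, TRIAGE, SEARCH]
ESCALATING_CHAIN = [HUMAN, TRIAGE, ROGUE]
HEADLESS_CHAIN = [TRIAGE, SEARCH]


if __name__ == "__main__":
    for chain, scope in [(GOOD_CHAIN, "itsm:read"), (GOOD_CHAIN, "hr:read"),
                         (ESCALATING_CHAIN, "itsm:read"), (HEADLESS_CHAIN, "itsm:read")]:
        r = authorize(chain, scope, "incident/INC0010042")
        print(r["decision"], "->", r["accountable_human"], "|", r["reason"])
```

Two design points matter here. Scope attenuation is checked hop by hop, so an agent that was handed a narrow scope cannot widen it by calling another agent, and the check fails closed on the hop that escalated, which is what the audit trail needs to name. The headless chain is denied even though the leaf holds the scope, because without a human at the root there is nobody to hold accountable for the action.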
What I’d Appreciate From You
The original version of this article generated good questions and great feedback. Those conversations made the map better. I’d like to continue that. Specifically, I’m looking for feedback on three things:
- Whether the new Non-Human & Agentic Identity Governance domain captures the right sub-capabilities for how you’re thinking about NHI governance
- Whether Entitlement Management as a standalone domain reflects a real planning need in your organization or whether it’s better integrated elsewhere
- Whether the ITDR domain adequately bridges the gap between your IAM and security operations teams.
The map is a living artifact. If your experience tells you something is missing, misplaced, or overstated, I want to hear it. Drop a comment below or reach out directly.
For assistance, contact your ServiceNow Client team, Impact team, or implementation partner(s).
____________________________________
Initial Article:
Wikipedia describes identity and access management (IAM or IdAM, also known simply as Identity management) as a framework of policies and technologies to ensure that the right users (that are part of the ecosystem connected to or within an enterprise) have the appropriate access to technology resources.
IAM Challenges
Many organizations typically begin their identity management using readily available tools such as spreadsheets and email. Over time, this approach evolves into a more mature system where individual departments purchase specific solutions to address their unique challenges. However, these solutions often lack a comprehensive, enterprise-wide strategy.
While these department-specific processes may function well on their own, they often require significant manual effort, including the use of email, spreadsheets, or even expensive external consultants, to integrate into end-to-end value streams. Moreover, Identity and Access Management (IAM) risk data is frequently isolated, necessitating manual processing to integrate and contextualize it within the broader business impact.
Today, many organizations are shifting towards a strategic, integrated approach that considers the entire organization. Instead of asking, “What’s best for a specific department?” they are now asking, “What’s best for the entire organization in terms of serving the business?”
Cyber Risk Control Tower
ServiceNow offers a comprehensive platform that brings together all components of Identity and Access Management (IAM). This integration simplifies processes, reduces complexity, and bolsters security. With ServiceNow’s workflow capabilities, organizations can automate various IAM processes. This includes everything from user onboarding, managing ongoing access requests and approvals throughout the user’s access journey, to user offboarding, all while preserving essential audit records.
Furthermore, ServiceNow’s Common Service Data Model (CSDM) enables organizations to keep track of entitlements for customers, employees, and vendors. This visibility facilitates the governance of access controls and compliance with automated user certifications, thereby minimizing unauthorized access.
For assistance, contact your ServiceNow Account team, Impact team, or implementation partner(s). We appreciate your feedback & questions! Share your thoughts below.
Great that you highlight the importance of identity and access management, as it is crucial for companies to thrive efficiently and securely! I work as a Senior IAM consultant at Appmore, and through our customer IAM implementation projects, I've witnessed the struggles some companies face before implementing a comprehensive identity and access management solution to cover the whole organization. For example, with the leaver process; before we automated that, everything was scattered and we discovered numerous active accounts for offboarded identities.
Great post!
Is there an actual product for this on the platform? or is this just a reference architecture for something that is possible?
@Kevin Clark1 Yes, there is. Check out the IAM Application on the ServiceNow Store!
FYI, Clear Skye is a native IGA solution, built on ServiceNow, not siloed and integrated. Being on platform, it opens up a huge amount of "better together" use cases.
https://store.servicenow.com/store/app/e88923221b246a50a85b16db234bcb7a
Thanks for the response! I'm aware of Clear Skye (#1 CJ and the Duke fan right here - I hear sponsorship messages from Rob) and when I'm proposing options I'll definitely be including third-party store options. I just thought given there's this thread it might be implying that there are some appropriate tables or features OOTB for my immediate need to store entitlements.
@Ian Leu I see you updated the diagram, and now that I look a bit closer the colour coding is clearer to me. I'm reading this to imply that the IAM access right repository (which is my immediate concern) is not on-platform and is "in the purple". This is very helpful. Thank you. That was my belief and understanding of the current state of play for this area.