Assuming you have Servers brought in manually or through Asset Management, you should be able to get what you are looking for by looking at the Discovery Source and the Most recent discovery fields.  If Discovery source is SN Asset Management or Unknown or null (or if you've been around prior to New York it could be "Duplicate") then that means that no IRE-enabled discovery source has updated the CI.  If the "Most recent discovery" field is empty or longer than some threshold, then it hasn't been getting discovered.

This can depend on what you mean by not scanned by discovery. If you are looking for servers where IP based or ACC discovery has not occurred, but you are bringin it in from other sources via IRE, it may be possible to use Multisource CMDB reports (or CMDB 360) - BUT, that is assuming that you are using SG connectors to import data from others sources like SCCM, JAMF, Intune etc.

The other option is a little more manual, where you need to compare your list of discovered CI's to external data sources. Bit more fiddly, but auditing is a huge part of any configuration management process and is crucial to ensuring that your CMDB is accurate. The more you can audit within ServiceNow, the easier it is, but sometimes you have to do things the harder way.

Exports from your cloud providers, or maybe from Vcenter, IBM HMC etc are a great source. Maybe some security scanning tools, AV tools etc. As mentioned above, Asset Management data will be useful also