Q1 2026 Release Highlights for Risk and Resilience

Welcome to the Q1 Release for ServiceNow Risk and Resilience!

 

This release delivers meaningful advances across AI governance, integrated risk management, privacy, third-party risk, and sustainability - all designed to help organizations manage complexity, strengthen compliance, and move faster. Whether you're a risk manager, compliance officer, or privacy professional, here's what you need to know.

 

Smarter Assessments, Faster Results

 

Two updates to Smart Assessment Engine make day-to-day risk work significantly easier. Granular delegation lets assessment owners assign specific sections to subject matter experts while retaining full ownership and submission control. No more reassigning entire assessments just to get input from the right people. Meanwhile, quick edit allows teams to fix typos and phrasing errors in assessment templates without creating new versions. Changes apply immediately across past, in-progress, and future assessments, with a full audit trail.

 

On the metrics side, advanced thresholds now support more than three risk levels with configurable ranges, so teams can detect risk escalation earlier and trigger automated workflows through Flow Designer when thresholds are breached.

 

AI Control Tower: Govern Any AI, Anywhere

 

As AI adoption accelerates, governance can't be an afterthought. The Q1 release introduces several new capabilities in AI Control Tower to help organizations manage AI risk at scale.

 

AI evaluation is a first step to monitor your AI agents’ performance, enables AI CoE to quickly see the health of your AI Systems using two Quality & Safety scoring. This scoring is enabled by span-to-session performance scoring for AI agents, making it possible to identify top performers to scale and under performers to fix, across all AI systems in runtime.

 

Risk-based classification and intake speeds AI deployment by pre-qualifying requests at submission and auto-approving low-risk systems, so governance teams can focus review effort where it matters most.

 

Anonymous reporting for AI cases lets employees report bias, discrimination, or security violations without fear of exposure, supporting EU AI Act readiness and capturing early-warning signals on misuse.

And with expanded coverage for Service Graph Connectors for AI discovery, organizations can now discover AI across 30+ systems including AWS Bedrock, Azure Foundry, Copilot Studio, GCP Vertex, Databricks,  n8n, and more, all in one inventory.

 

AI Gateway has expanded MCP server intake by connecting to the Anthropic-managed community MCP registry, giving product owners one-click access to vetted servers. The enforced approval mandates in ServiceNow AI Agent Studio, ensure builders can only select steward-approved MCP servers. The automated client registration lets a single CIMD-enabled credential cover all MCP servers on agent builder platforms like VSCode. Content scanning to block PII patterns in outgoing requests is available now.

 

Finally, new MCP server security metrics give teams real-time visibility into server registrations, usage patterns, and failed access attempts.

 

Integrated Risk Management

 

Several enhancements strengthen IRM workflows in this release. Control objective change management introduces a draft-and-approve workflow so updates can be reviewed before impacting compliance status, with changes classified as Major or Minor to trigger re-attestation when needed.

 

Compliance case anonymous reporting and compliance case summarization (powered by Now Assist) work together to surface issues faster: the former through confidential reporting with secure two-way communication, the latter by extracting key case information into AI-generated summaries so analysts can focus on investigation rather than documentation.

 

The risk identification agent has been enhanced to guide users through conversational AI that surfaces relevant risks from internal and external sources, while risk event dynamic user assignment ensures the right teams respond to every risk event by assigning ownership based on entity context and stakeholder personas. For federal and government customers, OSCAL AP support enables import/export of assessment plan data aligned with FedRAMP and NIST automation standards, with the flexibility to tailor controls post-selection.

 

Privacy Management

 

Privacy teams benefit from AI-driven case summarization (powered by Now Assist) that automatically generates summaries from documents, emails, and case history. New out-of-the-box regulatory content provides pre-mapped authority documents for GDPR, CCPA, LGPD, DPDPA, and NIST Privacy Framework, linked directly to control objectives and compliance baselines. Anonymous reporting and data lineage enhancements round out the privacy updates, making it easier to detect violations early and document data flows with activity-scoped views and geographic location tracking.

 

Third-party Risk Management

 

TPRM gets two notable upgrades. Third-party issue recommendations (powered by Now Assist) analyze historic issues and assessments to surface contextually relevant issue recommendations with rationalized summaries. Unified content management provides a centralized repository of pre-built smart assessment templates aligned with global regulatory frameworks, accelerating program deployment, and standardizing the experience.

 

Business Continuity & Sustainability

 

Digital resilience incident reporting export streamlines compliance to DORA and other regulations by enabling JSON export of action tasks, with automatic currency conversion for regulator-required reporting. And Operational Sustainability Management (formerly ESG Management) adds Socialsuite integration for CSRD-compliant double materiality assessments, advanced metric thresholds, and automated invoice-based metric extraction.

 

This is just a snapshot of what's new. To see these capabilities in action and explore the full release, join our upcoming Live on ServiceNow webinars for live demos, expert insights, and Q&A. Visit the Live on ServiceNow for GRC events page to reserve your spot. To see some demos of these features in action visit the “Risk feature demos in the Australia (Q1 26) release” blog post.

 

As always, feedback is welcome!