AI and Platform Security Zurich Innovations

If you've been scrolling TikTok over the summer then you know that "nothing beats a Jet2 holiday" - except for maybe the new Platform and AI Security features in the Zurich release! We’re excited to share our latest innovations to help you safeguard sensitive data, strengthen access controls, and improve security operations—while making it easier for admins to manage it all. Make sure to check out our Discover What's New in ServiceNow Zurich Release for AI and Platform Security webinar on October 8 to hear directly from the Product Management team.

AI & Platform Security Foundational Updates

• Controlling data access for integrations is just as critical as managing access for human users. Previously, admins had to search across multiple locations to identify which integrations were running, often relying on user-focused controls that didn’t suit machine accounts—and frequently without visibility into whether these integrations were securely configured. Machine integrations require their own dedicated approach. With the Zurich release, we’ve introduced Machine Identity Console, providing clear visibility into inbound integration accounts across the ServiceNow AI Platform. The console highlights security findings, such as integrations using basic authentication or those inactive for over 100 days, and delivers actionable recommendations to strengthen integration security. This helps admins quickly improve security and make informed decisions about how machine accounts are set up.
• Machine Identity Console is accompanied by a new type of ACL for inbound API integrations - Machine Identity Access Control, which lets admins define user access profiles to govern exactly what inbound machine integrations can access. Instead of giving blanket API permissions, admins choose specific REST or SOAP endpoints or tables that each integration user can interact with—helping ensuring tighter governance and reducing security risk
• We introduced mandatory Multi-Factor Authentication in the Yokohama release to raise the bar for platform security. Not all authentication factors are created equal—FIDO2 is the gold standard for a second factor, but it isn’t always practical for every user. Admin accounts, however, hold the keys to your platform and demand the strongest protection. With Zurich, you can now enforce an MFA policy that requires FIDO2 for admins, even if your end users use other methods.
• Just as machine integrations require different controls than human users, scripts running on the ServiceNow AI Platform also need their own governance. That’s why we introduced the Scripting Governance tool, enforcing a deny-by-default approach to scripting permissions. This helps admins restrict unauthorized or risky scripts, giving tighter control over script usage and strengthening overall platform security.
• We recommend that you visit Security Center regularly to keep tabs on the state of your instance. Sometimes when you're there, you find work that needs to be done. In the Zurich release, we've added Security Tasks to monitor, prioritize, and assign all your security-related tasks in one place.

ServiceNow Vault and Domain Separation

• ServiceNow Vault Console provides a guided experience for discovering and classifying sensitive data within CSM and FSO workflows. It offers recommendations for protecting newly discovered sensitive data, plus customizable dashboards to track key metrics. It integrates with Now Assist to form a foundation for AI-powered governance and compliance—shifting from disconnected point solutions to a workflow-focused approach to safeguarding data. For example, an admin working with sensitive CSM workflows can auto-classify sensitive data, get insights into user activity and risk, and act on recommendations—all without deep security expertise.
• Now Assist for Vault brings generative AI to Vault, simplifying the process of protecting sensitive data. It can generate custom regex patterns, schedule and summarize data discovery jobs, and show who has access to encryption keys—all from the Vault Console. A platform admin preparing to clone an instance simply asks Now Assist to run a data discovery job. Fewer clicks, faster setup, and one pane of glass for administration.
• Platform admins use Data Discovery  in ServiceNow Vault's Data Privacy to find sensitive information accidentally entered into the wrong fields—like credit card numbers typed into a case description during a billing dispute. We've improved the data discovery framework in two keys ways. First, we have introduced policies made up of active patterns and target tables, enabling users to select specific columns for scanning. Second, we've also added flexibility to perform either incremental scans for speed or comprehensive full instance scans, which are valuable for audits.
• While the ServiceNow AI Platform offers many built-in patterns to detect common sensitive data, admins often need custom rules for unique cases. Writing these rules typically requires regular expression expertise, which not everyone has. So, we've added a simple text-to-regex feature as part of Now Assist for Vault for admins to simply describe the pattern they want in plain language, then the AI Platform automatically generates the matching regex—making custom data discovery easier and more accessible.
• Data Discovery customers could already find unstructured data like names, addresses, and locations that don’t follow standard patterns using NER (Named Entity Recognition) for real-time anonymization. However, as part of this release we added model-based detection (NER) of sensitive data to scheduled data discovery jobs as well.
• Data Discovery now supports detecting sensitive data in .xls, .xlsx and .csv formats to discover and handle hidden data in those formats.
• There are also some exciting updates to Data Anonymization with the introduction of recurring anonymization. Anonymization jobs can now be scheduled on a recurring basis (weekly or monthly) where each recurrence works incrementally to pick up modified or new records. Customers gain efficiency by configuring scans to run periodically while reducing scan times for subsequent job runs while still supporting comprehensive protection.
• Another exciting and impactful update is that customers can now anonymize encrypted fields, combining anonymization and encryption to achieve defense in depth for sensitive data protection. This empowers customers to comply with privacy regulations like the right to be forgotten and adds an extra layer of assurance, even when encryption alone may not suffice.
• Speaking of encryption, for customers requiring advanced data-at-rest encryption, ServiceNow Vault's Platform Encryption helps demonstrate compliance by encrypting both the entire storage volume and specific field values within the database. In this release, we’ve expanded encryption backed access control to include row conditions—allowing you to apply different encryption keys to fields on a per-row basis. This granular control lets you tailor encryption to specific data contexts, such as encrypting sensitive fields differently for HR cases versus general cases, enhancing security and compliance flexibility.
• ServiceNow Vault's Code Signing helps ensure that only trusted, verified scripts run on your MID server, protecting against unauthorized or tampered code. In the Zurich release, we’ve introduced quorum-controlled certificate revocation, allowing admins to invalidate compromised or outdated certificates. To avoid accidental revocations, quorum control now requires approval from multiple authorized admins before a certificate can be revoked. We also added the Code Signing health and status dashboard—a centralized, user-friendly interface that highlights configuration settings, monitors key components, and provides actionable guidance to help resolve issues quickly. These enhancements boost your control and visibility over the code signing environment.
• Domain Separation, which is not part of the ServiceNow Vault product line, introduces delete by domain - empowering domain admins to securely remove data specific to a customer or domain within a domain-separated instance. Prior to Zurich customers could not completely delete customer specific data or domains which caused issues with data governance guidelines. This new capability helps reduce storage usage and supports data lifecycle management by enabling targeted deletion without impacting other domains. With built-in safeguards and audit tracking, delete by domain streamlines data governance and helps meet compliance while maintaining isolation between domains.