Identity and Access Management (IAM) traditionally centers on safeguarding human identities by implementing measures like Single Sign On (SSO), Multi-factor authentication (MFA), and scheduled access reviews. While this is critical, one area often receives less attention — Machine identities.
Machine identities represent accounts that enable communication between applications, services, and systems. In the context of Servicenow, Machine identity refers to a service account, which is specifically created to allow secure authentication and authorization for an inbound integration.
Unlike user accounts tied to individual employees, Machine identities are linked to workloads or applications. These identities have their own credentials and are granted permissions required for the integration — from simple read-only access to elevated administrative privileges.
Because they run unattended, service accounts power critical automations and data flows but are easy to forget, misconfigure, or leave active even when unused — creating security and compliance risks.
ServiceNow’s Machine Identity Console solves this challenge by providing a single place to discover, secure, and manage service accounts in ServiceNow which are used for inbound API integrations. It guides you through three key stages:
- Discover – Identify all service accounts used for inbound API integration, how they authenticate and what they access.
- Assess Risk – Identify risky machine identities such as dormant accounts, those using Basic Authentication, and accounts with Web Service Access disabled.
- Remediate – Follow actionable recommendations to reduce risk.
Let’s take a closer look at each stage
Step 1: Discover – Identify all the Service Accounts
The first step to securing machine identities is achieving visibility into which accounts are being used for inbound API integrations. The Machine Identity Console finds machine identity by finding accounts that meet this criteria:
- Accounts with Web Service Access Enabled – Any user with web_service_access_only = true is considered a machine identity.
- Accounts with API Activity – Even if not explicitly marked as service accounts, any account that has made API calls is considered a machine identity.
To view these accounts in machine identity console: Navigate to Overview → Total Machine Identity (Integration) Accounts.
The Machine Identity Console provides detailed visibility into the unique API calls made by each machine identity, allowing you to see which APIs are being accessed and the authentication methods used for those calls.
To view this information: Navigate to Overview → Unique API Calls – Last 7 Days.
Step 2: Assess Risk – Identify risky machine identities
Once you have full visibility into your machine identities, the next step is to evaluate their security posture. Machine Identity Console analyses each identity and flags potential risks, such as:
- Accounts with no login for 100 days – Service accounts that have not logged in or made API calls for 100 days
- Accounts using Basic Authentication– Accounts still using Basic Auth, which transmits credentials in plaintext and lacks modern security features like token expiration or scoped access.
- Integration accounts with Web Service Access only Flag disabled – Integration accounts that have Web Service Access turned off, allowing them to log in through the UI instead of being restricted to API access.
- Accounts performing both UI and API logins– Accounts performing both UI and API logins, increasing the misuse of machine identities.
The console presents these findings in a risk dashboard and calculates a Machine Identity Security Score to help you prioritize remediation efforts.
To view the Machine identity security score: Navigate to Overview > Machine Identity Security Score.
You can view the accounts flagged for risk in each of the four categories by clicking on the corresponding category. For example, click on ‘Accounts using Basic Authentication’ to see all accounts still using username+ Password to access APIs.
Step 3: Remediate – Reduce Risk
After identifying risky accounts, the next step is remediation. The Machine Identity Console provides actionable recommendations to help reduce risk, such as:
- Disabling unused accounts – Remove accounts that are no longer needed to minimize exposure.
- Updating authentication methods – Move to modern, secure standards like OAuth.
- Enabling Web Service Access only flag – Restrict accounts to API-only access and prevent UI logins.
- Separating UI and API logins – Accounts performing both UI and API logins. should be reviewed. Consider creating separate accounts: one exclusively for UI access and another solely for integration.
Following these recommendations ensures that machine identities are secure, compliant, and properly managed, reducing the risk of misuse or unauthorized access.
To view detailed remediation recommendations: Navigate to the relevant risk category and select the account name.
Effective management of machine identities is critical for maintaining secure and compliant API integrations. By using the Machine Identity Console to discover all service accounts, assess their risk, and remediate vulnerabilities, organizations can reduce exposure from dormant accounts, weak authentication methods, and improper configurations. The console provides visibility into account activity, highlights risky behaviors, and offers recommendations, making it easier to maintain secure integrations and ensure that machine identities are properly managed throughout their lifecycle.
If you’re curious, skeptical, or just ready to clean up your service accounts, we’d love to hear from you.
Our team has rolled out some fantastic new features in this Zurich release—visit our blog to discover all the details.
If you loved this blog, be sure to check out Introducing Machine Identity Console
