Why machine identity matters more than ever
In today’s hyperconnected cloud environments, machine identities—those assigned to APIs, services, and non-human entities—are everywhere. They’re the glue that holds secure integrations together. But when mismanaged, they become a risk vector.
We’ve seen it too often:
- Service accounts used by both humans and APIs
- Basic authentication credentials floating around in plaintext
- No clear way to audit who (or what) is doing what
That’s why we built Machine Identity Console—to bring clarity, control, and confidence to how you manage inbound API integrations.
What is a machine identity at ServiceNow?
In the context of our Machine Identity Console, a machine identity specifically refers to a service account used for inbound API integrations. We provide visibility into these identities by showing all accounts that have 'Web Service Access Enabled' set to true and/or that have accessed an API. These identities are essential for automation, integration, and secure communication, but they’re often invisible and unmanaged.
Machine Identity Console: Built for real-world use
The console is your single view into all inbound integrations. It helps you detect and manage API connections with actionable insights and an intuitive UI.
Key features include:
- Improve security: Identify risks and follow the recommendations to improve your machine identity security with easy-to-follow steps.
- Visualize usage: See which machine identities accessed which APIs in the last 7 days.
- Track authentication methods: Know which identities are using basic auth, OAuth, or other methods and get recommendations to upgrade insecure configurations.
- Create new inbound integrations with OAuth in just a few clicks. The UI guides you through grant types and scopes, making it easier than ever to move from basic auth to OAuth.
Security findings and risk scoring
The console calculates a Machine Identity Security Score based on four key findings:
- Accounts with no login for 100 days
- Accounts using Basic Authentication
- Integration accounts with Web Service Access disabled
- Accounts performing both UI and API logins
This score helps you identify high-risk identities and take preventative action. For example, if you have an integration that has not been used in over 100 days, the console will suggest you deactivate it.
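The four findings above, expressed as checks over account and login records. This is an added example, not ServiceNow code: the record fields, finding labels and sample data are constructed, and the third finding is read here as an account that makes API calls while Web Service Access is off. No score is computed, because the article does not give the formula.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;
const STALE_DAYS = 100; // threshold stated in the article

// Constructed account inventory (hypothetical field names).
const sampleAccounts = [
  { name: "svc.cmdb", webServiceAccess: true },
  { name: "svc.hr", webServiceAccess: false },
  { name: "svc.legacy", webServiceAccess: true },
  { name: "svc.unused", webServiceAccess: true },
];
// Constructed login events: channel is "ui" or "api", auth is the method used.
const sampleLogins = [
  { account: "svc.cmdb", channel: "api", auth: "oauth", at: "2025-09-28T10:00:00Z" },
  { account: "svc.hr", channel: "api", auth: "basic", at: "2025-09-30T08:00:00Z" },
  { account: "svc.hr", channel: "ui", auth: "password", at: "2025-09-29T17:30:00Z" },
  { account: "svc.legacy", channel: "api", auth: "basic", at: "2025-05-01T00:00:00Z" },
];

function auditAccounts(accounts, logins, now) {
  return accounts.map((acct) => {
    const events = logins.filter((e) => e.account === acct.name);
    const apiEvents = events.filter((e) => e.channel === "api");
    // An account with no recorded login gets -Infinity, so it counts as stale.
    const last = events.reduce((m, e) => Math.max(m, Date.parse(e.at)), -Infinity);
    const findings = [];
    // Finding 1: no login for 100 days.
    if (now - last > STALE_DAYS * DAY_MS) findings.push("no_login_100_days");
    // Finding 2: account authenticates to APIs with Basic Authentication.
    if (apiEvents.some((e) => e.auth === "basic")) findings.push("basic_auth");
    // Finding 3 (assumed reading): API traffic while Web Service Access is off.
    if (!acct.webServiceAccess && apiEvents.length > 0) {
      findings.push("web_service_access_disabled");
    }
    // Finding 4: the same account logs in through both the UI and the API.
    if (apiEvents.length > 0 && events.some((e) => e.channel === "ui")) {
      findings.push("ui_and_api_logins");
    }
    return { name: acct.name, findings };
  });
}

const asOf = Date.parse("2025-10-01T00:00:00Z"); // fixed date so results are reproducible
for (const row of auditAccounts(sampleAccounts, sampleLogins, asOf)) {
  console.log(row.name.padEnd(12), row.findings.join(", ") || "no findings");
}
```
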
Security recommendations that drive action
Visibility is just the beginning. The console provides real, actionable recommendations to resolve each finding. Whether it’s removing unused accounts or upgrading authentication methods, you’ll get clear next steps to harden your integrations and improve your security posture.
No more dual-purpose service accounts
One of the biggest risks we see is service accounts being used by both people and APIs. It’s a recipe for confusion, over-privilege, and audit nightmares.
With the new console, we’re making it easier to separate concerns:
- Human identities should be tied to people.
- Machine identities should be scoped to APIs and services.
Keeping service accounts separate from human user accounts isn’t just a best practice, it’s crucial for compliance, security, and operational transparency. When an account is used both by a person and for integrations, it becomes difficult to track who performed which actions. Clear separation ensures you always know who did what, and that every account has only the access it truly needs.
Let’s talk about basic authentication (and why it’s time to move on)
Basic authentication might feel familiar, but it’s outdated. It sends credentials in plaintext, lacks granularity, and doesn’t support modern security practices like token expiration or scope-based access.
OAuth, on the other hand, is built for today’s security landscape:
- Token-based: No passwords flying around
- Scoped access: You define exactly what an identity can do
- Revocable and auditable: You can track, expire, and revoke tokens easily
If you’re still using basic auth, it’s time to rethink. The console not only flags accounts using basic auth, it also simplifies the process of creating new OAuth-based integrations with our new inbound integration experience. Learn more here.
Machine Identity Access Controls
To further secure your environment, ServiceNow provides Machine Identity Access Controls: a way to define which inbound APIs can access specific resources, under what conditions. Learn more here.
These controls help enforce least privilege and contextual security, ensuring that service accounts only do what they’re supposed to.
What’s next?
We’re just getting started. As we continue to evolve the console, we’re focused on:
- Automating identity lifecycle management
- Surfacing insights about risky or overprivileged identities
- Helping teams adopt OAuth with confidence
If you’re curious, skeptical, or just ready to clean up your service accounts, we’d love to hear from you.
Our team has rolled out some fantastic new features in this Zurich release—visit our blog to discover all the details. Don’t miss our upcoming webinar on the Machine Identity Console and the other latest updates:
- What's new in the Zurich release for Platform Security & ServiceNow Vault: October 8, 2025 at 8 AM PT | 11 AM ET | 5 PM CEST