Introduction
Artificial intelligence is transforming how organizations operate—but it's also introducing a new class of security risks that traditional tools can't address. From shadow AI running on employee laptops to misconfigured AI agents in low-code platforms, enterprises are struggling to see and secure their entire AI attack surface. AI Security Exposure Management (AI SEM), a unified solution to monitor, prioritize, and remediate AI security exposures across your organization is now available as GA.
ServiceNow AI Security Exposure Management integrates with leading security platforms like Cisco AI Defense and Palo Alto Prisma AIRS, bringing together all AI security findings—vulnerabilities, validation or automated red teaming findings, and posture / configuration issues—into a single, unified platform for triage, assignment, and remediation.
AI SEM extends Unified Security Exposure Management (USEM) to help organizations monitor and reduce AI attack surface.
Three Categories of AI Security Exposures
AI SEM addresses three distinct types of security exposures that organizations face. For all these three categories, AI SEM integrates with security platforms to continuously scan your environment for the vulnerabilities or posture issues, create remediation tasks, assign to remediation owners using business context from CMDB, and automatically assess the risk based on affected AI asset and the criticality of associated services from CMDB to prioritize remediation.
AI Vulnerabilities
AI vulnerabilities are weaknesses found in open-source AI models before they're deployed in your environment. When organizations download models from repositories like Hugging Face, store them in model repositories (e.g., S3 buckets), and integrate them into applications, they inherit whatever vulnerabilities exist in those models.
For example, a customer support AI agent built on an open-source LLM containing a known arbitrary code execution vulnerability. These vulnerabilities—such as arbitrary code execution, backdoors, or unsafe operators—typically don't have CVEs, but they're exploitable when models are loaded into production.
AI Validation Findings: Behavioral risks caught through red teaming
AI validation findings represent behavioral risks discovered during automated red teaming. Security platforms send carefully crafted prompts to AI application endpoints to test how they respond to adversarial inputs. If an AI application leaks sensitive data, generates harmful content, or exhibits other unwanted behaviors, this is flagged as a validation finding.
For example, an AI application could be tricked into disclosing customer PII through prompt injection techniques—a critical security issue that wouldn't show up in traditional vulnerability scans.
What makes validation findings unique is that they represent behavioral risks specific to your deployment. The same model might behave safely in one context but dangerously in another depending on system prompts, connected tools, and guardrails. AI SEM through its integration with security platforms tracks:
- Threat categories (financial fraud, sensitive information disclosure, etc.)
- Attack techniques (prompt injection, jailbreaking, etc.)
- Response history to show if issues are persistent or intermittent
- Associated guardrails that might already mitigate the risk
AI Posture Findings
The third category addresses security misconfigurations and shadow AI issues—the hardest risks to spot because they're scattered across multiple platforms and created by non-technical users.
Examples:
- Scenario A: A business analyst creates a customer-support agent in Microsoft Copilot Studio with anonymous web access enabled, then connects it directly to a SharePoint site containing HR records. No authentication. No data-loss prevention controls. The agent is now public-facing with access to sensitive employee data.
- Scenario B: A data scientist runs a local AI agent (using Ollama or LM Studio) wired to MCP servers with broad filesystem and internal API access—all outside IT inventory, with zero policy enforcement or activity logging.
- Scenario C: A developer commits an agent's system prompt to a public GitHub repository, revealing internal tool names, API endpoints, and instructions to "ignore user role checks for admins"—creating a roadmap for privilege escalation attacks.
These aren't vulnerabilities or behavioral risks; they're configuration mistakes and governance gaps. AI SEM's posture findings help security teams see where AI assets are deployed, who created them, what they're connected to, and where the risks lie.
AI Security Exposure Management Benefits
Rather than forcing security teams to juggle multiple tools, ServiceNow brings AI security findings into a single, powerful platform built on the Unified Security Exposure Management (USEM) framework by leveraging integrations with various AI security platforms such as Cisco AI Defense, Palo Alto etc.
Unified Visibility Across All AI Exposures
AI SEM extends ServiceNow's Security Exposure Management to include AI-specific findings. All findings—whether they're model vulnerabilities, validation findings, or posture issues—appear in a unified dashboard where security teams can:
- View filtered data by exposure type to focus on the risks that matter most
- View breakdowns by threat category, MITRE ATT&CK technique, and OWASP LLM Top 10
- Track remediation progress with metrics like findings approaching target, overdue findings, and deferred findings
- Assess AI inventory metrics showing which models have vulnerabilities, how many agents were tested, and which platforms pose the highest risk
Intelligent Assignment Using CMDB Context
AI SEM doesn't just import findings—it enriches them with business context from your CMDB. When a security exposure is discovered in an AI asset (model, agent, tool etc.) and ingested by AI SEM from the AI security platform:
- ServiceNow AI SEM links the finding to the asset in the AI inventory. Note that majority of AI assets in ServiceNow are stored under the 'Product Model' hierarchy (cmdb_model).
- AI assets in ServiceNow can be mapped to business applications and services so that this information can be used in assignment rules within AI-SEM.
- AI SEM calculates business-aware risk scores based on criticality of dependent services (using risk calculators)
- AI SEM auto-assigns findings to the right teams using assignment rules
This means high-risk findings (e.g., vulnerabilities in models powering mission-critical applications) bubble to the top, while lower-risk findings can be triaged separately.
Given below is an example of assignment rule that assigns the AI security findings to the owner of associated business application (script based).
(function process(current) {
var modelSysId = current.getValue('cmdb_model');
if (gs.nil(modelSysId)) return;
var relationCI = new sn_sec_ai_cmn.AISecCmnRelationCI();
// Product Model → ALM Digital Assets (via alm_ai_digital_asset.model)
var assetSysIds = relationCI.getAssetsByModel(modelSysId);
if (assetSysIds.length === 0) return;
// ALM Assets → CIs (via cmdb_rel_asset_ci)
var ciSysIds = [];
var relAssetCI = new GlideRecord('cmdb_rel_asset_ci');
relAssetCI.addQuery('asset', 'IN', assetSysIds.join(','));
relAssetCI.query();
while (relAssetCI.next()) {
var ciSysId = relAssetCI.getValue('configuration_item');
if (!gs.nil(ciSysId))
ciSysIds.push(ciSysId);
}
if (ciSysIds.length === 0) return;
// CIs → Business Application (via cmdb_rel_ci, CI as child)
var relCI = new GlideRecord('cmdb_rel_ci');
relCI.addQuery('child', 'IN', ciSysIds.join(','));
relCI.query();
while (relCI.next()) {
var parentSysId = relCI.getValue('parent');
if (gs.nil(parentSysId)) continue;
var parentCI = new GlideRecord('cmdb_ci');
if (!parentCI.get(parentSysId)) continue;
var parentClass = parentCI.getValue('sys_class_name');
if (parentClass !== 'cmdb_ci_service' && parentClass !== 'cmdb_ci_business_app') continue;
// Business App → Assignment Group
var assignmentGroup = parentCI.getValue('assignment_group');
if (!gs.nil(assignmentGroup)) {
current.setValue('assignment_group', assignmentGroup);
return;
}
}
})(current);
Risk calculation using CMDB context
Similarly, risk calculators can be defined to use the criticality of business application or services associated with the AI assets to increase risk score for security findings identified by AI security platforms. Classification rules can also be used to map various AI assets (through Discovered AI Asset) to business applications / services and in turn used in risk calculators.
AI Guardrails Helper: Intelligent Mitigation Mapping
For validation findings, ServiceNow goes beyond identification—it helps teams understand which existing guardrails might already mitigate the risk.
The AI Guardrails Helper is an AI agent that:
- Analyzes validation findings from red teaming (e.g., "model is prone to leaking sensitive data")
- Queries deployed guardrails in your security platform (e.g., PCI detection, PII detection)
- Maps guardrails to findings showing which guardrails mitigate which risks
- Enables smart deferral allowing analysts to defer findings that are already protected by existing guardrails
How it works in practice: Security analysts see that a validation finding about data leakage is already mitigated by a deployed PII detection guardrail. Rather than creating unnecessary remediation work, they can defer the finding with a single interaction. If they want to defer entire categories of findings (e.g., "all privacy attacks until quarter end"), they can ask Now Assist to handle the bulk operation, and the system automatically creates exception rules for future findings of the same type.
Note: This capability is currently supported for guardrails deployed in Cisco AI Defense only. This will be extended to support other platforms in future.
AI SEM Integrations
ServiceNow AI SEM ships with integrations for the leading AI security platforms:
Cisco AI Defense Integration – Import AI security exposures such as model vulnerabilities and model validation findings (automated red teaming alerts) into AI Security Exposure Management and automate workflows for remediation
Palo Alto Prisma AIRS Integration – Import AI security exposures such as model vulnerabilities, model validation findings (automated red teaming alerts), and posture findings (configuration/policy violations) into AI Security Exposure Management and automate workflows for remediation
The data model for AI security posture findings (e.g., configuration issues identified in AI agents) is available in the current release. However, the findings in this category are going to be visible in AI SEM through integrations that will be made available on the store in future.
AI Service Graph Connectors and Better Together with AICT
AI Service Graph Connectors populate AI inventory data including assets such as models, agents, tools, MCP servers etc. in ServiceNow. While AI service graph connectors available for AI platforms such as AWS, Azure etc. on the store only focus on populating AI inventory data, AI service graph connectors created for security platforms such as Cisco AI Defense and Palo Alto have a distinct advantage. These service graph connectors also populate critical security metrics related to vulnerabilities and AI validation findings so that AI stewards can view these metrics from AI control tower. However, for AI stewards to drill down and perform further investigation on these metrics, they need to install AI SEM.
Currently, AI service graph connector for Palo Alto Networks Prisma AIRS is available as GA and AI Service Graph Connector for HiddenLayer in innovation labs.
Store apps
- AI Security Exposure Management
- AI Service Graph Connector for Prisma AIRS
- Prisma AIRS Integration for AI Security Exposure Management
- Cisco AI Defense Integration for AI Security Exposure Management
We would love to hear from you if you have any comments or feedback. Please drop your comments below.
