Using agentic AI workflows in Now Assist for Security Incident Response

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
  • Use the Security Incident Response AI agentic workflows to complete your tasks autonomously.

    Agentic workflows and their AI agents use role masking to determine which users can access them. Ones installed with Now Assist applications have specific roles that come included with the application. If you select Users with specific roles for user access, you must configure the security controls to include these roles. For the instructions to change the security controls, see Define security controls for an agentic workflow.

    Note:
    Depending on your license, you will have access to certain application features, generative AI skills, agentic workflows, and AI agents. For more information, see ServiceNow product tiers.
    Important:
    Some Now Assist skills, agents, and agentic workflows are turned on by default. The default behavior works as follows:
    New customers
    When you install a Now Assist product, designated skills, agents, or agentic workflows are turned on automatically.
    Existing customers who are upgrading (starting with Australia Patch 4)
    There is no change to skills, agents, or agentic workflows that are currently enabled and customized.

    An AI asset is turned on if:

    • The Now Assist plugin is installed, but the asset was never turned on.
    • An admin has never adjusted roles for the skill.
    An AI asset is not turned on if:
    • The asset was previously turned on, and then turned off again.
    • An admin has adjusted roles for the asset.
    Table 1. Available agentic workflows for AI agents for Security Incident Response
    Agentic workflow name Description Available AI agents
    Wrap up security incident This agentic workflow helps the security analysts to close a security incident using natural language in the Now Assist panel. Security incident wrap-up generator AI agent
    Analyze security operations metrics

    This agentic workflow helps a security operations center (SOC) manager analyze their security analysts' performance.

    Metrics are generated for security incident response (SIR) records for case volume, mean time to assign (MTTA), and mean time to resolve (MTTR).

    • Security incident retrieval AI agent
    • Security metrics analysis AI agent
    Resolve security incident This agentic workflow helps the security analysts to identify a security incident resolution path. This workflow also assist the security analysts to close a security incident using natural language in the Now Assist panel.
    • Security incident resolution AI agent
    • Exchange online integration handling AI agent
    • Security incident wrap up generator AI agent
    • Observable analysis AI agent
    • Security incident activities handling AI agent
    • EDR AI agent
    Generate SIR Shift Handover Report This agentic workflow adds details of a security incident to the shift handover report. The agent populates the different sections of the shift handover with appropriate content by identifying the relevant details from the security incident. Security incident shift handover AI agent
    Important:
    By default, all agentic workflows and AI agent records are read-only.

    To modify an agentic workflow, you must first duplicate the agentic workflow. If required, you can add a trigger to invoke the workflow automatically.

    There might be AI agents installed with the Now Assist application that are not used in agentic workflows. To learn how to see all agents that are available to you, see Find AI agents.