Governance for agentic development

  • Release version: Australia
  • Updated June 5, 2026
  • 5 minutes to read

    • Agentic development on the ServiceNow AI Platform accelerates application development by using AI to generate code and configurations from natural language prompts. However, speed must not compromise security, compliance, and maintainability.

    Governance addresses the following:
    • Risk and compliance: AI-generated apps meet enterprise security standards and regulatory requirements.
    • Quality assurance: Automated code is validated through testing and review.
    • Visibility and control: Prevents shadow IT and enforces lifecycle transparency.
    ServiceNow embeds security and governance directly into the agentic development workflow, so AI-generated applications meet enterprise standards by default. Build Agent automatically generates Access Control Lists (ACLs) that enforce role-based access, validates scripts for security vulnerabilities, and applies code optimization during generation. Every app that's vibe coded and developed with AI on the ServiceNow AI Platform includes audit trails, security controls, and compliance checks without requiring explicit prompts for these features.
    Note:
    Build Agent requires the admin role.

    Governance in an agentic development workflow

    AI-generated code and configurations can be produced faster than traditional development cycles, which compresses the window for review. When you describe an outcome and the AI generates the implementation, the resulting code, scripts, business rules, and access control configurations may not be immediately visible to the developer who prompted them. Governance practices fill that gap by making the outputs of agentic development auditable, testable, and aligned with organizational policy before apps reach production.

    Apps built through agentic development on the ServiceNow AI Platform are scoped applications and inherit the same platform controls as any other scoped app, including ACLs, update sets, and application scope boundaries. This means governance is not an additional layer applied after the fact, but part of the development environment from the start. The tools listed in this topic connect those controls to a review and approval workflow.

    Human review responsibilities

    Automated checks in the agentic development workflow, including ATF tests, security scans, and compliance validation, catch many issues before deployment. However, some decisions require human judgment that automated tools cannot replace.

    Review AI-generated output directly before deployment when any of the following are true.

    • The app accesses sensitive tables, personally identifiable information, or regulated data.
    • The app includes scripts, business rules, or integrations with external systems.
    • The app creates or modifies roles, ACLs, or cross-scope privilege records.
    • The generated output has not been tested against your organization's specific data or configuration.

    For apps generated by Build Agent, check the session summary and any generated documentation to understand what was built before promoting the app from a sandbox to a higher environment. Use AEMC to require approvals at key lifecycle stages.

    Governing apps built with AI Control Tower

    Apps and agents generated through agentic development are registered as AI assets in AI Control Tower, where AI stewards can track lifecycle progression, review security posture, and assess compliance from a single workspace. Registration happens as part of the development process, so governance visibility is established before an app reaches production.

    From the AI asset record in AI Control Tower, stewards can see governance health, evaluation scores, and risk classification for each generated app or agent. Security considerations specific to AI-generated assets are surfaced automatically, including agents with elevated permissions, agents that experience access-related errors, and agents that have been inactive for more than 90 days but still retain active permissions.

    If your organization uses AI Risk and Compliance, apps built through agentic development can be evaluated against regulatory frameworks such as the NIST AI Risk Management Framework and the EU Artificial Intelligence Act. Risk classification and compliance posture are available on the Risk and Compliance tab of each AI asset record.

    For more information, see AI Control Tower.

    Core governance principles

    1. Approval and oversight:
      • Use App Engine Management Center (AEMC) to approve app ideas and manage collaborators.
      • Require governance checkpoints before moving from sandbox in Developer Sandboxes to production.
    2. Controlled release management with ReleaseOps implementation practices:
      • Update sets and update set automation for version control.
      • Metadata-as-code pipelines for automated deployments.
    3. Secure development practices:
      • Enforce ACLs and role-based access for generated apps, which Build Agent can do.
      • Validate AI-generated scripts for security vulnerabilities.
      • Apply code optimization and review before publishing.
      • Create Cross-Scope Privileges to control which tables, scripts, and resources one scoped application can access from another. Use Cross-Scope Privileges to diagnose and resolve operation not allowed errors between scoped apps.
      • While creating agents and skills, Build Agent asks which users and roles it should operate as, as well as which users are allowed to access the agents or skills.
    4. Support for testing and validation:
      • Use Automated Test Framework (ATF) for functional and regression testing.
        Note:
        If you're using Build Agent, it automatically updates failing metadata to resolve ATF test failures, without you needing to manually run ATF tests.
      • Include peer review for critical workflows and integrations.
    5. Isolation of work with Developer Sandboxes:
      • Experiment and develop in Developer Sandboxes to avoid impacting production.
      • Align with Git-style branching for concurrent development.

    Governance checklist for apps built with AI assistance

    1. App idea approved in AEMC.
    2. ACLs and security roles applied.
    3. Code reviewed and optimized.
    4. ATF tests executed and passed.
    5. Release pipeline validated.
    6. Documentation generated (such as summaries and flow explainers).
    7. Compliance and audit logs updated.

    Governance tools and resources

    Table 1. Tools and resources for governance
    Tool Description More information
    App Engine Management Center Governance hub for approvals and monitoring. App Engine Management Center
    AI Control Tower Monitors AI agent behavior, enforces guardrails, tracks AI-generated code changes, and provides dashboards showing which apps were created by Build Agent, what data they access, and how they comply with organizational policies. AI Control Tower
    ServiceNow Vault Discovers and protects sensitive data across workflows, so AI-generated apps handle confidential information appropriately. ServiceNow Vault
    ReleaseOps Toolkit Update set automation and metadata pipelines. ReleaseOps
    Automated Test Framework Automated testing for ServiceNow apps. Automated Test Framework (ATF)
    Developer Sandboxes Develop in a secure, isolated Developer Sandboxes environment. Developer Sandboxes
    Knowledge Base articles Data handling and AI usage guidelines. Knowledge Management

    Governance general guidelines

    When using agentic development, prompts should not only describe functionality but also embed governance requirements. This helps generated apps comply with security, compliance, and quality standards.

    See Example prompts for vibe coding and AI-assisted development for example prompts for governance.