Build Agent governance

  • Release version: Australia
  • Updated April 1, 2026

    Governance controls in Build Agent help with code quality, security, and compliance when generating applications. The Build Agent automated safeguards prevent common development issues and enforce organizational standards.

    Every app and AI agent generated with Build Agent inherits the governance of AI Control Tower and App Engine Management Center, plus the same identity framework as the rest of the ServiceNow AI Platform®. Use the governance tools to monitor agents, manage app lifecycle, and enforce policy.

    Governance addresses the following:
    • Risk and compliance: AI-generated apps meet enterprise security standards and regulatory requirements.
    • Quality assurance: Automated code is validated through testing and review.
    • Visibility and control: Prevents shadow IT and enforces lifecycle transparency.

    Build Agent automatically generates Access Control Lists (ACLs) that enforce role-based access, validates scripts for security vulnerabilities, and applies code optimization during generation. Every app that's vibe coded and developed with AI on the ServiceNow AI Platform includes audit trails, security controls, and compliance checks without requiring explicit prompts for these features.

    Build Agent supports the full set of native ServiceNow security controls, not only ACLs and roles. For example, Build Agent can create Security Attributes for attribute-based access control and Security Data Filters for row-level data restriction.
    • Security Attributes control access based on properties assigned to users and resources, instead of role membership alone. For more information on Security Attributes, see Security Attributes.
    • Security Data Filters restrict which rows a user can see on a table, for example, so that managers see only their team's records.
    All four security metadata types can be combined in a single application for layered access control.

    Build Agent enforces governance in ways that include the following:
    • Enforces ACLs and role-based access for generated apps.
    • Validates AI-generated scripts for security vulnerabilities.
    • Applies code optimization and review before publishing.
    • Creates Cross-Scope Privileges to control which tables, scripts, and resources one scoped application can access from another. Use Cross-Scope Privileges to diagnose and resolve "operation not allowed" errors between scoped apps.
    • Asks, while creating agents and skills, which users and roles it should operate as, as well as which users are allowed to access the agents or skills.
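
The layered access control described above, sketched as an added example (not ServiceNow or Build Agent code): an ACL that names a role, a security attribute condition, and a row-level data filter are evaluated in order, and the first failing layer is reported. The users, role name, attribute, and rows are constructed and hypothetical.

```javascript
// Conceptual model only: plain objects, not ServiceNow records or APIs.
// Constructed sample data; every name below is hypothetical.
const users = {
  alice: { roles: ['x_demo.manager'], attrs: { employment: 'employee' }, team: 'net' },
  bob: { roles: ['x_demo.manager'], attrs: { employment: 'contractor' }, team: 'db' },
  carol: { roles: [], attrs: { employment: 'employee' }, team: 'net' },
};

const policy = {
  requiredRole: 'x_demo.manager',                   // role the ACL names (RBAC layer)
  requiredAttrs: { employment: 'employee' },        // security attribute condition (ABAC layer)
  rowFilter: (user, row) => row.team === user.team, // data filter (row-level layer)
};

const rows = [
  { id: 1, team: 'net' },
  { id: 2, team: 'db' },
  { id: 3, team: 'net' },
];

// Every layer must pass; the first failing layer is reported so a reviewer
// can see which control produced the denial.
function readableRows(userName) {
  const known = Object.prototype.hasOwnProperty.call(users, userName);
  if (!known) return { allowed: false, reason: 'unknown user', ids: [] };
  const user = users[userName];
  if (!user.roles.includes(policy.requiredRole)) {
    return { allowed: false, reason: 'missing role', ids: [] };
  }
  const attrsOk = Object.entries(policy.requiredAttrs)
    .every(([key, value]) => user.attrs[key] === value);
  if (!attrsOk) return { allowed: false, reason: 'attribute mismatch', ids: [] };
  // Table access is granted, but the data filter still narrows the rows.
  const ids = rows.filter((row) => policy.rowFilter(user, row)).map((row) => row.id);
  return { allowed: true, reason: 'ok', ids };
}

console.log(['alice', 'bob', 'carol'].map((name) => [name, readableRows(name)]));
```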

    AI Control Tower

    Agents generated by Build Agent are registered as AI assets in AI Control Tower, where AI stewards can track lifecycle progression, monitor security posture, and assess compliance. From the AI asset record, stewards can review governance health, evaluation scores, and risk classification for each agent without leaving the workspace.

    AI Control Tower identifies specific security considerations for generated agents, including agents with elevated permissions, agents that experience access-related errors, and agents that have been inactive for more than 90 days but still retain active permissions. The access map visualizes relationships between agents, agentic workflows, and the tools they use, which helps stewards assess dependencies and potential impact before making changes.
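
The three security considerations listed above, written as an added review pass over an agent inventory (an illustration, not AI Control Tower's own logic). The inventory, its field names, and the set of roles treated as elevated are assumptions of this example; the 90-day threshold is the one stated on this page.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;
const INACTIVE_DAYS = 90; // threshold stated on the page
// Assumption of this example: which roles count as "elevated".
const ELEVATED_ROLES = new Set(['admin', 'security_admin']);

// Constructed inventory; the field names are hypothetical, not a platform schema.
const agents = [
  { name: 'triage-agent', roles: ['itil'], lastRun: '2026-03-20', accessErrors: 0, permissionsActive: true },
  { name: 'cleanup-agent', roles: ['admin'], lastRun: '2026-03-30', accessErrors: 0, permissionsActive: true },
  { name: 'report-agent', roles: ['itil'], lastRun: '2025-12-01', accessErrors: 3, permissionsActive: true },
  { name: 'edge-agent', roles: ['itil'], lastRun: '2026-01-01', accessErrors: 0, permissionsActive: true },
  { name: 'retired-agent', roles: [], lastRun: '2025-11-01', accessErrors: 0, permissionsActive: false },
  { name: 'unused-agent', roles: ['itil'], lastRun: null, accessErrors: 0, permissionsActive: true },
];

function reviewAgents(inventory, nowMs) {
  const findings = [];
  for (const agent of inventory) {
    const flags = [];
    if (agent.roles.some((role) => ELEVATED_ROLES.has(role))) flags.push('elevated-permissions');
    if (agent.accessErrors > 0) flags.push('access-errors');
    // An agent that has never run is treated as idle indefinitely (assumption).
    const idleDays = agent.lastRun === null
      ? Infinity
      : Math.floor((nowMs - Date.parse(agent.lastRun)) / DAY_MS);
    // "More than 90 days": exactly 90 idle days is not yet flagged.
    if (idleDays > INACTIVE_DAYS && agent.permissionsActive) flags.push('inactive-with-permissions');
    if (flags.length > 0) findings.push({ name: agent.name, idleDays, flags });
  }
  return findings;
}

console.log(reviewAgents(agents, Date.parse('2026-04-01')));
```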

    If your organization uses AI Risk and Compliance, generated agents can be evaluated against organizational policies and regulatory frameworks such as the NIST AI Risk Management Framework and the EU Artificial Intelligence Act. Risk classification and compliance posture are surfaced on the Risk and Compliance tab of each AI asset record.

    For more information, see AI Control Tower.

    For more information on governance, vibe coding and other ServiceNow development tools, see Governance for agentic development.

    Cross-scope privileges

    Build Agent can create Cross-Scope Privilege records to control which tables, scripts, and resources one scoped application can access from another. If a scoped app needs to read a table or call a script include from a different scope, Build Agent generates the appropriate privilege records. Cross-Scope Privileges are also useful for diagnosing and resolving "operation not allowed" errors between scoped apps.
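
An added example (not platform code) of the diagnosis this section describes: given a set of privilege records and a blocked cross-scope call, it reports whether the record is missing or present but not allowed. The scope names, record fields, status values, and the default-deny rule are a simplified model assumed for this example.

```javascript
// Constructed records. Field names and status values are this example's
// simplified model of a Cross-Scope Privilege record, not a platform schema.
const privileges = [
  { source: 'x_demo_hr', target: 'x_demo_fin', name: 'x_demo_fin_invoice', type: 'table', operation: 'read', status: 'allowed' },
  { source: 'x_demo_hr', target: 'x_demo_fin', name: 'x_demo_fin_invoice', type: 'table', operation: 'write', status: 'denied' },
  { source: 'x_demo_hr', target: 'x_demo_fin', name: 'InvoiceUtil', type: 'script_include', operation: 'execute', status: 'requested' },
];

const KEYS = ['source', 'target', 'name', 'type', 'operation'];

// Default deny (assumption): cross-scope access needs a matching record whose
// status is "allowed"; any non-allowed match blocks the call.
function diagnose(attempt, records) {
  if (attempt.source === attempt.target) {
    return { allowed: true, reason: 'same scope: no privilege record involved' };
  }
  const matches = records.filter((rec) => KEYS.every((key) => rec[key] === attempt[key]));
  if (matches.length === 0) {
    return { allowed: false, reason: 'no privilege record for this source, target and operation' };
  }
  const blocking = matches.find((rec) => rec.status !== 'allowed');
  if (blocking) {
    return { allowed: false, reason: `privilege record exists with status "${blocking.status}"` };
  }
  return { allowed: true, reason: 'allowed by privilege record' };
}

// Helper for the constructed scenario: calls from x_demo_hr into x_demo_fin.
const fromHr = (name, type, operation) =>
  ({ source: 'x_demo_hr', target: 'x_demo_fin', name, type, operation });

console.log(diagnose(fromHr('x_demo_fin_invoice', 'table', 'delete'), privileges));
```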