Governance for agentic development

  • Release version: Australia
  • Updated June 5, 2026
  • 2 minutes to read

    Agentic development on the ServiceNow AI Platform accelerates application development by using AI to generate code and configurations from natural language prompts. However, speed must not compromise security, compliance, and maintainability.

    Governance addresses the following:

    • Risk and compliance: AI-generated apps meet enterprise security standards and regulatory requirements.
    • Quality assurance: Automated code is validated through testing and review.
    • Visibility and control: Prevent shadow IT and enforce lifecycle transparency.

    ServiceNow embeds security and governance directly into the agentic development workflow, so AI-generated applications meet enterprise standards by default. Build Agent automatically generates Access Control Lists (ACLs) that enforce role-based access, validates scripts for security vulnerabilities, and applies code optimization during generation. Every app that's vibe coded and developed with AI on the ServiceNow AI Platform includes audit trails, security controls, and compliance checks without requiring explicit prompts for these features.

    Note: Build Agent requires the admin role.

    Core governance principles

    1. Approval and oversight:
      • Use App Engine Management Center (AEMC) to approve app ideas and manage collaborators.
      • Require governance checkpoints before moving an app from a Developer Sandbox to production.
    2. Controlled release management with ReleaseOps implementation practices:
      • Update sets and update set automation for version control.
      • Metadata-as-code pipelines for automated deployments.
    3. Secure development practices:
      • Enforce ACLs and role-based access for generated apps (Build Agent can generate these for you).
      • Validate AI-generated scripts for security vulnerabilities.
      • Apply code optimization and review before publishing.
      • While creating agents and skills, Build Agent asks which users and roles it should operate as and which users are allowed to access the agents or skills.
    4. Support for testing and validation:
      • Use Automated Test Framework (ATF) for functional and regression testing.
        Note: If you're using Build Agent, it automatically updates failing metadata to resolve ATF test failures, without you having to run ATF tests manually.
      • Include peer review for critical workflows and integrations.
    5. Isolation of work with Developer Sandboxes:
      • Experiment and develop in Developer Sandboxes to avoid impacting production.
      • Align with Git-style branching for concurrent development.

    Governance checklist for apps built with AI assistance

    1. App idea approved in AEMC.
    2. ACLs and security roles applied.
    3. Code reviewed and optimized.
    4. ATF tests executed and passed.
    5. Release pipeline validated.
    6. Documentation generated (such as summaries and flow explainers).
    7. Compliance and audit logs updated.

    Governance tools and resources

    Table 1. Tools and resources for governance (tool, description, where to find more information)

    • App Engine Management Center: Governance hub for approvals and monitoring. More information: App Engine Management Center.
    • AI Control Tower: Monitors AI agent behavior, enforces guardrails, tracks AI-generated code changes, and provides dashboards showing which apps were created by Build Agent, what data they access, and how they comply with organizational policies. More information: AI Control Tower.
    • ServiceNow Vault: Discovers and protects sensitive data across workflows, so AI-generated apps handle confidential information appropriately. More information: ServiceNow Vault.
    • ReleaseOps Toolkit: Update set automation and metadata pipelines. More information: ReleaseOps.
    • Automated Test Framework: Automated testing for ServiceNow apps. More information: Automated Test Framework (ATF).
    • Developer Sandboxes: Develop in a secure, isolated Developer Sandbox environment. More information: Developer Sandboxes.
    • Knowledge Base articles: Data handling and AI usage guidelines. More information: Knowledge Management.

    Governance general guidelines

    When using agentic development, prompts should not only describe functionality but also embed governance requirements. This helps generated apps comply with security, compliance, and quality standards.

    For governance-focused prompt examples, see Example prompts for vibe coding and AI-assisted development.