Governance for agentic development

  • Release version: Zurich
  • Updated June 5, 2026
  • 5 minutes to read

    Agentic development on the ServiceNow AI Platform accelerates application development by using AI to generate code and configurations from natural language prompts. However, speed must not compromise security, compliance, and maintainability.

    Governance addresses the following:

    • Risk and compliance: AI-generated apps meet enterprise security standards and regulatory requirements.
    • Quality assurance: Automated code is validated through testing and review.
    • Visibility and control: Prevents shadow IT and enforces lifecycle transparency.

    ServiceNow embeds security and governance directly into the agentic development workflow, so AI-generated applications meet enterprise standards by default. Build Agent automatically generates Access Control Lists (ACLs) that enforce role-based access, validates scripts for security vulnerabilities, and applies code optimization during generation. Every app that's vibe coded and developed with AI on the ServiceNow AI Platform includes audit trails, security controls, and compliance checks without requiring explicit prompts for these features.

    Note:
    Build Agent requires the admin role.

    Governance in an agentic development workflow

    AI-generated code and configurations can be produced faster than traditional development cycles, which compresses the window for review. When you describe an outcome and the AI generates the implementation, the resulting code, scripts, business rules, and access control configurations may not be immediately visible to the developer who prompted them. Governance practices fill that gap by making the outputs of agentic development auditable, testable, and aligned with organizational policy before apps reach production.

    Apps built through agentic development on the ServiceNow AI Platform are scoped applications and inherit the same platform controls as any other scoped app, including ACLs, update sets, and application scope boundaries. This means governance is not an additional layer applied after the fact, but part of the development environment from the start. The tools listed in this topic connect those controls to a review and approval workflow.

    Human review responsibilities

    Automated checks in the agentic development workflow, including ATF tests, security scans, and compliance validation, catch many issues before deployment. However, some decisions require human judgment that automated tools cannot replace.

    Review AI-generated output directly before deployment when any of the following is true:

    • The app accesses sensitive tables, personally identifiable information, or regulated data.
    • The app includes scripts, business rules, or integrations with external systems.
    • The app creates or modifies roles, ACLs, or cross-scope privilege records.
    • The generated output has not been tested against your organization's specific data or configuration.

    For apps generated by Build Agent, check the session summary and any generated documentation to understand what was built before promoting the app from a sandbox to a higher environment. Use AEMC to require approvals at key lifecycle stages.

    Governing apps built with AI Control Tower

    Apps and agents generated through agentic development are registered as AI assets in AI Control Tower, where AI stewards can track lifecycle progression, review security posture, and assess compliance from a single workspace. Registration happens as part of the development process, so governance visibility is established before an app reaches production.

    From the AI asset record in AI Control Tower, stewards can see governance health, evaluation scores, and risk classification for each generated app or agent. Security considerations specific to AI-generated assets are surfaced automatically, including agents with elevated permissions, agents that experience access-related errors, and agents that have been inactive for more than 90 days but still retain active permissions.

    If your organization uses AI Risk and Compliance, apps built through agentic development can be evaluated against regulatory frameworks such as the NIST AI Risk Management Framework and the EU Artificial Intelligence Act. Risk classification and compliance posture are available on the Risk and Compliance tab of each AI asset record.

    For more information, see AI Control Tower.

    Core governance principles

    1. Approval and oversight:
      • Use App Engine Management Center (AEMC) to approve app ideas and manage collaborators.
      • Require governance checkpoints before moving from sandbox in Developer Sandboxes to production.
    2. Controlled release management with ReleaseOps implementation practices:
      • Update sets and update set automation for version control.
      • Metadata-as-code pipelines for automated deployments.
    3. Secure development practices:
      • Enforce ACLs and role-based access for generated apps; Build Agent can generate these automatically.
      • Validate AI-generated scripts for security vulnerabilities.
      • Apply code optimization and review before publishing.
      • Create Cross-Scope Privileges to control which tables, scripts, and resources one scoped application can access from another. Use Cross-Scope Privileges to diagnose and resolve "operation not allowed" errors between scoped apps.
      • While creating agents and skills, Build Agent asks which users and roles it should operate as, as well as which users are allowed to access the agents or skills.
    4. Support for testing and validation:
      • Use Automated Test Framework (ATF) for functional and regression testing.
        Note:
        If you're using Build Agent, it automatically updates failing metadata to resolve ATF test failures, without you needing to manually run ATF tests.
      • Include peer review for critical workflows and integrations.
    5. Isolation of work with Developer Sandboxes:
      • Experiment and develop in Developer Sandboxes to avoid impacting production.
      • Align with Git-style branching for concurrent development.
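    The secure development practices above combine two controls: a scope boundary that is closed by default and opened only by an explicit Cross-Scope Privilege, and a role-based ACL that still has to pass once the boundary is crossed. The following is an added illustration of that decision order, written here for this page; it is not ServiceNow platform code, and the record shapes, table names (x_acme_hr_case, x_acme_portal_request), scope names and role names are constructed for the example. The approvedCrossScopeGrants helper shows the kind of list a human reviewer would check before promoting an app, since cross-scope privilege records are one of the review triggers named earlier in this topic.

```javascript
// Simplified model of how a scoped app's access request is decided:
// first the scope boundary (cross-scope privilege), then the role-based ACL.
// Added illustration, not ServiceNow platform code; every record, table,
// scope and role name below is constructed for the example.

// Constructed mapping of tables to the application scope that owns them.
const TABLE_SCOPE = {
  x_acme_hr_case: "x_acme_hr",
  x_acme_portal_request: "x_acme_portal",
};

// Constructed ACL records: which roles may perform an operation on a table.
const ACLS = [
  { table: "x_acme_hr_case", operation: "read", roles: ["x_acme_hr.user", "x_acme_hr.admin"] },
  { table: "x_acme_hr_case", operation: "write", roles: ["x_acme_hr.admin"] },
  { table: "x_acme_portal_request", operation: "read", roles: ["x_acme_portal.user"] },
];

// Constructed cross-scope privilege records. A request from one scope to a
// table in another scope is denied unless a record with status "allowed"
// matches the source scope, the target and the operation (default deny).
const CROSS_SCOPE_PRIVILEGES = [
  { source_scope: "x_acme_portal", target: "x_acme_hr_case", operation: "read", status: "allowed" },
  { source_scope: "x_acme_portal", target: "x_acme_hr_case", operation: "write", status: "denied" },
];

// Decide one request. req = { callerScope, roles, table, operation }.
// Returns { allowed, reason } so a reviewer can see why a request failed.
function checkAccess(req) {
  const targetScope = TABLE_SCOPE[req.table];
  if (targetScope === undefined) {
    return { allowed: false, reason: `unknown table ${req.table}` };
  }

  // 1. Scope boundary: crossing into another scope needs an explicit grant.
  if (req.callerScope !== targetScope) {
    const grant = CROSS_SCOPE_PRIVILEGES.find(
      (p) => p.source_scope === req.callerScope &&
             p.target === req.table &&
             p.operation === req.operation &&
             p.status === "allowed",
    );
    if (!grant) {
      return {
        allowed: false,
        reason: `operation ${req.operation} on ${req.table} not allowed from scope ${req.callerScope}: no approved cross-scope privilege`,
      };
    }
  }

  // 2. Role-based ACL: the caller still needs a role the ACL lists.
  const acl = ACLS.find((a) => a.table === req.table && a.operation === req.operation);
  if (!acl) {
    return { allowed: false, reason: `no ACL grants ${req.operation} on ${req.table}` };
  }
  if (!acl.roles.some((r) => req.roles.includes(r))) {
    return { allowed: false, reason: `caller lacks a role required by the ${req.operation} ACL on ${req.table}` };
  }
  return { allowed: true, reason: "scope boundary and ACL satisfied" };
}

// Governance helper: list every approved cross-scope grant so a reviewer can
// confirm each one is intended before the app is promoted.
function approvedCrossScopeGrants() {
  return CROSS_SCOPE_PRIVILEGES.filter((p) => p.status === "allowed")
    .map((p) => `${p.source_scope} -> ${p.operation} ${p.target}`);
}

// Demo when run directly: node this_file.js
const demo = [
  { callerScope: "x_acme_hr", roles: ["x_acme_hr.user"], table: "x_acme_hr_case", operation: "read" },
  { callerScope: "x_acme_portal", roles: ["x_acme_hr.user"], table: "x_acme_hr_case", operation: "read" },
  { callerScope: "x_acme_portal", roles: ["x_acme_hr.admin"], table: "x_acme_hr_case", operation: "write" },
  { callerScope: "x_acme_portal", roles: ["x_acme_portal.user"], table: "x_acme_hr_case", operation: "read" },
];
for (const req of demo) {
  const result = checkAccess(req);
  console.log(`${req.callerScope} ${req.operation} ${req.table}: ${result.allowed ? "ALLOW" : "DENY"} (${result.reason})`);
}
console.log("Cross-scope grants to review:", approvedCrossScopeGrants());
```

    The order matters: a caller with an admin role is still denied the cross-scope write because no approved privilege exists, and a caller with an approved cross-scope read is still denied when it lacks a role the ACL names. Both denials carry a reason, which is what makes an access failure diagnosable rather than a bare "operation not allowed".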

    Governance checklist for apps built with AI assistance

    1. App idea approved in AEMC.
    2. ACLs and security roles applied.
    3. Code reviewed and optimized.
    4. ATF tests executed and passed.
    5. Release pipeline validated.
    6. Documentation generated (such as summaries and flow explainers).
    7. Compliance and audit logs updated.

    Governance tools and resources

    Table 1. Tools and resources for governance

    • App Engine Management Center: Governance hub for approvals and monitoring. More information: App Engine Management Center.
    • AI Control Tower: Monitors AI agent behavior, enforces guardrails, tracks AI-generated code changes, and provides dashboards showing which apps were created by Build Agent, what data they access, and how they comply with organizational policies. More information: AI Control Tower.
    • ServiceNow Vault: Discovers and protects sensitive data across workflows, so AI-generated apps handle confidential information appropriately. More information: ServiceNow Vault.
    • ReleaseOps Toolkit: Update set automation and metadata pipelines. More information: ReleaseOps.
    • Automated Test Framework: Automated testing for ServiceNow apps. More information: Automated Test Framework (ATF).
    • Developer Sandboxes: Secure, isolated environments for development and testing. More information: Developer Sandboxes.
    • Knowledge Base articles: Data handling and AI usage guidelines. More information: Knowledge Management.

    Governance general guidelines

    When using agentic development, prompts should not only describe functionality but also embed governance requirements. This helps generated apps comply with security, compliance, and quality standards.

    See Example prompts for vibe coding and AI-assisted development for prompts that embed governance requirements.