Implement access control in Now Assist AI agents

  • Release version: Zurich
  • Updated September 11, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Implement access control in Now Assist AI agents

    This guidance explains how to implement security controls for Now Assist AI agents and agentic workflows on the ServiceNow AI Platform using access control lists (ACLs), user identities, and role masking. These controls ensure that only authorized users can invoke AI agents and workflows, and that agents operate with appropriate permissions during execution.

    Show full answer Show less

    Access Control Components

    • Access Control Lists (ACLs): ACLs specify which user roles are required to invoke specific agentic workflows, AI agents, or certain AI tools. Each component requires individual ACL configuration to control invocation permissions. Note that ACLs only govern who can start an agent or workflow, not the permissions the agent or workflow has during execution.
    • User Identity (Run as): Defines the user context under which an AI agent or workflow runs, determining data access and actions based on assigned roles. Two configurations exist:
      • Dynamic User: Runs the agent or workflow as the invoking user, dynamically inheriting that user’s roles. This is the default setting and suits most scenarios.
      • AI User: Runs the agent or workflow as a dedicated service user with fixed roles, useful for elevated privileges or actions that the invoking user may not have. AI users must be created in the User [sysuser] table with the AI user identity type.
    • Role Masking: Applies only when running as a dynamic user to restrict the roles available to the agent during execution, adding an extra layer of permission control.

    Execution Flow and Security

    During execution, ACLs are checked against the invoking user’s identity before applying the component’s run as user identity. For downstream components, ACLs are checked against the run as identity of the preceding component, ensuring consistent, hierarchical security enforcement. Tools like Now Assist Skills always run as dynamic users. Automated triggers invoke agents without a conversational user context but still apply role masking within a system session.

    Supervised Execution Mode

    To enhance security for AI agents performing sensitive or critical actions, tools can be configured to require human approval before execution by enabling supervised mode. This mode is set during tool creation in the AI agent guided setup, for example, when adding a catalog item tool configured to run in supervised mode.

    Practical Benefits for ServiceNow Customers

    • Control which users can invoke AI agents and workflows securely using ACLs.
    • Define precise execution permissions by choosing appropriate user identities—dynamic or AI users—based on your security needs.
    • Leverage role masking to limit permissions when running as dynamic users.
    • Use supervised mode to add human oversight for sensitive agent actions, reducing risk.
    • Ensure a secure, flexible, and auditable AI agent environment aligned with enterprise access policies.

    Implement security controls for AI agents and agentic workflows through access control lists (ACLs), user identities, and role masking to implement the access control-based security measures in the agentic system.

    Security for AI agents overview

    Access controls for agentic AI on the ServiceNow AI Platform comprises the major aspects: determining which users can access agentic AI resources, and what access each of those resources has once invoked. These aspects are controlled through three main components: access control lists (ACLs), user identities and role masking. The interaction between these components at the agentic workflow, AI agent, and tool levels within the AI Agent Studio influences their overall security and functionality.

    Access control lists

    The access control lists (ACLs) in Now Assist AI agents determine which role(s) a user must have to be allowed to invoke an agentic workflow or an AI agent. ACLs must be configured individually for each agentic workflow, AI agent, and certain AI agent tools.

    The ACLs added to an AI agent and agentic workflow are available in the respective related lists for reference.

    Important:
    ACLs configured in AI Agent Studio only determine the roles required for users to invoke an agentic workflow or an AI agent. They don't determine the access that the agentic workflow or an AI agent has once it’s invoked.

    User identity

    The user identity determines which user the AI agent or an agentic workflow operates as during execution, and therefore the data it can access and the actions it can take, depending on the roles assigned to the user identity.

    After configuring the access control lists (ACLs), you must configure the User identity (also called as Run as) which the AI agent or agentic workflow will run as during execution.
    Note:
    Each agentic workflow and AI agent has its own user identity configuration.
    There are two possible user configurations to select from:
    • Dynamic user: The user identity of the person or resource (automated trigger/agentic workflow/parent agent) invokes the execution of an AI agent or an agentic workflow. The roles assigned to the agentic workflow or AI agent will change dynamically depending on the identity of the invoking user.
      Note:
      Dynamic user is the default user identity, and you can use the dynamic user unless there's a specific need that justifies an AI user.
    • AI user: A dedicated user identity that the AI agent or an agentic workflow runs as during execution, which has assigned roles that remain consistent regardless of who or how the execution is invoked. For example, an AI agent or an agentic workflow may need to be run with elevated privileges that the dynamic user might not have. If configured as a dynamic user, the execution would fail. However, if the AI agent or agentic workflow is configured to run as an AI user that has the elevated roles assigned to it, the execution will succeed even when invoked by a user with lower privileges.

    If you don't have a suitable AI user but want to use the AI user identity, you must create a record on the User [sys_user] table. See Create a user and select AI user as the identity type.

    Note:
    • Role masking limits which roles an AI agent can use during execution. It only applies when the agent runs as a dynamic user — not when it runs as an AI user. The key difference: AI users determine the identity the agent runs as and role masking narrows the roles available to an agent that run as a dynamic user.
    • For each component’s execution, the ACL is checked against the invoking user identity, and if passed, the component’s run as user identity is applied. Any downstream components’ ACLs are checked in comparison to the run as user identity of component directly before it in the agentic hierarchy, and their run as user identities are passed down to the next downstream component’s ACLs.
      Note:
      • Now Assist Skills and other tools of AI agents always run as Dynamic Users.
      • This flow applies to user-invoked agents. Agents with automated triggers operate without a conversational user; role masking still applies, but the invoking context is a system session rather than an individual user.

    Supervised execution mode for AI agents

    Configuring AI agents' tools to run in supervised mode is another way to minimize the potential negative impact of an AI agent that is not executing as expected. This will require human approval for the tool's actions before it executes. You can use the Supervised mode to enhance security for agents with the capability to perform sensitive or critical actions.

    You can set the supervised execution mode when creating a tool in the AI agent guided setup. For example, choose Supervised as the Execution mode when adding a catalog item tool. For reference, see Add a catalog item to an AI agent.