Approval recommendations using generative AI

  • Release version: Zurich
  • Updated May 26, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Approval recommendations using generative AI

    The Approval Recommendation generative AI skill in ServiceNow’s Vulnerability Response helps approvers handle exception and false positive requests more efficiently. It provides recommendations to approve or reject deferral or false positive requests for vulnerability findings, enabling faster and more consistent decisions while reducing manual analysis effort. This is particularly useful when remediation cannot be applied immediately, such as waiting for a patch or when a scanner flags a non-issue.

    Show full answer Show less

    Key Features

    • AI-driven recommendations: Provides approval or rejection suggestions, confidence scores, and supporting reasoning.
    • Data sources: Utilizes historical approval data, questionnaire responses (if enabled), prior approver comments, and general request details like risk rating, remediation status, and justification notes.
    • Comprehensive asset and vulnerability context: Considers detailed asset information (hosts, containers, applications) and vulnerability metrics such as severity, CVSS scores, exploit status, and vulnerability counts.
    • Integration with approval records: Recommendations are displayed directly on Change Approval (CA) records within the Security Exposure Management Workspace.

    Practical Benefits for ServiceNow Customers

    • Improved efficiency: Automates evaluation of exception and false positive approvals, reducing the time and effort spent by security teams.
    • Consistent decision-making: Leverages historical data and contextual inputs to standardize approval outcomes across multiple levels of review.
    • Enhanced security posture: Ensures that deferrals and false positives are carefully vetted with AI support, helping maintain accurate vulnerability management.
    • Configurable inputs: Supports optional questionnaire data and multiple approval levels, making it adaptable to your organization's processes.

    How to Use

    To enable AI-driven approval recommendations, activate the generative AI skill in your Security Exposure Management Workspace. The skill will analyze relevant data and present its recommendations on exception and false positive approval requests, streamlining your vulnerability response workflows.

    Learn more about the how the Approval Recommendation generative AI skill arrives at its approval recommendations and the sources it uses to generate them.

    Overview for the Approval Recommendation skill

    The Approval Recommendation generative AI skill provides exception and false positive approvers in Vulnerability Response with recommendations to help them make faster, more consistent decisions while reducing manual analysis effort.

    A finding (vulnerable item) is a vulnerability detected on an asset. Some findings don't require immediate remediation, for example, false positives or cases where a fix isn't yet available. From these types of findings and remediation tasks, users submit exception requests and ask for approval to defer remediation or indicate that a finding is a false positive. Users can request to defer the remediation of a finding or remediation task for a specified period.

    For example, an analyst might request a deferral for a finding that will be fixed with an upcoming patch that isn't currently available. A false positive might be a warning given by a scanner that is not actually an issue, for example, if a configuration item has been decommissioned but the scanner is still raising there is issue related to it.

    In some cases, the approval requests for these exceptions and false positives require multiple levels or review and approval and can be quite time consuming. The Approval Recommendation AI skill can help locate historical, asset, and vulnerability details for exception and false positive requests and provide approvers with the following information:
    • A recommendation to approve or reject the request.
    • A confidence score.
    • Supporting reasoning.

    Sources and input parameters used for the recommendations

    The Approval Recommendation generative AI skill considers information from following tables, data sources, and information to arrive at its approval recommendations.
    • See the following table for asset (configuration item) and vulnerability details.
    • Historical Approval data - Count totals for how many times similar request types for false positives and deferrals from a finding type (VIT, CVIT, AVIT, CTR) have been approved or rejected on records on the Change Approval [sn_sec_exception_change_approval] table.
    • Questionnaire responses (optional configuration) - If questionnaires are activated and available for exception requests, the questions and the remediation owner's answers are considered from records on the [sn_smart_asmt_question_instance] table. If questionnaires are not activated, this data is not considered.
    • Comments (justifications) from previous approvals - If multiple approval levels are configured, comments provided by approvers at earlier levels on records on the Change Approval [sn_sec_exception_change_approval] table are considered when generating a recommendation at the next level.
    • General request details - The following fields on records on the Change Approval [sn_sec_exception_change_approval] table are considered:
      • Risk rating
      • Until date (how long the exception is being requested for)
      • Remediation status (in-flight, no target)
      • Assignment group
      • Reason / justification notes (why a request is submitted)
      • Work notes
      • Request type
      • Compensating control (if available)

    Asset and Vulnerability details

    Table 1. Asset (configuration item) details
    Application Source table Description
    Vulnerability Response (Host) Configuration item (CI) [cmdb_ci] table records for Host assets Total number of assets, business criticality, environment, internet-facing, and external-facing status.
    Container Vulnerability Response (CVR) Discovered Item (Container) [sn_vul_container_image] table records for Container assets Total number of assets, business criticality, environment, internet-facing, and external-facing status status.
    Application Vulnerability Response (AVR) Discovered Item (Application) [sn_vul_app_release] records for Application Vulnerability Response Total number of applications, business criticality, active/inactive status.
    Configuration Compliance CC Test Results [sn_vulc_result] table for Configuration Compliance Total number of assets, business criticality, environment, internet-facing, and external-facing status status.
    Table 2. Vulnerability details
    Application Vulnerability details
    Vulnerability Response (Host VR) Total counts of vulnerabilities, normalized severity, CVSS scores, CISA exists, active exploit, preferred solution, EPSS percentile.
    Container Vulnerability Response (CVR) Total counts of container vulnerabilities, normalized severity, CVSS scores, CISA exists, active exploit, preferred solution, EPSS percentile.
    Application Vulnerability Response (AVR) Total counts of application vulnerabilities, normalized severity, CVSS scores, active exploit, preferred solution, EPSS percentile, and if threat exists.
    Configuration Compliance (CC) Test result data is used instead of vulnerability data. Total counts of tests, test source category, test subcategory, criticality, and technology.

    The Approval Recommendation generative AI skill provides its suggestions and is visible on approval request records (CA)s. For more information about how to invoke the agent and get the recommendations, see Generate approval recommendations with generative AI.