A month ago, I wrote about why we acquired Veza and about a structural problem that’s haunted enterprise security for years. As the chief information security officers (CISOs) I talk to know all too well, the gap between the cyber risks that most security tools can see and what these tools can do to remediate them is uncomfortably wide.
Today, with the close of the Armis acquisition, ServiceNow has taken another decisive step toward building an architecture for autonomous security, where the through line between cyber risk identification and remediation is continuous and is executed on at machine speed.
When I talk to CISOs, the conversation almost always starts with the same observation: Their technology estates and the prevalent threats they’re constantly subjected to are growing faster than the tools designed to protect them.
The identity problem I described in March has an asset visibility and security corollary that's equally urgent. The following are invisible to most incumbent security tools:
- The operational technology (OT) running manufacturing plants
- The medical devices connected to hospital networks
- The industrial controllers managing critical infrastructure
- The internet of things (IoT) devices across retail, logistics, and energy environments
- The physical AI systems increasingly embedded across the enterprise
These cyber assets don't have agents, don't show up in traditional asset inventories, and can't be patched through conventional IT workflows. And as enterprises accelerate agentic AI deployments, they're becoming entry points for attacks that combine identity exploitation with physical and virtual system access in ways that conventional security architectures were never designed to handle.
That gap between visibility and action is what allows breaches to occur. To close it, ServiceNow built something designed to do what point solutions alone typically can’t: a unified platform that connects real-time cyber asset discovery and identity intelligence to automated remediation workflows. This means security teams can see what's exposed, decide what matters, and act before attackers do.
When we acquired Veza, I described it as establishing the enterprise identity control plane—mapping every permission and access path held by every identity across the enterprise, continuously, in real time.
That strengthens the Decide layer in the Sense-Decide-Act-Secure architecture we've been building, the intelligence that helps determine what matters, what’s exploitable, and what action the platform should take.
Armis strengthens and extends the Sense layer. Its solution provides agentless discovery, protection, risk prioritization, and exposure management of connected cyber assets. It tracks nearly 7 billion devices in real time, including the OT, IoT, medical devices, physical AI, industrial controllers, building management systems, code, and cloud that traditional security tools were never built to reach.
Armis helps discover, protect, and monitor the cyber risk patterns and behaviors of connected cyber assets across the full technology estate.
Both Veza's Access Graph and Armis' Asset Intelligence Engine now connect to ServiceNow's Context Engine, the organizational intelligence layer that grounds AI action in business reality.
Context Engine is what makes this architecturally different from most other solutions available today. It knows which production line depends on a given device, which team owns it, which business processes run through it, and what the financial and operational impacts of downtime would be, as well as the proof behind every decision made. That organizational intelligence is what turns a signal into a governed action.
When Armis discovers a vulnerability on an unmanaged IoT device, that exposure flows into Context Engine with full business context attached. Simultaneously, Veza maps who and what has access to that device and the systems connected to it. ServiceNow then automatically prioritizes the risk based on business impact, triggers the appropriate remediation workflow, routes it to the appropriate team with the correct permissions, and tracks the resolution—all before an incident has a chance to occur.
This is the full loop: Sense. Decide. Act. Secure.
Armis sees it. Veza knows who can reach it. Context Engine tells you why it matters. The ServiceNow AI Platform acts on it automatically, with a full audit trail and policy boundaries at every step. That's security built into how work gets done, not assembled after the fact.
There’s no manual coordination across fragmented tools or alerts sitting in a queue waiting for someone to triage. Intelligent action occurs at machine speed, governed by unified policy, executed through the same workflow infrastructure that 80 billion enterprise workflows already run on every year.
For current Armis Centrix™ customers, the solution now operates with the full support of ServiceNow's product, engineering, and global go-to-market organization. It remains available both as part of the ServiceNow AI Platform and as a standalone solution.
For ServiceNow customers, ServiceNow and Armis plan to deliver integrations in phases. Customers of both companies can immediately begin using their combined capabilities, with broader availability coming soon.
As integration deepens, you’ll see Armis cyber asset intelligence embedded directly into Unified Security Exposure Management, Security Incident Response, Integrated Risk Management, and AI Control Tower. This will help create a continuously updated picture of your entire technology estate, connected to the remediation workflows that can act on it automatically.
Detection is a solved problem. Acting on it with the organizational context that makes action meaningful is not.
Intelligence that isn't grounded in organizational context isn't actionable; it's noise. With enterprise signals informed by identity, cyber assets, and operational context—including Veza, Armis, and the full ServiceNow AI Platform—the breadth and depth of context feeding real-time AI decisions sets this apart. Context Engine makes it possible.
Governance here isn't optional or additive. It's structural. Every action the platform takes is bounded by policy, logged for audit, and traceable to the business decision that authorized it. Governance is embedded at every step of the remediation workflow, not bolted on after the fact. That's what makes this architecturally durable.
In March, I described a world in which identity reviews happen continuously, access paths in your environment are visible, permissions are justified, and deviations from least privilege trigger an immediate, automated response. It’s a world where AI agents have both known and right-sized access, no more and no less.
With Armis now part of ServiceNow, that vision extends to the full technology estate, including every device, every system, and every cyber asset across IT, OT, IoT, physical AI, and the physical infrastructure that enterprises depend on—continuously mapped, governed, and remediated.
This is what autonomous, proactive security looks like:
- Risk remediated before it leads to a breach
- Exposures prioritized by what matters most
- Action taken through automated workflows
- Proof continuously documented as a byproduct of how the platform operates every day
The platform that makes this possible is here.
Find out more about how ServiceNow helps put autonomous security to work.
