Agents Aren’t People: What the ServiceNow Vulnerability Reveals About Agentic AI Access Control

Enterprise security teams are beginning to encounter a category of access failure that feels unfamiliar only because its consequences arrive faster than expected. 

Systems that once required multiple steps, approvals, or manual intervention are now able to act continuously, across tools, and with little friction. In that environment, long-tolerated identity shortcuts, such as shared credentials or over-privileged tokens, become immediately problematic once execution begins.

That risk was underscored by the recent disclosure of a critical impersonation vulnerability in ServiceNow, the cloud-based workflow automation platform widely deployed by enterprises. Since patched, the flaw could have allowed an unauthenticated attacker to impersonate arbitrary users, including administrators. The issue originated in ServiceNow’s Virtual Agent integration, which exposes an API for third-party chat and automation tools. A platform-wide credential trusted by that API, combined with email-based account linking, bypassed standard authentication controls.

ServiceNow relied on a chain of assumptions that were already unsound: A shared credential was trusted across integrations. User identity could be asserted with little more than an email address. Once those assumptions were combined with agentic workflows capable of creating records and provisioning access, impersonation turned into persistence.

This outcome should not surprise anyone responsible for securing non-human access. Agentic systems remove much of the separation between authorization and execution. What made this vulnerability consequential was the absence of meaningful limits on who an agent could act as, what it was allowed to do, and how quickly that authority could be withdrawn once something went wrong.

What Enterprises Should Require Before Allowing Agentic Access

The ServiceNow incident fits a pattern already visible across SaaS platforms and internal tooling. Software actors inherit access patterns designed for people, and those patterns were never built to withstand continuous execution, delegation, or chaining across systems.

Enterprises deploying agentic workflows should insist on a small number of structural controls before granting access to sensitive resources.

• First, agents must have distinct identities that exist independently of the humans who invoke them. When agent activity is recorded under user credentials, attribution collapses and accountability becomes speculative. Where human context is relevant, it should be bound explicitly and narrowly to the agent’s execution context rather than assumed implicitly.
• Second, authorization must be enforced at runtime, not embedded in credentials handed to the agent. Agents should not receive long-lived keys, reusable tokens, or broad permissions that persist beyond the immediate task. Access should be evaluated at the moment of use and materialized as a short-lived credential that expires quickly and cannot be reused elsewhere.
• Third, enterprises need a reliable way to interrupt agent (mis)behavior. Revoking access by rotating credentials or disabling accounts is too slow once an agent is operating autonomously. Security teams need policy-driven controls that allow them to halt access immediately without dismantling infrastructure.
• Finally, audit records must reflect what actually happened. Each action should be traceable to a specific agent identity, the context under which it operated, and the resource it accessed. Without that clarity, incident response becomes guesswork and compliance reporting becomes defensive paperwork rather than evidence.

Agentic AI will continue to spread because it delivers real operational leverage. The question enterprises must answer is whether their identity architecture is designed with appropriate guardrails to handle software that acts continuously, independently, and at scale.

The ServiceNow vulnerability suggests that, in many environments, that answer remains uncomfortable and uncertain.

Platforms such as Aembit Workload IAM help apply the above principles by treating agents as non-human workloads, enforcing access through centralized policy, issuing ephemeral credentials at runtime, and preserving attribution across systems.

For more information or to talk to an engineer, visit aembit.io.