What happens when the fastest-growing “workforce” has no employees and yet holds keys to critical systems, sensitive datasets, and production workflows that now run on autopilot as AI agents multiply across the enterprise. In that world, identity becomes the fulcrum of trust, and access turns into the master switch for risk and value. That is the backdrop to reports that ServiceNow is nearing a deal valued at more than $1 billion for identity security startup Veza.
The stakes extend beyond a headline number. The reported acquisition would hand ServiceNow the authorization layer its platform has lacked—scoped access, real-time policy checks, and auditable trails for non-human actors. If confirmed as early as next week, the move would signal a shift from AI as novelty to AI with governed autonomy, where agents do not simply answer questions but take actions within clear, provable boundaries.
Provide essential background to explain why this topic matters
ServiceNow has been on a visible AI arc. After acquiring Moveworks for $2.85 billion, the company sharpened its assistants and enterprise search capabilities and began rolling out thousands of agents across IT, HR, customer service, and security operations. Those agents are now crossing from suggestion engines into task execution, a transition that changes the risk profile overnight.
That transition widens the trust gap. Enterprises need controls over what data an agent can see and which actions it can take, continuously aligned to policy and demonstrable to auditors. Traditional identity tools, built around people, struggle to model the sprawl of tokens, service accounts, API keys, and machine identities now powering automation. Veza targets that gap by focusing on effective permissions—what an identity can actually do—across cloud, SaaS, and internal systems.
There is also a relationship foundation. ServiceNow Ventures invested in Veza in 2023, and the companies reportedly share more than 250 joint customers. That overlap could accelerate integration if a deal closes, shortening the distance from strategic intent to operational reality.
Break the main topic into distinct, informative sections
At the center of Veza’s approach sits the Authorization Graph, a model that maps permissions across heterogeneous systems to show not just assigned roles but the effective privileges of every identity in context. By translating complex entitlements into concrete capabilities, it helps teams answer the hardest question in audits and incidents: who or what can do what, where, and when. Veza says it manages more than 20 billion permissions for customers such as Blackstone, Expedia, and Workday, backed by roughly $235 million raised since 2020 and a team of about 190 employees.
That capability fills a strategic gap for ServiceNow. Pairing workflow automation and generative interfaces with real-time authorization turns chat into policy-aware execution. Agents could discover identities, map access, request just-in-time elevation, and enforce least privilege at runtime—while generating the evidence trails compliance teams demand. It is a progression from clever assistants to accountable operators.
For customers, the practical path would likely be phased. New modules could arrive first, followed by deeper wiring into ITSM, SecOps, HR, and customer workflows. Licensing and packaging would evolve, raising questions about standalone Veza support and parity for third-party integrations with Okta, SailPoint, CyberArk, and cloud IAM. Clear guidance on openness and standards would be essential to avoid friction.
Security and risk operations stand to see early impact. AI-driven incident response depends on scoped, time-bound, and logged access that aligns to policy in the heat of containment. Real-time authorization can minimize privilege escalation and lateral movement while closing cross-system blind spots. When minutes matter, guardrails are not a drag on speed—they are the precondition for safe speed.
The market will not stand still. Platform convergence—workflow, AI agents, and native identity controls—is fast becoming table stakes. Identity vendors face pressure to deepen partnerships or add authorization intelligence of their own, while rivals like Microsoft, Salesforce, and Oracle will likely bind access metadata into agent orchestration to keep pace. The center of gravity is shifting from disconnected tools to integrated platforms.
Include quotes, research findings, or expert opinions to enhance credibility
Talks between ServiceNow and Veza were described as advanced but not final, according to The Information, and the timeline could still move pending closing steps. That caveat matters because the identity layer touches systems across the enterprise; haste without design invites complexity that lingers.
Industry analysts have been blunt about the bottleneck. “Governance is the new performance metric for AI,” said one analyst at a recent conference. “Organizations are not waiting on better models—they are waiting on enforceable guardrails and auditability.” Security leaders echoed a related point: non-human identities now outnumber humans in many environments, yet legacy IAM lacks visibility into machine-to-machine access paths that drive real risk.
Operational signals reinforce the trend. ServiceNow has publicly cited deployments of thousands of agents across customers, while Veza reports its Authorization Graph managing tens of billions of permissions across diverse systems. A composite of practitioner anecdotes shows a clear pattern: mean time to contain correlates with how quickly teams can authorize an agent to isolate assets without overreach, and audit leaders increasingly require end-to-end evidence showing which agent acted, under what policy, and with which effective rights.
Provide clear steps, strategies, or frameworks the reader can apply
A practical playbook starts with inventory. Build a single catalog of non-human identities—service accounts, tokens, API keys, workloads, and agents—spanning cloud, SaaS, and on-prem systems. Next, map effective permissions to reveal what each identity can actually do in specific data domains. From there, encode guardrails as policy: least privilege, time-bound access, segregation of duties, and break-glass paths for emergencies.
Then shift to runtime. Integrate authorization checks directly into workflow execution so agents query policy before every sensitive action. Instrument every decision with identity, policy version, approval context, and action outcome to create audit-grade evidence. Pilot in high-value scenarios—SecOps containment, IT change approvals, HR offboarding—where scoped actions and clear trails reduce risk without stalling the business.
Operating discipline ties it together. Establish a cross-functional identity review board spanning security, platform, data, and risk. Track KPIs such as the percentage of agent actions policy-checked at runtime, the reduction in over-privileged identities, the time to approve scoped access, and audit exception rates. Roll out in waves—read-only discovery, simulated policy, enforced policy, and finally autonomous action with continuous monitoring—so confidence grows with coverage.
Risks and constraints to watch
Even a strategically sound deal must navigate engineering reality. Embedding a high-scale authorization layer into a large platform raises questions about performance, uptime, and policy consistency across regions and products. Missteps could generate latency for agent decisions or create drift between intended policy and observed behavior.
Customer transition risk runs in parallel. Changes to licensing and product packaging can unsettle budgets if not communicated early and clearly. Organizations using Veza outside of ServiceNow will expect assurances on standalone roadmaps and support, while existing ServiceNow customers relying on other identity vendors will want proof of continued parity to avoid lock-in.
Trust across the ecosystem will hinge on openness. Support for authorization metadata APIs and policy-as-code standards, such as OPA/Rego along with SCIM and OAuth/OIDC, will influence whether enterprises view the platform as collaborative or closed. The more transparent the integration choices, the smoother the path from interest to adoption.
Conclusion
The reported deal placed ServiceNow on a path to pair conversational automation with enforceable control, transforming agents from helpful copilots into accountable operators under policy. By bringing Veza’s Authorization Graph and effective permissions model into the platform, the company stood to close the trust gap that kept many AI projects in pilot mode. The practical next steps were clear: communicate a phased roadmap, preserve openness with third-party stacks, and anchor value in early, high-impact use cases. If executed with discipline, the move would have nudged the market toward platforms where governance lived beside intelligence, and where speed and safety finally traveled in step.
