ServiceNow acquires Veza to solve identity governance challenges blocking enterprise AI agents

ServiceNow's Amit Zavery explains why the company is buying identity management platform Veza | Fortune

ServiceNow President Amit Zavery says the company's acquisition of identity management platform Veza should give customers more confidence about deploying AI agents.Leigh Vogel -- Getty Images for Concordia Annual Summit ServiceNow announced earlier this week that it was acquiring Veza, a fast-growing cybersecurity software startup that makes what is known as an "identity and access management" platform for both humans and AI agents. Amit Zavery, who serves as ServiceNow's president, chief product officer, and chief operating officer, told Fortune that the acquisition will help ServiceNow provide something its customers had increasingly been demanding. He said chief information security officers -- which the company already served through products that helped them triage network alerts and deal with cybersecurity incidents -- have been asking for a way to control and track the data that people and AI agents access. "We've been thinking about how we really help our customers solve those complicated problems [around managing AI agents] and strengthen their ability to deliver on AI plans while having security and governance built in," he said. Zavery said Veza will provide a boost to ServiceNow's fast-growing cybersecurity offerings, which are currently generating more than $1 billion in annual sales for the SaaS giant.. The terms of the deal were not disclosed, but Veza, which is based in Los Gatos, Calif., was last valued at $808 million in a funding round in April and news reports suggested that ServiceNow paid more than $1 billion to buy the company. Identity and access management is a system for keeping track of who is accessing digital systems and what data they have permission to access. Such systems have always been an important aspect of cybersecurity. They are a way to limit the kinds of information a hacker who has stolen someone's credentials -- or that a rogue employee -- can access and potentially pilfer or damage. But these systems have taken on heightened importance as more and more companies begin allowing AI agents to perform actions, from simply fetching information to conducting transactions. Identity and access management platforms let information security and audit teams track what AI agents are doing and set rules that limit the potential risks that AI agents can pose. Prior to agreeing to buy Veza, ServiceNow had an integration with its product, but did not offer an access management solution of its own. "We were working with multiple providers, but we found Veza as probably the most advanced, especially in the AI native world," Zavery said. Founded in 2020, Veza says it helps secure millions of enterprise customers, including Blackstone, Wynn Resorts, and Expedia. Zavery said that ServiceNow was particularly impressed with what Veza calls its "Access Graph" technology -- a patented system that maps the relationships and access privileges across human, AI agent, devices, and data pools in real time. "I think the combination of here's what a human can do, what machines can do, as well as what AI agents can do, and bringing it into one platform so that you don't have fragmentation of access privileges" is critical to allowing companies to deploy AI agents without taking on too much security risk, Zavery said. He said that AI agents pose a particular challenge for access control because the same agent might need different network privileges depending on which employee the agent is working for and what task they are supposed to be handling. An AI agent querying an HR database, for instance, might be allowed access to sensitive salary data when working on behalf of a senior manager but only limited access to, say, basic employee benefit data, when working on behalf of a junior employee. And, in both cases, you might want to give the agent permission only to read from the database, while if it were working for someone from the HR department, it might need permission to write to the database as well. Zavery said that Veza's platform allows companies to write these kinds of complex access rules. He said that Veza's capabilities would be integrated into ServiceNow's AI Control Tower product, which is a platform for monitoring and governing AI agents that it launched earlier this year. The company has said it has been among its fastest growing offerings.

From 'AI platform' to 'AI control tower' - ServiceNow's Veza acquisition reveals identity governance as critical bottleneck for enterprise AI

ServiceNow has today announced that it intends to acquire Veza, a leader in identity security - in a move that signals the vendor's ambitions to further control and govern AI deployments in the enterprise. One only has to look at how ServiceNow is describing itself in its press materials for this announcement, compared to other releases this year. It calls itself "the AI control tower for business reinvention," rather than the "AI platform for business transformation" language it has used previously. The shift is subtle but significant - control, not enablement, is the emphasis. Acquiring Veza's Access Graph technology also highlights a technical challenge buyers are facing in ensuring their AI deployments are both successful and secure. As enterprises move from AI pilots to production, identity and access management has become the governance issue preventing autonomous agents from operating at scale. Without granular visibility into who and what can access systems and data - including AI agents themselves - deploying agentic AI becomes an unacceptable security risk that most CISOs won't sign off on. This is also ServiceNow's sixth acquisition this year, following Logik AI and Data.World. For a company that has historically preferred organic growth, six purchases in twelve months represents a notable shift. But this needs to be understood in context: AI innovation isn't following the measured, multi-year 'big noise' development cycles that defined the cloud era. Capabilities are evolving every few months (or weeks), and building everything internally means falling behind. The risk isn't integration complexity - it's missing the market window entirely. ServiceNow has built its reputation on organic growth and engineering discipline. While competitors assembled portfolios through acquisition - creating integration headaches - ServiceNow stuck with "one platform, one architecture, one data model." This discipline has given the company real advantages for AI orchestration. But the AI market doesn't move at the same pace as cloud infrastructure or SaaS applications did. Capabilities that seemed futuristic six months ago are expected features today. Building everything internally when the market shifts this quickly isn't principled - it's slow. Logik AI in March brought configure-price-quote capabilities ServiceNow needed for its CRM push. Data.World strengthened data cataloging and governance. Now Veza adds identity security and access governance. These fill specific technical gaps required for the agentic AI vision to work. Integration risks exist. Absorbing Veza's 230 employees and technical capabilities while keeping the unified architecture that's been ServiceNow's differentiator takes real engineering effort. But the Workflow Data Fabric, which appeared in 17 of the company's top 20 deals in Q2, shows ServiceNow can integrate new capabilities without breaking platform coherence. The question is whether the company can move fast enough to stay ahead of both buyer needs and competitive moves from vendors who aren't going to hand over the AI orchestration layer willingly. Veza addresses where enterprises are actually getting stuck with AI deployment. If AI agents are going to act autonomously - accessing data across systems, executing workflows, making decisions without human approval - then you need visibility and control over what each agent can access and do. Not high-level policies, but genuine granularity about permissions and access patterns. Veza's Access Graph maps these access relationships across human, machine, and AI identities. Without something like this, deploying agentic AI at any meaningful scale becomes a security risk that most CISOs won't accept. And this isn't theoretical - it's what's keeping organizations stuck in pilot mode. At Knowledge 2025, multiple technology leaders told me they agreed conceptually with ServiceNow's vision of AI-orchestrated work but were struggling with the governance frameworks to support it. How do you give AI agents enough access to be useful without creating massive security exposures? How do you audit what autonomous agents are doing? How do you prove to regulators that you have control over AI systems accessing sensitive data? Veza provides answers to these questions. But - and this matters - technical governance infrastructure alone won't solve the organizational change challenges that our diginomica network research identified as the primary barrier to AI success. You can have perfect identity governance and still fail if you haven't figured out change management, data quality, and organizational alignment. The messaging shift in today's press release tells you where ServiceNow sees itself heading. "The AI control tower for business reinvention" replaces the "AI platform for business transformation" language from earlier releases. Control tower, not platform. Reinvention, not transformation. This matches what I've been observing in ServiceNow's positioning over the past year. At Knowledge 2025, CEO Bill McDermott moved away from diplomatic "platform of platforms" language to explicitly suggesting that some enterprise applications will be eliminated as organizations consolidate around AI-native architectures. The control tower metaphor is more honest - ServiceNow isn't just enabling AI, it's positioning itself as the governance layer that determines which AI agents, and by extension which applications, get to operate in the enterprise. Veza fits this directly. Combining Veza's Access Graph with ServiceNow's AI Control Tower and agentic workflows gives the company what Amit Zavery calls "a true single pane of glass, with control of every identity in their organization." This is an explicit play to own the governance layer that sits above all other enterprise systems. ServiceNow's strategic positioning needs to be tested against what's actually happening with enterprise AI deployments. Our diginomica network research last month found that 93% of CIOs and CTOs have implemented AI. But only 57% report any success, and the majority say AI has failed to meet the elevated expectations of their boards and fellow executives. The gap between expectations and returns isn't primarily technical - it's organizational. One member of our community put it directly: This is not a technology implementation, it's a fundamental rethinking of how work gets done, requiring open dialogue about fears, realistic timelines, and sustained commitment to behavior change. Identity governance infrastructure doesn't solve this challenge. You can have perfect visibility into what your AI agents can access and still fail to realize value if you haven't addressed change management, data quality, and organizational alignment. These are the things actually preventing AI from delivering measurable returns. ServiceNow gets this tension. The "Now Next AI" initiative, which deploys specialized teams to work directly with customers on business cases and implementation, shows the company understands that technology alone isn't sufficient. But the Veza acquisition suggests ServiceNow believes that lack of governance infrastructure is what's preventing some organizations from moving beyond pilots - that removing this technical barrier will unlock broader adoption. That might be true for regulated industries where identity governance is a compliance requirement before any AI deployment can proceed. Veza's customer base in banking, hospitality, and fast-moving consumer goods suggests the platform works in sectors where regulatory scrutiny is intense. Whether governance infrastructure alone shifts the success rate from 57% to something more compelling is what ServiceNow is betting on. The Veza acquisition works strategically. Identity governance has become a real bottleneck as enterprises try to move from AI pilots to production. ServiceNow's willingness to acquire rather than build everything internally shows the company understands AI market speed - this isn't cloud's measured, multi-year development cycle. The messaging shift from "AI platform" to "AI control tower" captures where ServiceNow is actually heading. This isn't about enabling AI deployments alongside other vendors - it's about owning the governance layer that determines which AI agents operate across the enterprise. Combined with AI Experience and the Microsoft partnership, Veza strengthens an already coherent platform play. But technical capabilities alone won't determine success. Our diginomica network research shows the primary barriers to AI success are organizational, not technical. Identity governance provides necessary foundations for safe AI deployment, but doesn't guarantee value realization. You still need clean data, realistic expectations, proper change management, and leadership that can separate genuine opportunity from vendor promises. ServiceNow's execution over the next year will show whether the company can integrate six significant acquisitions while maintaining platform coherence, whether identity governance removes a real bottleneck keeping customers in pilot mode, and whether McDermott's aggressive competitive positioning translates into market share gains or just provokes fiercer responses. What's clear is that ServiceNow isn't playing the diplomatic "platform of platforms" game anymore. The company is making an explicit play for dominance, and the Veza acquisition strengthens the technical foundations for that ambition. Whether customers follow that vision remains the open question.

ServiceNow to acquire identity security start-up Veza

As part of the acquisition, ServiceNow will combine Veza's Access Graph platform with its AI Control Tower dashboard. Cloud company ServiceNow announced yesterday (2 November) that it has signed an agreement to acquire identity security start-up Veza for an undisclosed sum. As part of the acquisition, ServiceNow will add Veza's identity visibility, intelligence and governance capabilities into its security portfolio, including Veza's Access Graph - a visibility and risk control platform that analyses access relationships and permissions across human and AI "identities". The Access Graph platform was built to store and query the relationships between "billions of nodes", according to Veza, from identity to specific permissions on individual resources. The technology is designed to inform a business on what permissions a specific identity has and how they got those permissions, and can be used to spot overprivileged access. Should the deal go ahead as planned, ServiceNow will combine the Access Graph platform with its AI Control Tower - an AI governance and management dashboard - as well as its agentic AI workflows. ServiceNow will also add Veza's vulnerability response, incident response and integrated risk management capabilities to its security and risk products. "In the era of agentic AI, every identity - human, AI agent or machine - is a force for enterprise impact. It's only when you have continuous visibility into each identity's permissions that you can trust it," said Amit Zavery, president, chief operating officer and chief product officer at ServiceNow. "By combining Veza's industry-first Access Graph with ServiceNow's AI Control Tower and agentic workflows, we can give customers a true single pane of glass, with control of every identity in their organisation. "Together, we'll empower CISOs and security teams to make safer access decisions that protect their businesses, and to defend their high-value data assets from AI-powered attacks." Silicon Valley-based start-up Veza was founded by Tarun Thakur, Maohua Lu and Rob Whitcher in 2020 when they spotted a market gap in data security; authorisation. The start-up serves nearly 150 global enterprises and includes the likes of Crowdstrike, Workday, Zoom, Skechers and Mattel. "Veza was built to make identity security transparent, scalable, and effective for every organization," said Thakur, who is also CEO of Veza. "With ServiceNow, we will help customers embrace AI with greater confidence. "Together, we can turn identity governance and identity security into a strategic advantage by giving organisations clear, integrated control over every type of identity - whether it belongs to a person, a machine, or an AI agent." Last year, SiliconRepublic.com spoke to Mark Cockerill, senior vice-president for legal, and lead for Ireland at ServiceNow, about the growing presence of AI in the workplace. Don't miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic's digest of need-to-know sci-tech news.