How AI helps us ensure ServiceNow Platform security in every release
The journey to AI-driven security automation at ServiceNow began with a digital technology hackathon focused on generative AI (GenAI). “When the GenAI boom started, my team and I explored how we could challenge ourselves,” explains Pavan M., director of product security management in our India Technology and Business Center.
Recognizing inefficiencies in the security review process, Pavan’s team identified five key pain points and sought solutions to automate them. “We analyzed our daily tasks, pinpointed repetitive manual processes, and questioned their value-add,” he says.
The team’s submission in the hackathon emerged as one of the top proposals among 300 to 400 entries. Although it didn’t win, the idea gained exposure and led to embedding AI into the ServiceNow software development lifecycle, which is used for every platform release.
AI-driven risk ranking: A game changer
Each year, our security team conducts approximately 3,000 application security reviews to ensure ServiceNow Platform security in every semiannual release. Given this volume, it’s impossible to manually test every aspect of security. AI helps our teams identify and prioritize the most security-sensitive updates so that they can focus on critical risks.
“We cannot afford to miss the most important security reviews,” says Santosh G., manager of product security. “Twice a year, we dedicate nearly four months to our family release testing.” With the ServiceNow Platform Yokohama release, “we leveraged AI to optimize our approach and preemptively identify vulnerabilities,” he adds.
AI now handles much of the process, reviewing more than 3,000 features per year and flagging those that require further assessment. Previously, three employees manually processed epics and stories to assign risk scores between 0 (critical) and 3 (low impact). AI has saved more than 300 hours of work.
The flagged risks are then divided among our security teams in India and the U.S. to undergo multiple rounds of validation before the platform release. “Once epics and stories are written and created by developers, our GST [global security testing] team assesses them over a two- to three-week period,” says Geetika R., senior product security engineer.
Quality assurance engineers verify functionality, and the GST team ensures all vulnerabilities are addressed before final launch.
Guardians of ServiceNow security
Our GST team has significantly streamlined the traditionally time-consuming risk rating process, thanks to AI.
“Our job is to reduce risk, educate, and ensure the platform remains safe for both our customers and us,” says Tom W., director of product security management. His teams collaborate closely with the Unified Technology Group, as well as with the release management and development teams, to make sure robust security measures are part of each release.
By safeguarding each ServiceNow Platform release, our security teams help ensure a protected experience. With AI as a force multiplier, we’re setting new standards for secure and efficient platform releases to keep our customers’ data safe.