ServiceNow is making a move to strengthen its position in identity security by acquiring Veza, which is known for its AI-native approach to access governance.
The deal highlights how central identity controls have become as enterprises adopt cloud, SaaS and autonomous AI agents. Enterprises now need to secure access to their tech stacks for a growing mix of identities, including humans, devices, APIs and AI agents, as malicious actors increasingly weaponize agentic AI to carry out more advanced cyberattacks. That requires strong identity and access controls so enterprises can maintain tight control over permissions.
With Veza, ServiceNow aims to offer end-to-end visibility into what every identity can access, so customers can manage this complexity and incorporate AI agents safely.
The acquisition, still subject to regulatory approval, would fold Veza’s identity visibility and governance capabilities into ServiceNow’s security portfolio to give organizations better control over who, or what, can access critical data and systems.
Founded in 2020, Veza has gained attention for its AI-native Access Graph, which maps and analyzes access relationships across data systems, SaaS apps, infrastructure and AI agents. Its single dashboard gives security leaders a clear view to quickly spot and remove overly broad permissions. The platform supports identity governance features such as access reviews, entitlement management and automated provisioning.
Amit Zavery, president, COO and chief product officer at ServiceNow, said joining Veza’s Access Graph with ServiceNow’s AI Control Tower would give customers “a true single pane of glass” for governing identity risk across the business.
Veza complements ServiceNow’s existing identity features, like the platform’s Machine Identity Console, by offering better visibility and simpler management as businesses scale with AI. Veza will also add identity context to ServiceNow Security and Risk products, including Vulnerability Response, Incident Response and Integrated Risk Management, to give customers a clearer view of who and what is associated with an exposure, incident or risk event, the announcement noted.
Why Centralized Access Matters Now
The acquisition comes at a time when enterprise security is under a brighter spotlight following a string of high-profile breaches that have exposed customer data. Many of those incidents can be traced back to permissions that were misconfigured or overly broad.
Identity security is entering a consolidation phase as vendors try to unify tools that have long existed in silos. The need for reliable, auditable control over who can access sensitive data wherever it resides is only growing as customers and regulators push harder for data residency guarantees and sovereign cloud options.
Identity governance is quickly becoming the backbone of secure AI and cloud operations, and major vendors are racing to own that layer.
Beyond staying ahead of cyber threats, the goal is to help enterprises navigate increasingly complex sovereignty-driven compliance demands. Embedding identity and access controls directly into a large enterprise platform could provide a more transparent and manageable route toward compliance and trust.