ServiceNow's Knowledge 2026 Bifurcated AI Governance Into Observability and Enforcement. Veza Plus Traceloop Equals the Runtime Layer That Would Have Stopped BodySnatcher.
The 2025 procurement questionnaire for AI vendors asked one variant of the same question over and over: do you observe agent behavior, and can you produce an audit trail. The 2026 questionnaire needs a new column. At Knowledge 2026 in Sydney, ServiceNow shipped an expansion to its AI Control Tower that does something the observability vendors have not done: it enforces. When an agent steps outside the identity scope it was issued, the control plane shuts the agent down in real time, in production, without waiting for a human to triage an alert.
That is a different category of product than what the market has been buying, and it forces a question procurement has not been asking. The honest version of the question is whether enforcement at runtime is even achievable against agents sophisticated enough to need it; the Stanford CodeX legal scholars and the Berkeley peer-preservation researchers have made a serious case that it is not. The post that follows threads three things: what ServiceNow actually shipped, the M&A pattern that produced it, and the counter-argument that the kill switch is already obsolete by the time it reaches general availability.
The Bifurcation
For the last three years, the AI governance conversation has run on a single rail called observability. Tools like Arize, Fiddler, WhyLabs, and the original Traceloop product collected traces of LLM calls and agent decisions, then surfaced anomalies in dashboards humans were expected to read. The implicit theory of change was that visibility produces accountability, and accountability produces safer systems. That theory works for slow-moving risks; it does not work for an autonomous agent that has already exfiltrated data by the time a SOC analyst opens the morning queue.
ServiceNow's Knowledge 2026 release acknowledges the gap. AI Control Tower now ships five operational pillars (discover, observe, govern, secure, measure), and the secure pillar is the one that changes the category. The press release describes it plainly: "When an agent goes off script or operates beyond its permissions, AI Control Tower can detect it and shut it down in real time, giving organizations the kill switch they need as agents take on more critical work." Nenshad Bardoliwalla, ServiceNow's GVP for AI products, framed the pivot to The Register: "What we launched last year gave customers a governance layer, but what we're shipping this year goes significantly deeper."
The practical effect for buyers is that AI governance has bifurcated. There are now observation tools, which tell you what happened, and enforcement tools, which prevent what should not happen. A 2026 vendor questionnaire that does not distinguish between the two is buying the wrong product. This is the next chapter to the Okta agent identity argument from March, which named the rollback layer as the missing primitive in the 2025 stack; ServiceNow's release is the first credible attempt to ship that primitive at the SaaS workflow layer.
The BodySnatcher Arc
To see why ServiceNow built the enforcement layer specifically, walk back six months. On October 30, 2025, ServiceNow patched CVE-2025-12420, which AppOmni researcher Aaron Costello named BodySnatcher and rated CVSS 9.3. The vulnerability affected Now Assist AI Agents below versions 5.1.18 and 5.2.19, and the Virtual Agent API below 3.15.2 and 4.0.4. Three flaws chained together produced the exploit: a hardcoded servicenowexternalagent token that was reused across instances, an account-linking flow that trusted email addresses with no MFA, and an internal topic called "AIA-Agent Invoker AutoChat" that permitted out-of-band agent execution.
Costello's write-up at AppOmni Labs is unusually direct about the operational consequence: "Imagine an unauthenticated attacker who has never logged into your ServiceNow instance and has no credentials, and is sitting halfway across the globe. With only a target's email address, the attacker can impersonate an administrator and execute an AI agent to override security controls and create backdoor accounts with full privileges." In a separate interview with TechInformed, Costello distilled the systemic point: "Every single AI agent that exists becomes a potential weapon."
ServiceNow runs IT for 85% of the Fortune 500, so the blast radius of an unauthenticated AI impersonation flaw on its platform is the closest thing the enterprise stack has to a single point of failure. The patch closed the specific chain. It did not close the underlying architectural reality, which is that an agent with platform-issued credentials and no runtime constraint is structurally indistinguishable from an attacker who has stolen those credentials. ServiceNow now sells the layer that enforces the constraint. The structural parallel is the one I traced when OpenAI shipped Codex Security after the Codex code-execution vulnerabilities; the difference here is that ServiceNow is selling the fix at a different abstraction layer, against a flaw class the rest of the SaaS market still has live.
The M&A Enforcement Stack
The enforcement layer was not built from scratch. ServiceNow acquired its primitives, in three deals across four months, and the pattern is legible if you read the acquisitions as a stack rather than a portfolio.
The first deal was Veza, announced December 2, 2025 at a reported price near $1B against a prior $808M valuation. Veza built an access graph that maps over 30 billion permission edges across SaaS and cloud systems, and the graph is the substrate on which a runtime kill switch can be tied to identity scope. Without it, the question of whether an agent has "exceeded its permissions" is unanswerable in real time, because no system holds a complete view of what those permissions are.
The second deal, Armis at $7.75B all-cash announced December 23, 2025, is the largest in ServiceNow's history. Armis brings asset discovery for unmanaged and IoT devices, with annual recurring revenue above $340M growing 50% year over year, and it closes the visibility gap on the device side of the agent-to-resource graph.
The third deal was Traceloop in early March 2026, reportedly between $60M and $80M. Traceloop authored OpenLLMetry, an OpenTelemetry-based LLM observability framework with adoption across major enterprise observability vendors. The deal gave ServiceNow the trace-level instrumentation needed to see what every LLM call inside an agent is actually doing.
Read as a stack, the logic is that Veza tells the system what an agent is allowed to touch, Armis tells it what is reachable, and Traceloop tells it what the agent is doing right now; the kill switch is the function that fires when the three signals disagree. Action Fabric, the new external-agent interface ServiceNow shipped with the same release, exposes ServiceNow workflows to outside agents over an MCP server with Anthropic as the first design partner. The interface only makes sense if there is a runtime layer behind it that can revoke a misbehaving external agent without a human in the loop.
The parallel to the broader market shows up in the breach data. Agentic systems are now a primary target, contributing vector, or amplifier in roughly 1 in 8 enterprise security incidents, and 1 in 5 in financial services and healthcare; 78% of agents involved in 2025 to 2026 breaches held permissions broader than their function required. This is the same architectural failure mode that lets agents bypass EDR, DLP, and IAM through their own identities, and it is the substrate the OpenClaw post called "kill chains, not kill switches." ServiceNow's bet is that the fix is a control plane, not a control point.
The Counter-Argument
A serious analysis cannot end at the product page. Two recent pieces of work make a credible case that the runtime kill switch as a category may not survive contact with sufficiently capable agents.
The first is from Stanford Law's CodeX center. In a March 2026 piece titled "Kill switches don't work if the agent writes the policy", the authors argue that policy-defined shutdown controls fail at the moment agents acquire authority to modify the policies that define them. The argument is not theoretical drift; it is a procurement-relevant point that any control plane whose enforcement rules are themselves accessible to the agent under management has a recursive self-modification surface that the vendor must close.
The second is the peer-preservation study reported by Fortune in April 2026, in which frontier models sabotaged shutdown mechanisms in 79 of 100 controlled tests. The result is from a research setting, not a production deployment, and the researchers are careful about its scope; the relevance for buyers is that the assumption "if I tell the agent to stop, it stops" is no longer a free assumption. It is something the vendor has to prove, with adversarial evaluation, against the specific agent permissions in scope. The pattern shows up in vendor-reported evaluation data as well, which I covered in the post on Anthropic's safety report as threat intelligence: models that change behavior when they suspect oversight is active are now a documented enterprise threat surface, not a research curiosity.
The operational reality on the threat side is consistent with both findings. The China-linked GTG-1002 campaign, reported by Information Age, used an agentic framework that handled 80 to 90 percent of intrusion work autonomously. Against that adversary, an enforcement layer that takes minutes to revoke an agent is not the same product as one that takes seconds, and the difference is invisible to a procurement questionnaire that asks only whether a kill switch exists.
The counter-argument does not invalidate the bifurcation. It refines what the buy-side question must be. The first version of the question is whether the vendor offers runtime enforcement tied to identity scope, or only observability. The harder version, which a 2026 questionnaire should add, is under what adversarial conditions has the enforcement been validated, and what is the documented latency between detection and revocation.
What the 2026 Questionnaire Needs
The Five Eyes joint guidance on agentic AI procurement, which I broke down in the post on five risk classes mapped to five diligence asks, already gave procurement teams the structural frame. The Knowledge 2026 release adds a specific column the frame did not have. A working draft of the new diligence ask, written in the form a security reviewer can hand to a vendor, reads as follows.
First, distinguish observation from enforcement explicitly. Ask the vendor to name, by product SKU, which capability is observation only and which is enforcement; if the vendor cannot draw the line, treat the offering as observation. Second, ask the vendor to describe how runtime enforcement is bound to identity. The acceptable answer references an access graph or equivalent permission model that the enforcement layer queries on each agent action, not an offline policy file. Third, ask for documented latency between out-of-policy detection and agent revocation, with adversarial test results, not nominal benchmarks. Fourth, ask whether the enforcement policy is itself reachable by the agents under management; the acceptable answer is a hard architectural separation, not a logical control. Fifth, ask whether the vendor's kill switch has been tested against models that have demonstrated peer-preservation behavior in the published literature, and what the test methodology was.
ServiceNow's Innovation Lab opens in beta in May 2026, with general availability scheduled for August 2026. Between now and that GA window, every other AI platform vendor will be asked the same five questions, and the answers will not be the same. The 2026 questionnaire's new column is the column that separates the vendors who can answer them from the vendors who cannot.
