ServiceNow Acquires Armis: AI Cyber Defense Platform Analysis

/ AI, Application Development, Security

What’s Happening

ServiceNow has completed its acquisition of Armis, an AI-powered cyber exposure management company, and simultaneously announced the creation of an AI Center for Cyber Defense. The deal follows ServiceNow’s acquisition of Veza in March 2026, which brought AI-native identity intelligence into the platform. Together, the two acquisitions are designed to close the gap between threat detection and active remediation by combining asset visibility, identity mapping, and autonomous response into a single governed workflow. ServiceNow states the combined opportunity more than triples its addressable market for security and risk solutions, a segment that already crossed $1 billion in annual contract value organically in Q3 2025.

The Bigger Picture

The Agentic AI Security Problem Is Getting Urgent

This acquisition is less about security consolidation and more about infrastructure for a world where AI agents are active participants in the enterprise. As organizations accelerate agentic AI deployment, the attack surface is no longer just endpoints and applications. It includes AI agents themselves, the identities they operate under, the OT systems they touch, and the cloud environments they traverse. ServiceNow is betting that security leaders will need a unified control plane to govern all of it, and that the company is best positioned to provide one.

That bet is well-timed. According to ECI Research’s 2025 AI Builder Summit survey, two-thirds of enterprise AI leaders have already implemented multi-agent collaboration (enabling agents to coordinate and delegate task) in live or pilot workflows. When agents are collaborating autonomously across systems, the identity and asset management problem scales exponentially. The Veza plus Armis combination could address that compounding risk by mapping both human and machine identities alongside every connected physical and virtual asset.

What ITDMs Need to Understand

For IT decision-makers, the key question is whether this acquisition changes the risk calculus of the ServiceNow platform itself. The answer is yes, in a meaningful way.

Armis Centrix brings continuous, non-invasive visibility across nearly 7 billion tracked devices, including OT systems, medical equipment, and IoT infrastructure that most enterprise security tools simply ignore. Veza’s Access Graph overlays permission mapping across human accounts, machine identities, and AI agents. When both data streams flow into ServiceNow’s Context Engine and AI Control Tower, the likely result is a risk prioritization and remediation loop that can operate autonomously, with policy governance and audit trails baked in.

This matters particularly for industries where OT and IT convergence is happening fast, including manufacturing, healthcare, energy, and critical infrastructure. In those environments, the ability to detect and remediate risk across the full asset layer, not just the application stack, is a regulatory and operational requirement. Armis’ existing relationships with nine of the Fortune 10 and more than 35% of the Fortune 100 give ServiceNow an immediate foothold in exactly those accounts.

The economics are also compelling. ServiceNow frames this as a market expansion story, more than tripling the total addressable market for its security and risk business. For ITDMs evaluating platform consolidation, the relevant pressure point is this: ECI Research’s Enterprise Cloud Maturity research found that security is cited as the top cloud migration challenge by 53.5% of respondents, surpassing cost and tooling as the dominant constraint on migration velocity. A platform that reduces the number of vendors involved in security outcomes, while providing unified visibility from device to identity to AI agent, has a direct financial argument beyond the feature checklist.

What Developers and Security Engineers Should Know

From a technical standpoint, the architecture being assembled here is significant. The flow is straightforward in concept but difficult to build in practice: Armis discovers and continuously monitors every connected asset, Veza maps every permission across every identity type, and ServiceNow’s platform correlates both signals to drive automated risk prioritization and remediation.

The non-invasive nature of Armis’ asset discovery is important. It means the visibility layer does not require agents deployed on every device, which is frequently impractical in OT and IoT environments where patching and software installation are constrained by physical or regulatory realities. For security engineers, this passive visibility model paired with active remediation through ServiceNow workflows represents a more complete detection-to-response architecture than most current implementations can offer.

The AI Center for Cyber Defense is a longer-term signal worth watching. The stated goals include building the next-generation AI security stack, developing capabilities to anticipate and neutralize AI-driven attacks before they occur, and helping enterprises transition from legacy frameworks to AI-native security postures. That framing is consistent with a growing recognition across the industry that AI is both a defensive tool and an expanding attack vector. The governance challenge compounds this: ECI Research found that only 20.2% of organizations report enterprise-wide AI deployments built on a governed framework, even as 50.7% rely on public AI tools such as ChatGPT and Copilot. ServiceNow’s control tower and audit trail architecture is a direct response to that governance gap.

Competitive Positioning

ServiceNow is not the only platform company building in this direction. Microsoft Sentinel, Palo Alto Networks’ Cortex platform, and CrowdStrike Falcon are all moving toward unified security data and AI-driven response. What could differentiate the ServiceNow approach is the workflow layer. Security findings in most platforms still require human handoffs to become remediations. ServiceNow’s core competency is orchestrating those handoffs at scale, and the addition of Armis and Veza may give the platform the upstream signals it needed to make the orchestration genuinely autonomous rather than assisted.

The risk for ServiceNow is integration execution. Two significant acquisitions in quick succession create real complexity, and the architectural promise of a unified context engine requires tight product integration that takes time to deliver. Organizations evaluating this platform combination should pressure-test the current state of integration maturity, not just the roadmap.

What’s Next

The AI Security Stack Will Consolidate Around Workflow Platforms

The market is moving toward platforms that can govern the full lifecycle of a security event, from asset discovery through identity verification, risk scoring, automated response, and audit reporting, without requiring human intervention at every step. ServiceNow’s acquisitions position it as one of the few vendors capable of covering that entire chain within a single governed platform.

We expect enterprise security leaders to accelerate evaluation of integrated platforms over the next 12–18 months, driven by two converging pressures: the expanding agentic AI attack surface and growing regulatory scrutiny around AI governance and data privacy. Organizations in regulated industries, particularly financial services, healthcare, and energy, will feel that pressure earliest and most acutely.

The AI Center for Cyber Defense Signals a Long-Term Play

The establishment of a dedicated research and development center focused on AI-native cyber defense is not a short-term product move. It signals that ServiceNow views this domain as a sustained competitive differentiator, not simply a feature addition. The center’s dual mandate, developing capabilities to anticipate AI-driven attacks while helping enterprises build AI-native security postures, positions ServiceNow to influence how the industry defines and measures security maturity in an agentic world.

For ITDMs, the near-term priority is assessing where existing Armis or Veza deployments sit within the ServiceNow ecosystem and what integration timelines look like. For developers and security engineers, the more relevant question is how the Context Engine and AI Control Tower expose APIs and policy interfaces for custom workflow integration. That technical surface area will determine how much control engineering teams retain as autonomous remediation becomes the default operating model.

Authors

  • Paul Nashawaty

    Paul Nashawaty, Practice Leader and Lead Principal Analyst, specializes in application modernization across build, release and operations. With a wealth of expertise in digital transformation initiatives spanning front-end and back-end systems, he also possesses comprehensive knowledge of the underlying infrastructure ecosystem crucial for supporting modernization endeavors. With over 25 years of experience, Paul has a proven track record in implementing effective go-to-market strategies, including the identification of new market channels, the growth and cultivation of partner ecosystems, and the successful execution of strategic plans resulting in positive business outcomes for his clients.

    View all posts

  • With over 15 years of hands-on experience in operations roles across legal, financial, and technology sectors, Sam Weston brings deep expertise in the systems that power modern enterprises such as ERP, CRM, HCM, CX, and beyond. Her career has spanned the full spectrum of enterprise applications, from optimizing business processes and managing platforms to leading digital transformation initiatives.

    Sam has transitioned her expertise into the analyst arena, focusing on enterprise applications and the evolving role they play in business productivity and transformation. She provides independent insights that bridge technology capabilities with business outcomes, helping organizations and vendors alike navigate a changing enterprise software landscape.

    View all posts