It wasn’t a hypothesis. It wasn’t a cautionary tale 10 years ago. Something like this recently happened at a real company. The AI agent gained elevated privileges and deleted the entire production database, including customer records, reservations, and all backups, in less than 9 seconds. Gone. There are no attackers. There are no violations. It’s just an agent with too many accesses and no one is monitoring it.
Bill McDermott gave that talk Tuesday morning in front of a crowd of 25,000 people at the Venetian Convention Center in Las Vegas, but it didn’t soften it. “That’s what an AI agent can do when no one is looking,” he said. “Governance is not a function. It’s the whole ball game, because without governance the whole company can collapse.”
It’s an impressive start for a company that has been riding the AI wave harder than anyone else in enterprise software over the past two years. But the move was intentional. With nearly $16 billion in subscription revenue this year and projects set to double to $30 billion by 2030, ServiceNow has concluded that the next competitive frontier is not AI capabilities, but AI controls. And you’re making that bet at the exact moment when other vendors are still selling features.
blind spot
Every AI pitch in the past two years has told the same story. Here’s what AI can do: for your business. Productivity. innovation. Cost reduction. Mr. McDermott acknowledged that the benefits are real. ServiceNow recorded that benefit for itself, saving $500 million in 2025 through its own in-house AI implementation.
However, there is something else going on within the company that is not reflected in the proposal materials. Six out of 10 companies have started implementing agent AI, but only one in 10 is actually building autonomous AI. on the other hand, luck A famous report states that by 2025, 95% of companies will not be able to measure any ROI from their AI investments.
McDermott called it “AI disruption.” Employees are switching between 17 open tabs, wondering if AI could make their jobs easier. Agents provision access, process payroll, and remediate security incidents, but they have no identity, audit trail, or compliance posture. “The more it unfolds, the more information is exposed,” he said.
The structural problem, said Amit Zaveri, president and chief product officer at ServiceNow, is that most companies confuse two things that need to be differentiated: probabilistic AI (the models that generate answers) and deterministic execution (the workflows that run the company). LLM will provide recommendations. Tomorrow might give you something different. But when agents provision access to financial systems or make changes to payroll, they need to be accurate every time, traceable every time, and stoppable every time. “There can be no probabilistic solutions for businesses,” McDermott said in a later media session. “It has to be deterministic and it has to be always right.”
control tower
ServiceNow’s answer is AI Control Tower. It’s a governance layer first announced in 2025 and identified as a market-defining product on Tuesday’s stage, and will be made available for free for one year to companies ready to adopt (allegedly valued at $2 million).
This product does four things. Automatically discover and catalog all your AI assets (all models, all agents, all datasets, and all MCP servers) across your enterprise, including those running on AWS, Azure, Google, Anthropic, and OpenAI. Manage the entire AI lifecycle, automate compliance mapping, detect illusions, bias, and policy violations in real-time, and remediate before things get worse. ROI (recruitment, consumption, cost, and productivity gains) can be tracked in one dashboard, allowing CFOs to answer board questions with real numbers. It also provides continuous observability through what McDermott called a “kill switch.” This is the ability to pause, redirect, or stop agents anywhere in your enterprise with a single action.
Zavery demonstrated the kill switch live on stage. The simulated alert flagged a prompt injection attack. A prompt injection attack is a hidden command that tells an agent to ignore all existing pricing rules, set shipping costs to $1, and not log adjustments. “How badly do you want a kill switch?” Zaveri asked the audience. There is one button. The agent’s privileges were revoked, his actions were tracked across all systems he interacted with, and a P1 security incident was automatically generated. The whole room applauded.
The architecture is integrated with Veza, whose patented access graph maps over 30 billion privileges across human, machine, and AI identities, and Armis, which extends visibility to OT, IoT, medical devices, and critical infrastructure. Both companies were acquired in quick succession by ServiceNow earlier this year, with Veza and Armis completing their acquisitions within three days. Anticipating skepticism, McDermott addressed the issue directly at Financial Analyst Day, saying, “Are they buying growth? No, we weren’t. We were buying a ticket to a brighter future.”
All Arc agents report directly to AI Control Tower, providing a continuous stream of action logs, system access attempts, and operational data. For CISOs managing tens of thousands of desktops, each potentially running multiple agents, the governance layer can be the difference between adoption and paralysis.
Precedents surrounding the board
McDermott has a way of making governance discussions feel less bureaucratic and more urgent, and he repeatedly returned to a single example throughout Tuesday’s event. On Rabbit OS, the AI agent encountered a credential error and deleted the entire production database and all customer data backups in less than 9 seconds. At Meta, an internal AI agent leaked sensitive user data without the involvement of an external attacker.
“The industry is trying to band-aid all of these problems, using agents and creating more and more agents, but none of these standalone AI products can solve the core fundamental problem because they can’t manage the entire system,” Zaveri said at Financial Analyst Day. Gartner predicts that 40% of agent AI projects will fail by 2027, he noted. Not because the AI is incompetent, but because the AI is not managed.
bigger claim
Mr McDermott had a broader discussion under his pitch on governance. ServiceNow is not only building a secure layer of AI, it claims to be the control plane for the entire agent enterprise.
When an external agent such as OpenAI, Anthropic, Microsoft, or Workday calls Action Fabric, it launches ServiceNow’s managed workflow engine. All actions are recorded. All permissions are enforced. All results are traceable. “We are the AI agents of agents,” McDermott told reporters. “We manage everyone else’s agents. They can’t manage our agents because they don’t do it the way we do it.”
The logic of competition is sharp. Workday manages HR agents. Salesforce manages CRM agents. But when, as is often the case, compensation disputes involve finance, legal, human resources, and general ledger at the same time, there’s only one system that covers the entire process.
Regarding this story, luck journalist We used generative AI as a research tool. Editors verified the accuracy of the information before publication.
