The meter nobody noticed
I spent part of the long weekend reading through ServiceNow's Knowledge 2026 announcements, and the most important thing the company shipped was a pricing decision.
When an external AI agent triggers a workflow inside ServiceNow through the company's new Action Fabric, that action consumes the same "Assist" currency customers already use for ServiceNow's own AI features. A password reset initiated by Anthropic's Claude draws down the same meter as one initiated by ServiceNow's native Now Assist. The company didn't build a separate billing system for external agents. It routed them through the existing consumption model.
This detail got buried under keynote demos and partnership logos. It shouldn't have. It's the load-bearing architectural choice, because it tells you what ServiceNow actually believes about where it sits in the emerging agent economy. If you meter external agents the same way you meter your own, you're treating other people's agents as a growth vector for your own platform economics. Every Claude workflow, every third-party agent execution, every action triggered by a model provider that doesn't exist yet: all of it runs the same meter.
The rest of the Knowledge 2026 announcements, the Action Fabric, the expanded AI Control Tower, the consolidation of Armis and Veza into a new Autonomous Security and Risk product, make more sense once you see them through the lens of that pricing decision. They're the infrastructure required to make the meter credible.
The puzzle
The consensus read on Knowledge 2026 is that ServiceNow, like every enterprise platform vendor, is layering AI capabilities onto its existing products. More agents, more automation, more governance tooling. That read is accurate at the surface. Underneath it, a more specific question is worth asking.
The question I keep returning to: who ends up owning the governance layer for AI agents that enterprises didn't build themselves?
The agents arriving from Anthropic, from OpenAI, from whatever model provider a customer chose last quarter. When a Claude agent needs to trigger an approval workflow, or a GPT-based agent needs to file an incident, or some future agent from a startup that hasn't raised its Series A yet needs to execute a business process, where does that action get governed?
Security vendors and identity vendors are the expected answer. They already manage access, authentication, and threat detection. A workflow platform is the surprising one. And ServiceNow's bet is that the expected candidates are structurally disadvantaged, because they can observe and flag but they don't control the point where the action actually happens.
ServiceNow processes more than 80 billion workflows a year across IT, HR, customer service, security, and operations. Action Fabric is the move to convert "we're where the work happens" into "we're where the work gets governed." Whether that's a defensible structural claim or a workflow vendor overreaching into territory it doesn't understand is what I want to work through.
Why the permission model has to be action-scoped
The traditional way enterprises govern access is identity-centric. You authenticate a user or a machine, assign them a role, and trust that the role's permissions constrain their behavior. For humans, this works reasonably well. Humans have stable identities, predictable work patterns, and a limited ability to operate at machine speed.
For AI agents, the model breaks down at a specific point: authentication establishes who is asking. It has no opinion about what they're about to do. Two agents with identical credentials might attempt radically different actions. One might file an incident report. The other might try to modify a pricing table and suppress the audit log. ServiceNow actually demoed this scenario at Knowledge 2026, staging a live prompt injection attack that attempted exactly that. The kill switch worked.
Identity-centric governance catches the second agent only if the role was scoped tightly enough to exclude that action in advance. Which requires anticipating every possible action an agent might attempt. With agents that reason, plan, and chain actions together in novel sequences, that anticipation problem becomes combinatorially hard.
ServiceNow's MCP Server Console is built for this problem. The console exposes the platform's full system of action to external AI agents through the Model Context Protocol, an open standard for AI-model-to-tool interaction. What sits behind ServiceNow's implementation, and distinguishes it from other MCP servers, is governed execution, with the full workflow and approval machinery enforcing every call. External agents can trigger workflows, approval chains, service catalog actions, and business rules, all within a permission model scoped to actions rather than identities.
The console uses "role-based tool packages" that define the specific set of actions a given agent is allowed to execute. An agent authenticated via OAuth doesn't get blanket access to the platform. It gets access to a defined package of tools, each one a specific action it can perform, with every execution logged through the AI Control Tower's audit trail. On top of this sits the MCP Registry: a centralized catalog of every MCP server an organization uses, whether built internally or sourced externally, with version tracking and access controls.
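To make the contrast concrete, here is an added sketch (not ServiceNow's code or API) of an action-scoped gate: two agents bound to the same tool package, one of which has been steered into the pricing-table-and-audit-log scenario described above. The role name, action names, and the `ActionGate` class are hypothetical, and halting the chain at the first denial is this sketch's own assumption.

```python
from dataclasses import dataclass, field

# Hypothetical role-based tool packages: each role maps to the only actions
# an agent bound to it may execute. Names are illustrative, not ServiceNow's.
TOOL_PACKAGES = {
    "access_helper": frozenset({"incident.create", "catalog.request_access"}),
}


@dataclass(frozen=True)
class ToolCall:
    agent_id: str  # who is asking (what authentication establishes)
    role: str      # tool package bound to the agent's OAuth client
    action: str    # what the agent is about to do
    target: str    # record or table the action touches


@dataclass
class ActionGate:
    packages: dict
    audit_log: list = field(default_factory=list)

    def authorize(self, call: ToolCall) -> bool:
        """Default deny: allow only actions listed in the role's package."""
        allowed = call.action in self.packages.get(call.role, frozenset())
        # Every decision is recorded, denials included.
        self.audit_log.append({
            "agent": call.agent_id, "role": call.role, "action": call.action,
            "target": call.target, "decision": "allow" if allowed else "deny",
        })
        return allowed

    def run_chain(self, calls):
        """Evaluate a chain of calls in order and return the actions executed.

        Halting at the first denial is this sketch's stand-in for a kill
        switch: later steps of a hijacked plan are never evaluated or run.
        """
        executed = []
        for call in calls:
            if not self.authorize(call):
                break
            executed.append(call.action)  # real execution would happen here
        return executed


# Constructed sample input: two agents holding the same role.
BENIGN_CHAIN = [
    ToolCall("agent-a", "access_helper", "incident.create", "incident"),
]
INJECTED_CHAIN = [
    ToolCall("agent-b", "access_helper", "incident.create", "incident"),
    ToolCall("agent-b", "access_helper", "table.update", "pricing"),
    ToolCall("agent-b", "access_helper", "audit.suppress", "audit_log"),
]

if __name__ == "__main__":
    gate = ActionGate(TOOL_PACKAGES)
    print(gate.run_chain(BENIGN_CHAIN))
    print(gate.run_chain(INJECTED_CHAIN))
    for entry in gate.audit_log:
        print(entry)
```

Both agents pass the same identity check; only the per-action evaluation separates them, and the denial itself lands in the audit trail.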
The concrete version: an employee asks Claude for help getting access to a tool. Claude, connected to ServiceNow through Action Fabric, identifies the access gap, routes the request through the appropriate approval workflow, and resolves it. The employee never opens the ServiceNow interface. But the approval chain, the audit trail, the SLA timer, the business rules all still fire inside ServiceNow's governed environment. The action was headless. The governance was embedded in the execution path.
ServiceNow's structural advantage is that it already owns the execution surface where a large share of enterprise actions happen. If an agent needs to trigger a workflow, it has to come through the platform. And if it comes through the platform, ServiceNow can evaluate the action before it executes. The governance lives inside the execution path itself.
The MCP Server is generally available now, included in every Now Assist and AI Native SKU. The expanded AI Control Tower enters ServiceNow's Innovation Lab this month with general availability expected in August. The execution layer is live; the full governance instrumentation is still rolling out.
What the customs office needs to work
A customs office governs trade at the point of transit: every shipment is inspected, evaluated against current rules, and either permitted or blocked. The governance happens at the border, not at the point of origin. That parallel clarified the ServiceNow architecture for me.
ServiceNow is building the customs office for enterprise AI agents. The agents can be built by anyone. But when those agents need to execute governed work, they cross the border into ServiceNow's system of action. At that border, Action Fabric evaluates the action against the permission model, the AI Control Tower provides the context, and the execution either proceeds or gets blocked.
A customs office only works if the inspectors know what they're looking at. Knowing that an agent wants to modify an access permission is necessary but incomplete on its own. You also need to know: what asset is affected? What other permissions exist on that asset? What's the risk posture of the environment? Is this a test instance or a production system controlling medical devices?
The Armis and Veza acquisitions read as architectural prerequisites, not security bolt-ons.
Veza, which closed in March 2026, brought the Access Graph: a real-time map of every identity (human, machine, and agent), every system, and every permission across an enterprise environment. With over 30 billion access permissions under management at the time of acquisition, the Access Graph answers questions like "which AI agents can access sensitive data in this warehouse?" and "where are standing privileges that haven't been used recently?" The acquisition price was never officially disclosed; The Information reported a range of $1 billion to $1.5 billion, though the precision of that range is uncertain.
Armis, which closed in April 2026 for $7.75 billion in cash, brought real-time visibility across IT, OT, IoT, medical devices, and cloud infrastructure. Pre-acquisition reporting put Armis at $340 million in ARR growing at over 50% year-over-year, which would place the acquisition at roughly 23x ARR. That multiple signals how much ServiceNow valued the asset visibility layer it lacked organically. The companies had partnered for more than two years before the acquisition, which suggests the integration thesis was tested before the check was written.
Together: Veza maps who can access what. Armis maps what exists and what state it's in. Feed both into the AI Control Tower, and you have the context needed to evaluate whether a given agent action should be permitted. The question expands: given the current state of the asset, the existing permissions, the risk posture, and the compliance requirements, should this specific action execute right now?
ServiceNow consolidated both acquisitions into the new Autonomous Security and Risk product announced at Knowledge 2026. On integration depth: Armis closed on April 20, roughly two weeks before the conference. Some of the combined product descriptions use forward-looking language ("will feature"). The architectural vision is clear and the pieces are in hand, but the ratio of shipped product to roadmap isn't publicly documented at this stage.
The expanded AI Control Tower ties the pieces together across five dimensions:
- Discover — finding AI assets across the org, including 30 new integrations spanning AWS, Google Cloud, Azure, SAP, Oracle, and Workday
- Observe — continuous monitoring of agent reasoning via the Traceloop acquisition
- Govern — risk frameworks aligned to NIST and EU AI Act
- Secure — identity intelligence via Veza
- Measure — cost tracking and ROI dashboards
ServiceNow says it tracked over 1,600 AI assets internally and measured half a billion dollars in cumulative AI value through its own Control Tower in 2025.
Those 30 enterprise integrations for the Discover dimension are the tell that the ambition extends beyond ServiceNow's own platform. The company is reaching out to find and catalog AI assets deployed on other infrastructure. And then there's the go-to-market move that reveals the strategy more clearly than anything in the keynote: ServiceNow is offering AI Control Tower free for one year, framed as a $2 million value (this was reported by Efficiently Connected from the Knowledge 2026 briefings; ServiceNow's own newsroom doesn't appear to state the specific dollar figure). Give away the governance plane, build dependency on the visibility and context it provides, then monetize through the execution layer as agents consume Assist currency. The subsidy was the strategy. And the lock-in mechanism is specific: once an enterprise has cataloged hundreds or thousands of AI assets through the Control Tower and built governance policies, risk frameworks, and audit trails around them, the switching cost isn't the subscription fee. It's the reconstruction of the entire governance state. That's the dependency the free year creates.
Where the argument turns
I want to flag the moment in this analysis where my read shifted, because it changes what the rest of the piece means.
My initial assumption was that ServiceNow's dual-provider strategy, a three-year agreement with OpenAI making it the only natively embedded model, plus Anthropic as the Action Fabric launch partner, was hedging. Spreading risk across model providers the way any prudent platform would. Then I looked at the architecture more carefully.
OpenAI is embedded natively for voice and general automation. Anthropic powers the Build Agent for coding and agentic workflows. And Action Fabric, the governed execution layer, is designed to accept any agent from any provider. The model provider is interchangeable. The execution layer is not. ServiceNow has made itself the layer that doesn't need to pick a winner, because every winner's agents still need to execute governed work somewhere.
That's a strategic posture worth sitting with. "We're the place where AI companies' agents come to do things" is a very different claim than "we're an AI company." And the pricing decision, routing all of it through the same Assist meter, is what makes the posture economically coherent.
Why Anthropic showed up at the border
The Anthropic partnership is the external validation that makes the structural argument harder to dismiss.
In January 2026, ServiceNow and Anthropic announced a broad collaboration making Claude the default model powering ServiceNow's Build Agent. At Knowledge 2026, Anthropic was named as one of the first launch partners for Action Fabric, with Claude connecting directly to ServiceNow's execution layer.
Why would Anthropic, arguably the most cautious of the frontier AI labs on safety and governance, choose a workflow platform as its first governed execution partner? The answer follows from Anthropic's incentive structure. Anthropic needs enterprise adoption to fund its research. Enterprise adoption requires governed execution, because no CIO will let Claude trigger business processes without audit trails, permission controls, and kill switches. Anthropic could build all of that itself, but building enterprise governance infrastructure is a different business than building frontier AI models, and it would take years to reach the depth ServiceNow already has. The faster path is to partner with the company that already owns the execution surface and let it handle governance.
Dario Amodei framed the logic in the January announcement: enterprises process "more than 80 billion workflows every year" through ServiceNow, and the way to get results from AI is to make it "an integral part of how you get work done." A model-provider CEO describing the value of someone else's execution surface. That's an unusual posture, and it tells you something about how Anthropic sees the stack.
"ServiceNow was willing to work with us and together to solve problems versus just adopting a product."
— Amit Zavery, ServiceNow president and COO, Axios, January 2026
That phrasing suggests a co-development relationship rather than a licensing deal. Whether the relationship is closer to design partnership or standard integration isn't publicly documented, but the co-development language points toward something deeper than a logo on a slide.
"The gap between knowing what needs to happen and making it happen is where productivity dies. Connecting Claude to ServiceNow's system of action closes that gap with enterprise execution."
— Boris Cherny, head of Claude Code at Anthropic, Knowledge 2026
An AI lab describing its own product's limitation and naming a workflow platform as the solution is unusual partnership theater. It's a structural admission about where the value sits.
The economics underneath the strategy
ServiceNow's financial structure makes the governance-layer bet legible as an economic strategy, not an architectural diagram.
The company reported $3.77 billion in total revenue for Q1 FY2026, up 22% year-over-year. Subscription revenue was $3.7 billion, roughly 97.4% of total revenue. That's one of the most subscription-dominant revenue mixes in enterprise software, which means ServiceNow's economics are driven almost entirely by platform adoption and consumption, not by implementation labor.
The AI-specific numbers are where the strategy shows up in the financials. Now Assist net new ACV surpassed $600 million and is on track to reach $1 billion by the end of FY2026. Management raised the full-year AI revenue target from $1 billion to $1.5 billion. Deals including three or more Now Assist products grew nearly 70% year-over-year.
The consumption model is the mechanism. On the Q1 earnings call, Zavery described the dynamic plainly: the more customers use AI-driven actions, the more Assist they consume. Customers buy a subscription that includes a pool of Assist units. Every AI-driven action, whether triggered by ServiceNow's native agents or by an external agent through Action Fabric, draws down that pool. When the pool is consumed, the customer buys more.
The pricing decision matters because of what it does to the unit economics. By routing external agent actions through the same consumption meter, ServiceNow turns every Claude workflow, every third-party agent execution, into incremental Assist spend. The more agents an enterprise deploys from any provider, the more ServiceNow's meter runs. The governance layer and the monetization layer are the same thing.
The company's long-range target is $30 billion in subscription revenue by 2030, with AI representing more than 30% of ACV. If that target is achievable, a meaningful portion of the growth has to come from consumption driven by agents ServiceNow didn't build. Action Fabric is the infrastructure that makes that math work.
Governance follows execution
Governance accrues to whoever owns the execution surface. The company that controls where the action happens doesn't need to build the best security or identity product. It needs to be the place where the work runs, and then instrument that place with enough context to make real-time action-level decisions.
Security vendors can detect. Identity vendors can authenticate. Observability vendors can monitor. Governance, the ability to permit or deny a specific action in real time based on context, requires control of the point where the action actually happens.
ServiceNow's bet is that it already owns enough of the enterprise execution surface to claim the governance layer as a natural extension. The acquisitions (Armis for asset context, Veza for identity-to-permission mapping, Traceloop for agent observability) are the instrumentation. Action Fabric is the interface. The AI Control Tower is the decision engine. And the consumption model is the economic flywheel that aligns ServiceNow's revenue with the volume of governed agent actions, regardless of who built the agent.
The question this framework raises for every other player in enterprise AI governance is uncomfortable: if governance follows execution, then building a standalone governance product, one that observes and reports but doesn't control the execution path, is structurally disadvantaged. Think of the distance between being the customs office and publishing quarterly reports about what crossed the border.
The customs office analogy has limits worth naming. A customs office only works for goods that cross the border. Plenty of enterprise work runs through SAP, Oracle, Workday, Salesforce, and custom applications that ServiceNow doesn't touch. The governance-follows-execution thesis is strongest where ServiceNow's execution surface is deepest (IT service management, HR workflows, security operations) and weakest where it isn't. Those 30 enterprise integrations in the AI Control Tower's Discover dimension are an acknowledgment of this gap: ServiceNow can see AI assets deployed elsewhere, but seeing them and governing them at the point of execution are different capabilities.
What I'd bet on
I'll commit to something falsifiable.
Within 18 months, ServiceNow's AI Control Tower will be the default governance plane for agent execution in at least two of the three major cloud providers' agent frameworks (AWS, Azure, Google Cloud). The reasoning: the cloud providers' own governance tooling for third-party agents is fragmented and early-stage. Each has authentication and monitoring, but none has built the action-level governance layer that connects agent permissions to workflow execution and business context. Their enterprise customers, meanwhile, are already running ServiceNow for IT and HR workflows, and the free-year Control Tower offer is designed to get the governance catalog established before those customers build their own. The 30 enterprise integrations in the Discover dimension are the land-and-expand mechanism that puts ServiceNow's governance plane inside environments the cloud providers thought were theirs. The economic signal will be Assist consumption growth outpacing Now Assist seat growth by a factor of two or more, indicating that external agents are driving a meaningful share of platform usage.
The deeper prediction: the "where does the agent execute" question will overtake the "who built the agent" question that dominates current enterprise AI conversations, within two years. Identity will remain necessary for authentication, and governance will migrate to the execution layer. ServiceNow is positioning for that migration. If it happens, the company's current $15.7 billion subscription revenue base is the floor, because every new agent from every provider becomes a consumption event on ServiceNow's meter.
If the migration doesn't happen, if enterprises decide they want governance at the model layer or the identity layer instead, then ServiceNow spent over $10 billion on acquisitions that make it a very good security and risk platform but leave it short of the governance chokepoint for the agent economy. That's a fine outcome, but it's not the one the stock price is starting to reflect.
Real risks remain. The Armis and Veza integrations are weeks old, not years old. The Autonomous Security and Risk product was announced two weeks after the Armis acquisition closed. Assembling the architectural pieces and integrating them into a coherent governance plane that works at enterprise scale are different problems on different timelines. And the execution surface, while deep in IT service management and HR workflows, has genuine gaps in ERP, CRM, and custom application territory where other platforms own the border.
The structural bet is clear. Whether the execution surface is deep enough and the integration fast enough to make it work: that's the genuinely open question. But the pricing decision tells you ServiceNow has already placed the bet. The meter is running.
Things to follow up on...
- AI Control Tower GA timeline: The expanded five-dimension AI Control Tower enters Innovation Lab this month but general availability isn't expected until August 2026, which means the gap between the Knowledge 2026 announcement and what customers can actually deploy is roughly three months.
- Workday's competing governance bet: Workday's Agent System of Record, now generally available with over 1,200 customers registering agents, applies HR management logic to AI agents as "digital employees," a conceptually distinct approach to the same governance problem ServiceNow is solving through execution-layer control.
- Zscaler's access graph acquisition: Zscaler's intent to acquire Symmetry Systems, announced May 21, targets the same identity-to-data mapping capability that Veza brought to ServiceNow, which suggests the access graph is becoming a contested architectural layer across multiple enterprise platforms.
- Shadow MCP as emerging risk: Cloudflare Gateway now includes rules for detecting unauthorized MCP server connections across organizations, signaling that unsanctioned agent-to-tool connections are already common enough to warrant dedicated detection infrastructure.

