Using agentic AI workflows in Now Assist for Security Incident Response

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Using agentic AI workflows in Now Assist for Security Incident Response

    Agentic AI workflows in Now Assist for Security Incident Response enable autonomous task completion by AI agents within the ServiceNow Security Incident Response (SIR) environment. These workflows utilize role masking to control user access based on specific roles included with the Now Assist applications. Customers can configure security controls to manage which roles have access to these workflows.

    Show full answer Show less

    Access to features, generative AI skills, agentic workflows, and AI agents depends on your ServiceNow license tier. Some AI capabilities are enabled by default upon installation, with different behaviors for new and existing customers.

    Key Features

    • Role-based Access Control: Agentic workflows use role masking to ensure only authorized users can access and run AI workflows. Configuration of security controls is required if specifying custom roles.
    • Default Enabling of AI Assets: New customers get designated AI skills, agents, and workflows turned on automatically with Now Assist product installation. Existing customers retain their prior customizations.
    • Agentic Workflows for Security Incident Response: Several predefined workflows and AI agents support common SIR tasks:
      • Wrap up security incident: Assists analysts in closing security incidents using natural language interaction.
      • Analyze security operations metrics: Helps SOC managers evaluate analyst performance by generating metrics like case volume, MTTA, and MTTR.
      • Resolve security incident: Guides analysts in identifying resolution paths and closing incidents via natural language.
      • Generate SIR Shift Handover Report: Automatically populates shift handover reports with relevant security incident details.
    • Modification and Automation: Agentic workflows and AI agent records are read-only by default; to customize, duplicate the workflow. You can also add triggers for automatic invocation.
    • Additional AI Agents: Some agents installed with Now Assist may not be directly linked to workflows but are available for use.

    Practical Guidance for ServiceNow Customers

    • Review and configure role-based security controls to ensure appropriate access to agentic workflows.
    • Understand which AI workflows are enabled by default based on your customer status and license.
    • Leverage predefined workflows to enhance efficiency in incident closure, metrics analysis, resolution guidance, and shift reporting.
    • Duplicate and customize workflows as needed to fit your security operations processes.
    • Explore all available AI agents within Now Assist to maximize automation opportunities in Security Incident Response.

    Use the Security Incident Response AI agentic workflows to complete your tasks autonomously.

    Agentic workflows and their AI agents use role masking to determine which users can access them. Ones installed with Now Assist applications have specific roles that come included with the application. If you select Users with specific roles for user access, you must configure the security controls to include these roles. For the instructions to change the security controls, see Define security controls for an agentic workflow.

    Note:
    Depending on your license, you will have access to certain application features, generative AI skills, agentic workflows, and AI agents. For more information, see ServiceNow product tiers.
    Important:
    Some Now Assist skills, agents, and agentic workflows are turned on by default. The default behavior works as follows:
    New customers
    When you install a Now Assist product, designated skills, agents, or agentic workflows are turned on automatically.
    Existing customers who are upgrading (starting with Australia Patch 4)
    There is no change to skills, agents, or agentic workflows that are currently enabled and customized.

    An AI asset is turned on if:

    • The Now Assist plugin is installed, but the asset was never turned on.
    • An admin has never adjusted roles for the skill.
    An AI asset is not turned on if:
    • The asset was previously turned on, and then turned off again.
    • An admin has adjusted roles for the asset.
    Table 1. Available agentic workflows for AI agents for Security Incident Response
    Agentic workflow name Description Available AI agents
    Wrap up security incident This agentic workflow helps the security analysts to close a security incident using natural language in the Now Assist panel. Security incident wrap-up generator AI agent
    Analyze security operations metrics

    This agentic workflow helps a security operations center (SOC) manager analyze their security analysts' performance.

    Metrics are generated for security incident response (SIR) records for case volume, mean time to assign (MTTA), and mean time to resolve (MTTR).
    • Security incident retrieval AI agent
    • Security metrics analysis AI agent
    Resolve security incident This agentic workflow helps the security analysts to identify a security incident resolution path. This workflow also assist the security analysts to close a security incident using natural language in the Now Assist panel.
    • Security incident resolution AI agent
    • Exchange online integration handling AI agent
    • Security incident wrap up generator AI agent
    • Observable analysis AI agent
    • Security incident activities handling AI agent
    • EDR AI agent
    Generate SIR Shift Handover Report This agentic workflow adds details of a security incident to the shift handover report. The agent populates the different sections of the shift handover with appropriate content by identifying the relevant details from the security incident. Security incident shift handover AI agent
    Important:
    By default, all agentic workflows and AI agent records are read-only.

    To modify an agentic workflow, you must first duplicate the agentic workflow. If required, you can add a trigger to invoke the workflow automatically.

    There might be AI agents installed with the Now Assist application that are not used in agentic workflows. To learn how to see all agents that are available to you, see Find AI agents.