Content security in AI Search
Summary of Content Security in AI Search
AI Search within the ServiceNow AI Platform automatically filters search results based on the access rights of the logged-in user. This ensures that users can only view records they are authorized to access, providing robust content security without the need for additional configuration.
Key Features
- Indexed Security Features: Preserves role-based field-level ACLs, non-scripted and scripted table-level ACLs, before query business rules, domain separation, and user criteria for certain records.
- Early Binding: The default implementation that integrates security filters into the search query. It requires records to meet both the search criteria and pass all security filters.
- Late Binding: A fallback mechanism that post-filters results using the GlideRecord.canRead() method. It supports all indexed security features but is more resource-intensive.
- External Content Security: AI Search retains access permissions when processing external documents, allowing for user aliasing from ServiceNow to external groups.
Key Outcomes
By leveraging content security in AI Search, ServiceNow customers can expect:
- Enhanced data protection by ensuring users only see authorized content.
- Flexibility in managing search results through early and late binding security processes.
- Accurate representation of search results and counts, reflecting user permissions.
This functionality is crucial for maintaining compliance and ensuring that sensitive information is only accessible to appropriate users within the organization.
AI Search filters search query results and displays only records that the currently logged-in user can access.
Content security is automatically enabled and isn't configurable.
Indexed security features
- Role-based field-level access control list rules (ACLs)
- Non-scripted conditional ACLs
- Scripted table-level ACLs
- Before Query business rules
- Domain separation
- User criteria for records indexed from the Knowledge [kb_knowledge] and Catalog Item [sc_cat_item] tables
AI Search doesn't support scripted field-level ACLs or conditional field-level ACLs.
Early and late binding security implementations for search queries
At query time, AI Search filters search results by evaluating user access to indexed tables and records. The filtering implementation used depends on the security features present on tables and records that match the search query.
| Content security implementation | Description |
|---|---|
| Early binding | Default content security implementation that incorporates security filters into the search query. The system adds relevant security filters for the user to each search query. To appear in the search results, records must match the search query and pass all security filters. Early binding security supports non-scripted ACLs, Before Query business rules, and domain separation, plus user criteria for records indexed from the kb_knowledge and sc_cat_item tables. If a search matches records that have table-level scripted ACLs, the search query automatically falls back to use late binding security. Note: If an early binding filter produces an error, the search query automatically falls back to use late binding security. |
| Late binding | More computationally expensive alternate content security implementation that post-filters search query results. The system applies security filters to the search query just as early binding security does. After retrieving records that match the filtered query, it invokes the GlideRecord.canRead() method for each record. To appear in the search results, records must match the search query, pass all security filters, and return true for the API method. Late binding security supports all indexed security features. By default, late binding security serves as a fallback mechanism for early binding security. You can override this default behavior in the following ways:
If AI Search applies late binding security to any results from an indexed source used by a facet, the list of available filter selections for the facet changes. When this happens, the facet only displays field values found in the current page of search results. For details on facets, see Create a facet in an AI Search application configuration. When you enable search result counts for a search application, the counts indicate the number of results that matched the user's search. Late binding security can remove results after they’re counted, causing the actual number of displayed results to be lower than the count. For more information on result counts, see Display search result counts on the results page for a search application. |
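The following is an added example, not ServiceNow code: a small JavaScript model of the early and late binding behavior described in the table, showing why a result count can exceed the number of displayed results once late binding post-filters. The records, the user object, and the names `indexedFilters`, `scriptedTableAcl`, `canRead`, and `search` are constructed for illustration; `canRead` only stands in for `GlideRecord.canRead()`, and the model covers only the scripted table-level ACL fallback trigger.

```javascript
// Constructed model for illustration only; every name and record here is hypothetical.
const records = [
  { id: 1, table: 'kb_knowledge', text: 'vpn setup guide', domain: 'global', owner: 'alice' },
  { id: 2, table: 'kb_knowledge', text: 'vpn troubleshooting', domain: 'emea', owner: 'bob' },
  { id: 3, table: 'incident', text: 'vpn outage', domain: 'global', owner: 'bob' },
  { id: 4, table: 'incident', text: 'vpn slow', domain: 'global', owner: 'alice' },
  { id: 5, table: 'incident', text: 'printer jam', domain: 'global', owner: 'alice' },
];
const alice = { name: 'alice', domains: ['global'] };

// Security rules that can be expressed as query predicates
// (here: domain separation). Early binding adds these to the query.
const indexedFilters = [(user, r) => user.domains.includes(r.domain)];

// Tables carrying a scripted table-level ACL. A script cannot be folded
// into the query, so it has to be evaluated once per retrieved record.
const scriptedTableAcl = { incident: (user, r) => r.owner === user.name };

// Stand-in for GlideRecord.canRead(): full per-record evaluation.
function canRead(user, r) {
  const acl = scriptedTableAcl[r.table];
  return indexedFilters.every(f => f(user, r)) && (!acl || acl(user, r));
}

function search(user, term) {
  // Both implementations start from the security-filtered query.
  const matched = records.filter(
    r => r.text.includes(term) && indexedFilters.every(f => f(user, r)));
  // A match on a table with a scripted table-level ACL forces late binding.
  const mode = matched.some(r => scriptedTableAcl[r.table]) ? 'late' : 'early';
  // The count is taken from the filtered query, before any post-filtering.
  const count = matched.length;
  const shown = mode === 'late' ? matched.filter(r => canRead(user, r)) : matched;
  return { mode, count, ids: shown.map(r => r.id) };
}

console.log(search(alice, 'guide')); // early binding: count equals displayed results
console.log(search(alice, 'vpn'));   // late binding: count is higher than displayed
```

When testing a search application with result counts enabled, compare the reported count with the rows actually rendered for a low-privilege test user; a gap between the two is the late binding effect described above.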
Content security for external content
AI Search preserves access permissions when ingesting external documents. You can alias ServiceNow AI Platform users to the externally defined users and groups specified in these access permissions. AI Search constructs content security filters for external document records from these permissions and aliases.
To learn about using AI Search with external data sources, see Indexing and searching external content in AI Search. For full details on external content security, see External content security for AI Search.