Domain separation and Now Assist AI Agent Studio
Summarize
Summary of Domain separation and Now Assist AI Agent Studio
Domain separation in Now Assist AI Agent Studio enables ServiceNow customers to logically separate data, processes, and administrative tasks into distinct domains. This separation controls user access and visibility, enhancing data protection across AI agent configurations and conversations. It applies at both design time—when creating or updating AI agent workflows and components—and at run time during agentic conversations in various interfaces.
Show less
How Domain Separation Works
Domain separation is enforced by adding the sysdomain field to all AI agent tables and leveraging the sysdomainpath for domain hierarchy awareness. Process separation is managed via the sysoverrides column on domain-aware tables, allowing certain configuration tables to have domain-specific processes distinct from parent domains. This ensures that AI agents and workflows operate within their assigned domains, restricting access and visibility appropriately.
Design-Time Support
- AI agent workflows, agents, tools, and triggers can be created and updated with domain-specific settings.
- Administrators can assign domains to AI agent records, controlling who can access or modify them.
- Users can access AI agent records only if they belong to the same or a higher domain level.
Run-Time Support
- During agentic conversations on the Now Assist panel, web client, or other channels, the domain of the user the agent impersonates determines access.
- The domain visibility of agentic workflows is resolved based on the "Run as" attribute in the workflow trigger, ensuring domain-appropriate access during execution.
- When triggered on demand or via workflow triggers, domain enforcement ensures agents use configurations relevant to the triggered domain context.
Supported Domain Separation Features in AI Agent Studio
- Activation or deactivation of AI agents, workflows, and tools on a per-domain basis.
- Memory categories and properties (snaiaproperty) can be overridden per domain.
- Triggers can be overridden in different domains to customize behavior.
- Process separation is supported for configuration tables such as snaiaagentconfig and snaiausecaseconfigoverride.
Limitations
Details of AI agents and agentic workflows themselves cannot be overridden across domains, maintaining consistency in core agent definitions.
Practical Implications for ServiceNow Customers
Implementing domain separation in Now Assist AI Agent Studio helps ensure that AI agent configurations, conversations, and processes are securely partitioned across organizational boundaries. Customers can confidently manage multi-domain environments, controlling who sees which AI agent data and how agents behave according to domain-specific rules. This capability supports compliance, data privacy, and operational governance in complex ServiceNow instances.
Domain separation is supported for Now AssistAI Agent Studio. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.
Domain Separation Overview
Now Assist AI agents use basic domain separation capabilities to help protect your users' data. Domain separation support for AI agents is applied at design time and run time.
- Design-time support
- Refers to creating or updating agentic workflows, agents, tools, trigger configurations, and so on. AI agent configurations can be made domain-specific for individual agents and the actual agentic workflows. Administrators can apply specific domains to those records. Similar to other basic domain separations, records in the AI agents tables are accessible if the user belongs to the same or a higher domain than those records.
- Run-time support
- Refers to the agentic conversation on the Now Assist panel, web client, or any conversational channel. In the agentic conversations, the user that the agent impersonates functions as an agent with any AI agents who initiate the conversation on demand.
For example, if the conversation is happening via a trigger mentioned on the Run as field on the Trigger form of an agentic workflow. If the user that the agent impersonates belongs to the same or a higher
domain, that agent can access and use configurations that are associated with that domain.
The domain visibility for an agentic workflow is resolved during run time based on the Run as attribute in the agentic workflow trigger condition. For more information, see defining a trigger for an agentic workflow.
When an agentic conversation is triggered on demand, the domain visibility is applied to the particular agent in action. When an agentic conversation is initiated through a trigger, the domain visibility is applied to the user who resolves the caller (in an incident record where the Run as attribute is set to Caller), when the conversation runs against the incident record.
To understand more about the ServiceNow domain separation, see Exploring domain separation.
How domain separation works in Now Assist AI Agent Studio
Process separation is enabled through the use of the sys_overrides column in domain-aware tables. Any table that contains both the sys_domain and the sys_overrides fields can be configured to have different processes from the parent domain.
- sn_aia_agent_config
- sn_aia_usecase_config_override
- Agentic workflow discovery.
- AI agent and its tools can be active in the X domain and inactive in the Y domain.
- Memory category can be active in the X domain and inactive in the Y domain.
- sn_aia_property can be overridden in a different domain.
- Triggers can be overridden in different domain.