The Real Challenge of AI is Not Adopting It, But Governing It. We Discuss This with ServiceNow
The Evolving Landscape of AI
Artificial intelligence has moved beyond isolated trials. Enterprises no longer just ask to experiment with a chatbot, create a virtual assistant, or automate a single task. They want to understand how to integrate AI into processes, how to make it work alongside people, how to use it to reduce costs, and how to prevent it from creating new risks.
This is the picture that emerged at the ServiceNow AI Summit, the event organized by ServiceNow in Milan to discuss its strategy on agent-based AI, workflow orchestration, and cybersecurity. It's a less linear scenario than often portrayed. The market does not move at the same speed for everyone. Some companies already have established platforms, processes, and structures. Others are just starting and can build projects conceived specifically for artificial intelligence from scratch.
"The market moves at two speeds," explains Filippo Giannelli, Area VP for Italy & Israel, Country Leader Italy of ServiceNow. On one hand, there are companies that need to change their way of working, mindset, and internal processes. On the other, there are contexts where AI cannot wait for the lengthy timescales of change management, starting with cybersecurity. "Cyber does not wait," emphasizes Giannelli, because attackers do not wait for companies to complete their transformation.
Advantages of Starting from Scratch
The first issue is adoption. Companies already working with ServiceNow often have a solid foundation: they understand workflows, have structured processes, and have been working on automation and service management for years. This can facilitate the introduction of AI but does not eliminate the main problem: getting actual usage from people.
"[With AI agents] you can do whatever you want, but if agents are not used as intended, or if people do not understand how to interact with them, you lose the value entirely," explains Giannelli. Technology alone is not enough. A focus on corporate culture, skillsets, and how processes are reimagined is needed.
The paradox is that those starting from zero can move faster. Not because they have fewer problems, but because they can design the entire journey differently. AI is not merely integrated at the end of the project when the solution goes into production. It can be involved right from the analysis phase, cost estimation, Total Cost of Ownership evaluation, development environment setup, and validating possible approaches.
For Giannelli, this changes the implementation model: "AI is not just something you use at the end of a project. It's something you also use in analysis, estimation, and building the development environment." The result is a faster implementation. With the same costs, according to ServiceNow, it becomes possible to accomplish more tasks. For a new customer, the advantage is building processes and operations with a fresh mindset right away.
"Starting from scratch, especially with this mindset, can be a tremendous advantage," summarizes Giannelli. This is an important shift, as it overturns a traditional view of digital transformation. Past maturity helps, but it can also hinder if it forces the company to graft AI onto processes designed for another technological era.
Visibility, Cost, and Time Freed from Repetitive Tasks
What are Italian companies looking for when approaching these technologies? The answer is less futuristic than one might imagine: visibility and cost reduction. Before automating, companies want to understand what really happens in their processes. Where do bottlenecks arise? Which tasks consume time? Which steps can be eliminated, simplified, or moved to a common platform?
"Once I implemented ServiceNow, I understood all my business processes," shares Giannelli, recounting experiences of some clients. Visibility is not just an operational issue. It also impacts compliance and regulatory management, as it allows an understanding of who does what, where information is located, which steps are being performed, and with what responsibilities.
Then automation comes in. For businesses, the primary objective remains cost control. However, Giannelli avoids the more simplistic interpretation that AI is only used to cut jobs. The goal is to shift people towards higher-value activities, reducing the burden of repetitive tasks. "The salesperson must sell. The budget officer should focus on the budget. Those working on core activities must dedicate more time to core tasks."
In many companies, the opposite occurs: people invest a significant portion of their time on procedures, administrative steps, internal requests, updates, and coordination tasks. AI can reduce this dispersion, but only if integrated into a clear process model. Automating a single piece without changing what's surrounding it risks creating new inefficiencies.
Shadow AI as the New Shadow IT
The issue becomes even more delicate when adoption does not follow official channels. Giannelli highlights a phenomenon already visible in companies: shadow AI. Employees, managers, or functional teams use external AI tools, often because they are simpler or more immediate than corporate tools. The problem lies not in the use itself, but in the lack of governance.
"They may start inputting data they shouldn’t, asking questions they shouldn’t," explains Giannelli. In some cases, it involves seemingly innocuous activities: preparing a presentation, summarizing a document, writing a draft. In other cases, it enters a much riskier territory: creating automations, accessing corporate data, interacting with internal processes, agents acting without a regulated context.
Here, the parallel with shadow IT is evident, but the risk is broader. Unauthorized software can create security and compliance issues. An ungoverned AI agent might take actions, trigger workflows, create load on systems, make operational decisions, or alter a process without full visibility from IT.
This is why, according to ServiceNow, native governance over agents is necessary. It's not enough to tell employees what they shouldn't do. We need to provide adequate corporate tools, define guardrails, control data access, and have a centralized view of what is happening.
The Need for a Control Tower over Agents
Giannelli uses a concrete example from the Covid years. In one company, someone had created a small open-source RPA automation to book office spots during a period when access was limited. The intention may have seemed harmless. The result was not: the automation started generating load on the system as if tens of thousands of people were accessing it.
ServiceNow, explains Giannelli, was able to identify who created the automation, how it worked, and how to bring the system back under control. The same pattern can recur today with AI agents, but on a wider scale and with potentially more serious consequences. The Control Tower serves precisely this purpose: to classify agents, understand what they are doing, verify if they operate within corporate policies, and, if necessary, stop them. It’s not just a monitoring panel. It’s a governance level over automations that can originate inside and outside the traditional IT perimeter.
The integration with Armis, acquired by ServiceNow in April 2026, should be understood in this direction. Visibility involves not only applications and workflows but also managed and unmanaged devices. If a non-governed device enters the corporate perimeter and begins interacting with data or processes, it must be identified. The same applies to agents and automations. The boundary between cybersecurity, access management, device control, and AI governance is becoming increasingly blurred.
Cybersecurity Becomes Machine Against Machine
It's in security that the shift appears most pronounced. Companies can proceed gradually in adopting AI in administrative, commercial, or service processes. In cybersecurity, they do not have the same leeway. Attackers already utilize automation, artificial intelligence, and significant financial resources. Traditional defenses risk being unable to cope.
"Before, it was more or less man against man; now it’s machine against man," explains Giannelli. And if the attack moves at the speed of a machine, so must the defense. Hence the role of AI agents for broader protection, capable of observing what happens in systems, correlating signals, reacting more swiftly, and reducing attackers' advantages.
ServiceNow starts from a foundation already built on security operations, vulnerability management, risk management, and integrated risk management. With Armis and Veza, the ambition expands. The company does not want to limit itself to being a platform for orchestrating corporate workflows. It aims to become a more relevant player in cybersecurity, integrating processes, data, access, devices, and agents.
Giannelli recalls the company leadership's goal: to exceed 30 billion dollars in subscription revenue by 2030. In cybersecurity, the ambition, according to the manager, is to grow the business to over 10 billion dollars. While he does not comment on potential acquisitions, he confirms the direction: ServiceNow aims to become a strategic player in this market too.
Models, Geopolitics, and Orchestration
With Giannelli, we also touched on the topic of access to more advanced models and the differences between markets, geographical areas, and technological availability. The manager compares the current phase to the beginnings of electrification when access to energy was not uniform, and each territory moved at different paces. According to Giannelli, the market will tend to normalize these differences. Today, one model may be more powerful, accessible, or constrained than another. Tomorrow, a new one will arrive. Competition will push for broader and continuous availability. In this scenario, the role of the platform becomes orchestrating different models, not being tied to just one.
Business AI Cannot Grow Without Governance
What ultimately emerges from the ServiceNow event is that AI can accelerate projects, reduce costs, free up time from repetitive tasks, and make processes more visible. But without governance, it risks fueling new forms of digital disorder. Shadow AI is already inside companies. Agents can become powerful tools, but also automations out of control. Cybersecurity can no longer be managed with traditional timings and logics because attackers are already moving with automated tools. In this context, the platform is no longer just the place where a workflow is managed. It becomes the level from which to observe, control, and orchestrate the work of people, systems, and agents.