ServiceNow Zurich makes the Now Platform agent native

ServiceNow’s Zurich release makes the Now Platform agent native with Build Agent, developer sandboxes, and agentic playbooks. Learn what shipped, how governance works, and a 30 day plan to ship real outcomes.

ByTalosTalos
AI Agents
ServiceNow Zurich makes the Now Platform agent native

Breaking: Zurich turns agents into first‑class citizens on ServiceNow

ServiceNow has flipped the default for enterprise automation. On September 10, 2025, the company announced the Zurich release, which bakes autonomous agents directly into the Now Platform with three pillars: Build Agent for vibe coding, developer sandboxes for safe iteration, and agentic playbooks that embed agents in real workflows across IT, HR, and CRM. The pitch is simple and bold: move from experiments to production on a stack you already govern. That claim is worth scrutiny, and it is backed by the official announcement that details what shipped and when. Read the high level specifics in the ServiceNow Zurich release announcement.

This review breaks down what launched, how it works, how it compares to bespoke agent stacks, and a clear path to ship measurable outcomes quickly.

What actually launched in Zurich

  • Build Agent for vibe coding: natural language in, production‑ready app components out. You describe a problem in plain English, and Build Agent proposes user stories, generates data models, logic, and tests, and shows diffs before you accept. It behaves like a junior developer you supervise rather than a chatty assistant.
  • Developer sandboxes: fully isolated development environments on top of your instance, with visibility and controls for admins. Each contributor can build, test, and integrate without stepping on one another’s work.
  • Agentic playbooks: a new class of playbook that embeds agents inside workflow steps. Think of your incident response, employee onboarding, or customer case resolution playbooks upgraded so agents can verify identity, draft communications, update records, and trigger downstream tasks while keeping humans in the loop when judgment is needed.
  • Built in guardrails: the release highlights ServiceNow Vault for data classification and protection, Machine Identity Console for controlling bot and API credentials, and the AI Control Tower for model and agent governance across the portfolio.

Why this matters now

The last 18 months have been dominated by proofs of concept and heroic demo videos. Executives are asking a different question: how do we put agents where the work and the data actually live, under the policies we already enforce. Zurich’s answer is to make agents a first class object on the platform, not a sidecar integration. That shift reduces integration fragility, centralizes risk controls, and shortens the path from idea to impact.

Build Agent explained with a simple metaphor

If low code is a power drill, vibe coding is a full crew showing up with tools, materials, and a plan. You say, “build a guest Wi‑Fi access app with approvals and a seven day expiration,” and Build Agent returns a working frame: the table structures, a form, the approval flow, reminders, and a test plan. You still inspect the build, add your compliance banner, change the approval step, and plug in the directory integration. The heavy lifting appears in minutes instead of days.

Under the hood, Build Agent uses retrieval augmented generation and reasoning to align with your environment, then wraps outputs in the governance model you already use for App Engine. That matters because your change management, roles, and audit trail do not get bypassed. You can accept, edit, or roll back with the same controls your platform team expects. For a product level view, see the Build Agent product overview.

How does this compare to code generation agents outside ServiceNow. The ethos is similar to GitHub’s direction where an AI acts like a teammate inside existing guardrails, not an all knowing oracle. If that framing resonates, you will appreciate the argument that an AI should be a teammate, not a tool when it touches production.

Where Build Agent shines

  • Greenfield on platform: assembling CRUD apps with approval flows, SLAs, and notifications is fast and auditable.
  • Standardized scaffolding: naming conventions, logging hooks, and test plans can be templated so new projects start consistent by default.
  • Collaborative review: diffs make it easy for a senior developer to approve only what meets standards.

Where to be cautious

  • Ambiguous requirements: vibe prompts that mix goals and edge cases can produce sprawling scaffolds. Keep prompts crisp and iterate.
  • Hidden dependencies: when agents touch legacy tables with brittle triggers, require extra review of generated logic.
  • Scope creep: it is tempting to let Build Agent generate adjacent features. Resist until the core workflow proves value.

Developer sandboxes: speed without collisions

Most enterprise platform teams know the pain of shared dev instances. One team refactors a table while another tunes a flow. In the afternoon a third team pushes a data policy that breaks both. Developer sandboxes aim to stop that constant step on each other by giving every builder an isolated space that mirrors production capabilities. Admins can allocate, reclaim, and monitor sandboxes, track resource use, and set policies for who can merge into shared environments.

Why this matters for agent work: agent behaviors can be unpredictable until guardrails are tuned. Sandboxes let teams iterate safely. You can test prompts, permissions, and fail safes against representative data without risking a flood of misrouted tickets or accidental customer emails.

Practical tips for sandboxes

  • Seed with synthetic data: mirror the shape and sensitivity of production without copying real PII.
  • Turn on verbose logging: capture prompt inputs, model choices, and agent actions for quick triage.
  • Set merge gates: require passing tests and manual approval for any change that touches identity, entitlements, or external messaging.

Agentic playbooks: from static steps to adaptable execution

Playbooks have long been a recipe for consistent work. Agentic playbooks add a sous chef. A traditional playbook might instruct a human agent to validate a user, reset a password, update the ticket, and notify the requester. An agentic playbook embeds an agent to do steps two and four automatically while the human handles identity checks and exceptions.

The real upgrade is the blend of automation and judgment:

  • Explicit triggers: schedule or event based, with clear preconditions.
  • Human decision gates: define where the agent acts and where it must defer.
  • Reusability: the same agentic step can be reused across playbooks. A “verify identity and mask sensitive fields” step can appear in HR onboarding, benefits changes, and access requests.
  • Auditability: every agent action is logged like any other platform change, so you avoid black box gaps.

Concrete examples

  • IT service management: for a spike in laptop returns, an agentic playbook can auto collect device diagnostics, create the return authorization, schedule a courier, and populate a post mortem template. A technician steps in only when hardware is out of warranty or the user is a high risk role.
  • HR service delivery: during offboarding, an agent cross checks assets, locks accounts, revokes entitlements in third party systems, and drafts the final notice for HR review. A human reviews tone and exceptions, then the agent executes.
  • Customer service management: for suspected fraud on a credit card, an agent verifies identity with step up authentication, freezes the card, initiates replacement, and sends a compliant notice. A human supervisor handles edge cases or escalations.

Governance and safety: what is different here

Agent projects stall when security and compliance teams see a tangle of ad hoc integrations, unknown models, and opaque logs. Zurich’s approach is to place governance in the platform layer instead of bolting it on project by project.

  • Data safety with Vault: discover, classify, and apply protection policies to sensitive data across workflows. That gives a defensible answer to where personal data lives and how it is protected.
  • Integration control with Machine Identity Console: treat every non human integration as an identity with clear authentication, authorization, and rotation rules. If an agent uses an outdated method, the console flags and helps remediate.
  • Oversight with AI Control Tower: central visibility for agents, prompts, models, and usage. Set provider controls, require approvals for model changes, and see which agents touched which records.
  • Change control and audit: Build Agent respects your existing processes. Every AI assisted change is previewed and tracked. Rollbacks and approvals happen within the same rails as any other release.

This is the crux of being agent native. Agents are not sidecars. They are first class entities in your platform, subject to the same policies as humans and systems. If you are aligning security with the identity team, you will find useful parallels in treating identity as policy code, as discussed in identity as the agent control plane.

Zurich versus bespoke agent stacks

There is nothing wrong with building a bespoke agent stack from libraries, vector databases, and orchestrators. It can be an excellent choice when you need a custom interaction model or when most of your work is off platform. But inside enterprises already running ServiceNow, Zurich changes the build calculus.

  • Single policy plane: identity, secrets, audit, and data classification are applied once. You do not need to replicate guardrails in five places.
  • Data proximity: your records, tasks, and catalog live on the platform. Agents act where the data and workflows are, which cuts latency and integration fragility.
  • Composable workflows: agentic steps become reusable building blocks. You avoid ad hoc glue code between an agent framework and your process engine.
  • Measurement baked in: you can log outcomes at the task, playbook, and service level without inventing new telemetry pipelines.
  • Faster trust building: platform native guardrails help security teams approve pilots faster. That reduces the time between first demo and first production use.

When should you choose a bespoke stack instead. Consider it if most actions occur in systems that are not on the Now Platform, if you require agent behaviors not yet supported by playbooks, or if you need specialized model hosting for regulatory reasons that the platform cannot meet today. If you anticipate orchestrating agents across multiple ecosystems, explore patterns for cross vendor agent orchestration so you do not paint yourself into a corner.

A step by step path to ship agent outcomes in 30 days

This plan assumes you have a functioning Now Platform team and a few willing business partners. Adjust the scope if your environment is more complex.

  1. Pick one service metric that hurts. Examples: mean time to resolution for a top incident category, average onboarding completion time, or cost per customer contact for a repeatable case type. Set a baseline from last quarter and define a concrete target such as 30 percent faster or 20 percent lower cost.
  2. Map a contained workflow. Choose a path with high volume and low regulatory risk. Document the steps and the systems touched. Identify where an agent can remove waiting or copy paste work without altering policy decisions.
  3. Set guardrails early. Involve security on day one. Define data access, redaction rules for prompts, and what the agent is allowed to do without approval. Register the project in AI Control Tower and set up Vault policies for the tables in scope.
  4. Stand up developer sandboxes. Give each contributor a sandbox that mirrors production. Seed them with representative synthetic data. Configure logs and a shared dashboard that surfaces agent actions, error rates, and rollbacks.
  5. Prototype with Build Agent. Describe the target workflow and let Build Agent generate the initial app elements. Review the diffs together, prune anything unnecessary, and enforce naming and logging standards. Treat Build Agent as a force multiplier, not an autopilot.
  6. Embed into an agentic playbook. Replace two to three manual tasks with agent steps. Keep humans on decision gates. Add guardrails such as rate limits, maximum changes per task, and mandatory previews for outbound messages.
  7. Instrument outcomes. Add telemetry to measure cycle time, handoffs avoided, and error correction rate. Configure a daily report that compares pilot metrics to the baseline and flags regressions.
  8. Test for failure modes. Use synthetic cases to stress edge conditions: incomplete information, duplicate records, and missing entitlements. Require one round of red team testing where a different group tries to make the agent misbehave safely in sandbox.
  9. Run a controlled pilot. Route 10 to 20 percent of eligible work through the agentic playbook for two weeks. Give agents human names in the system so observers can track actions. Hold twice weekly reviews to tune prompts and permissions.
  10. Decide to scale or stop. If you hit at least 70 percent of the target and risk is acceptable, expand to 50 percent of volume and brief leadership. If not, publish lessons learned and move to the next candidate workflow.

How to measure value without vanity metrics

Avoid counting prompts, tokens, or raw task counts. Instead, track what leaders care about and what customers feel.

  • Cycle time reduction: measure the end to end workflow, not just a substep. The customer or employee does not care how many tasks moved to an agent. They care that the outcome shows up faster.
  • First time right rate: measure the share of cases that finish without rework after the first agent pass.
  • Human minutes reclaimed: sample how much manual time was removed and where those minutes were reinvested.
  • Risk posture: count prevented policy violations, expired credentials remediated, and sensitive data retained inside policy. If governance improved, call it out.
  • Experience signals: track one or two survey questions that matter, such as satisfaction with resolution speed or clarity of communications. Use statistically valid samples instead of optional pop ups.

Practical guardrails and design patterns

  • Start with read and draft permissions. Let agents summarize and draft before they are allowed to update records or send communications. Promote privileges as confidence grows.
  • Constrain scope tightly. Limit which tables the agent can touch and cap batch sizes. Simple rules prevent runaway loops.
  • Reuse agentic steps. Extract useful agent actions into shared, versioned components so other teams do not reinvent them.
  • Keep the human in the decision loop. Let agents do the tedious work. Keep identity verification, policy exceptions, and tone sensitive communications with humans.
  • Document prompt contracts. Treat prompts like code. Version them, review them, and attach acceptance tests whenever possible.
  • Align with your identity team. Many failure modes trace back to inconsistent entitlements. The identity viewpoint on agents as first class identities is expanding fast, as covered in identity as the agent control plane.

What to watch next

Expect three fronts of rapid progress over the next two quarters.

  • Deeper playbook capabilities: more granular triggers, richer agent memory within a playbook run, and broader reuse across business units.
  • Model governance controls: finer per provider and per agent policies that make multi model fleets safer to operate in regulated environments.
  • Cross system agent actions: tighter packaged integrations so an agentic step can confidently transact across your primary systems without brittle custom glue. If your roadmap spans multiple ecosystems, study emerging patterns for cross vendor agent orchestration.

Bottom line

Zurich is the first time a major enterprise platform has brought vibe coding, safe iteration, and agentic execution under one roof and under one policy model. If you already run ServiceNow, the default answer for agent projects should be to start on platform. You will move faster, govern better, and measure outcomes more cleanly. Pick one workflow, install the guardrails, and give Build Agent a target. If the pilot works, scale the playbook and publish the results. If it fails, your logs will tell you why and your next attempt will be sharper.

The agent era will not be won by the flashiest demo. It will be won by teams that turn policy into code, wrap it in playbooks, and ship measurable improvements week after week. Zurich gives you a credible way to do exactly that, and the core capabilities are available now via the ServiceNow Zurich release announcement and the Build Agent product overview.

Other articles you might like

Agent Engine and A2A: Google makes cross vendor agents real

Agent Engine and A2A: Google makes cross vendor agents real

Google Cloud just made agent interoperability practical for enterprises. With Agent Engine, A2A, tracing, connectors, and streaming, teams can ship multi agent workflows across vendors with real controls and speed this quarter.

AI Agents
·Read more
Agent Bricks and MLflow 3.0: Turning Point for Enterprise AI

Agent Bricks and MLflow 3.0: Turning Point for Enterprise AI

Databricks unveiled Mosaic AI Agent Bricks and MLflow 3.0 with built-in evaluations, tracing, and governance. Learn why this stack changes production agents and how to build and ship across AWS, Azure, and GCP.

AI Agents
·Read more
Cloudflare’s Agents SDK and remote MCP bring edge-native AI

Cloudflare’s Agents SDK and remote MCP bring edge-native AI

Cloudflare’s new Agents SDK pairs with remote MCP servers, Durable Objects and Workflows to move agents from laptop demos to governed, low-latency production. See what shipped and how to deploy it with confidence.

AI Agents
·Read more
Okta turns identity into the control plane for AI agents

Okta turns identity into the control plane for AI agents

On September 25, 2025, Okta introduced Okta for AI Agents and Cross App Access, extending OAuth so enterprises can centrally authorize agent-to-app access. See what changed, who backs it, and how to roll it out.

AI Agents
·Read more
Figma’s MCP server plugs design systems into AI agents

Figma’s MCP server plugs design systems into AI agents

Figma’s remote MCP server lets agents and IDEs query components, tokens, styles, and usage rules directly from your design system. Expect cleaner handoffs, faster reviews, and automation that follows your standards.

AI Agents
·Read more
ChatGPT Agent is the first mainstream computer-using AI

ChatGPT Agent is the first mainstream computer-using AI

On July 17, 2025, OpenAI turned chat into computer use. ChatGPT Agent researches, clicks, and acts inside a virtual computer with narration and approvals. Explore strengths, limits, and how to put it to work.

AI Agents
·Read more
GitHub Copilot’s Coding Agent Hits GA: A Teammate, Not a Tool

GitHub Copilot’s Coding Agent Hits GA: A Teammate, Not a Tool

GitHub Copilot’s coding agent is now GA and ready to own end to end tasks. It plans changes, runs tests in isolated runners, opens draft PRs, and works within branch protections and review gates.

AI Agents
·Read more
Agentforce 3 shifts the AI race to control, scale, and trust

Agentforce 3 shifts the AI race to control, scale, and trust

Agentforce 3 reframes the AI platform race around control, scalability, and trust. With Command Center observability, native MCP interoperability, and automatic model failover, Salesforce pushes agents from demos to dependable digital labor.

AI Agents
·Read more
Amazon’s agentic Seller Assistant transforms SMB e-commerce

Amazon’s agentic Seller Assistant transforms SMB e-commerce

Amazon is evolving Seller Assistant into a permissioned agent that plans, executes, and reports across inventory, account health, compliance, and ads. See what changed on September 17, 2025 and why it matters for SMBs.

AI Agents
·Read more