ServiceNow Security Rules

SquireX implements 29 security rule categories for ServiceNow AI Agents, covering the complete attack surface from agent tool configuration through data exfiltration, infrastructure trust, and supply chain integrity.

Rule Taxonomy

Rules use the SNOW-* namespace. Categories 1–27 are ported from their Agentforce equivalents for cross-platform consistency. Categories 28–31 are ServiceNow-native rules with no Salesforce equivalent.

Quick Reference

Category	Rule ID	Name	Severity
Tool Configuration	SNOW-1.1	Agent Tool Without Confirmation Gate	Critical
Script Safety	SNOW-2.1	Unsafe Script Pattern in Agent Tool	Critical
Grounding Security	SNOW-3.1	Grounding Source Without Classification	High
Structural Dependency	SNOW-4.1	Orphaned Agent Tool Reference	High
Flow Security	SNOW-5.1	Flow Action Without Input Validation	High
Flow Security	SNOW-5.2	Flow Running in System Context	Critical
Supply Chain	SNOW-6.1	Update Set Missing Agent Dependencies	High
Agent Architecture	SNOW-7.1	Agent Instruction Bloat	Medium
Prompt Poisoning	SNOW-9.1	Prompt Injection in Agent Instructions	Critical
Prompt Poisoning	SNOW-9.2	Inbound Email Triggers Agent Without Sanitization	Critical
DML Validation	SNOW-10.1	Agent DML Without Data Policy Guard	High
Scheduling	SNOW-11.1	Scheduled Job Invoking Agent Without Guardrail	High
Skill Kit	SNOW-12.1	Skill Kit Version Drift	High
Skill Kit	SNOW-12.2	Latent Memory Poisoning	Critical
Data Privacy	SNOW-13.1	Agent Accessing CMDB Without Privacy Guard	High
Virtual Agent	SNOW-14.1	VA Topic Without Input Sanitization	High
External Service	SNOW-15.1	Integration Spoke Without Cert Pinning	High
Role-Based Access	SNOW-16.1	Agent Action Without Role Gate	High
Multi-Agent	SNOW-18.1	Compositional Fragment Trap	High
Multi-Agent	SNOW-18.2	Yokohama Agent Duplication Sybil	High
Trigger Execution	SNOW-19.1	Business Rule Triggering Agent	High
Excessive Agency	SNOW-20.1	Agent Executing With Admin Privileges	Critical
Excessive Agency	SNOW-20.2	Role Masking Not Configured for Dynamic User	Critical
PII Leakage	SNOW-21.1	Agent Accessing Sensitive Table	Critical
PII Leakage	SNOW-21.2	Agent Accessing sys_attachment	High
SSRF	SNOW-22.1	Dynamic RESTMessageV2 Endpoint	Critical
Resource Exhaustion	SNOW-23.1	Unbounded GlideRecord Query	High
API Authentication	SNOW-24.1	API Without OAuth Scope Validation	High
MCP Access	SNOW-25.1	MCP Server Without Scope Constraints	High
Supply Chain	SNOW-26.1	Skill Namespace Shadowing	High
Runtime Drift	SNOW-27.1	Now Assist API Confirmation Bypass	Critical
ACL Script	SNOW-28.1	GlideRecord in ACL (Recursive Bypass)	Critical
ACL Script	SNOW-28.2	Agent Tool Using GlideRecord	High
ACL Script	SNOW-28.3	setWorkflow(false) in Agent Context	High
ACL Script	SNOW-28.6	addEncodedQuery Without User Context Restriction	High
Domain Separation	SNOW-29.1	Missing sys_domain Constraint	High
Scope Hygiene	SNOW-30.1	Cross-Scope Without Caller Access	High
Scope Hygiene	SNOW-30.2	Global Scope Agent Accessing Scoped Tables	High
Scope Hygiene	SNOW-30.3	Missing sys_scope Declaration	Medium
MID Server Trust	SNOW-31.1	Insecure MID Server Authentication	Critical
MID Server Trust	SNOW-31.2	MID Server Credential in Script	Critical
MID Server Trust	SNOW-31.3	Unencrypted MID Server Channel	High
MID Server Trust	SNOW-31.4	MID Server Without IP Allowlist	Medium

Regulatory Compliance Tagging

Every security finding identified by SquireX is automatically tagged with applicable regulatory compliance frameworks in the generated SARIF report. This enables immediate gap analysis for audit readiness and maps technical vulnerabilities to business risk.

Supported frameworks include:

EU AI Act (High-Risk classifications for autonomous agents)
NIST AI RMF (Risk Management Framework)
SOC 2 Type II (CC6 Logical/Physical Access Controls, CC7 System Operations)
HIPAA (PHI protection)
PCI DSS (Cardholder data environment security)
OWASP MCP Top 10 (Model Context Protocol risks)

{
  "properties": {
    "tags": ["security", "servicenow", "ServiceNow ACL"],
    "category": "ServiceNow ACL",
    "compliance": ["SOC2_CC6", "NIST_AI_RMF"]
  }
}

Ported Categories (SNOW-1 through SNOW-27)

These rules are the ServiceNow equivalents of Agentforce rules. The rule IDs intentionally mirror their Agentforce counterparts for cross-platform comparison.

SNOW-1 — Tool Configuration

Detects sn_aia_tool definitions configured for autonomous execution without user confirmation gates.

// ❌ Tool configured for autonomous execution
// sn_aia_tool: execution_mode = "autonomous", requires_confirmation = false

// ✅ Supervised tool with confirmation
// sn_aia_tool: execution_mode = "supervised", requires_confirmation = true

SNOW-2 — Script Tool Safety

Detects unsafe scripting patterns (eval(), GlideEvaluator, Packages.java, GlideSystemScript) in agent-accessible Script Includes.

// ❌ VULNERABLE — eval in agent tool script
var result = eval(inputs.expression); // RCE via prompt injection!

// ✅ SECURE — use structured logic
var calc = new AgentCalculator();
var result = calc.evaluate(inputs.operation, inputs.operands);

SNOW-3 — Grounding Security

Detects AI Search grounding sources and RAG configurations that lack data classification guards.

SNOW-4 — Structural Dependency

Detects orphaned or broken sys_id references in sn_aia_agent_tool_m2m records that cause silent reasoning failures.

SNOW-5 — Flow Security

See Flow Designer Scanning for detailed coverage.

SNOW-6 — Supply Chain / Update Set Hygiene

Detects Update Sets with missing dependencies, hash validation failures, and promotion drift.

SNOW-7 — Instruction Bloat

Detects sn_aia_agent definitions with instruction fields exceeding 4,000 characters.

SNOW-9 — Prompt Poisoning

Detects prompt injection vectors in agent instructions and inbound email action scripts (a classic injection path unique to ServiceNow).

SNOW-10 — DML Validation

Detects agent scripts performing insert/update/delete without Data Policy validation.

SNOW-11 — Autonomous Scheduling

Detects scheduled jobs invoking AI agents without execution guardrails.

SNOW-12 — Skill Kit Version Drift & Memory Poisoning

Detects sys_gen_ai_skill_applicability records with missing ACLs. See Flow Designer Scanning for details.

Also includes SNOW-12.2 (Latent Memory Poisoning), which analyzes sn_aia_memory table records for embedded instruction-injection payloads that persist across sessions.

SNOW-13 — Data Privacy / CMDB

Detects agent scripts accessing CMDB tables (cmdb_ci_*) where read access constitutes infrastructure topology disclosure.

// ❌ VULNERABLE — agent queries full CMDB topology
var gr = new GlideRecord('cmdb_ci_server');
gr.query(); // Exposes server names, IPs, network architecture

// ✅ SECURE — scoped access with field filtering
var gr = new GlideRecordSecure('cmdb_ci_server');
gr.setFields('name,sys_class_name');
gr.setLimit(20);
gr.addQuery('support_group', groupSysId);
gr.query();

SNOW-14 — Virtual Agent Channels

See Virtual Agent Scanning for detailed coverage.

SNOW-15 — IntegrationHub Spokes

Detects spoke configurations lacking certificate pinning or using basic authentication.

SNOW-16 — Role-Based Access

Detects agent scripts performing privileged operations without gs.hasRole() checks.

SNOW-18 — Multi-Agent Orchestration

Detects Sybil identity risks from shared tool references across multiple agents. Includes SNOW-18.2 (Yokohama Agent Duplication Sybil) which detects duplicated agents that share undecoupled tool mappings in Yokohama Patch 1.

SNOW-19 — Trigger Executions

Detects Business Rules that invoke AI agents, creating cascading BR→Agent→DML→BR chains.

SNOW-20 — Excessive Agency

Detects agents configured with admin role or scripts using elevated privileges. Includes SNOW-20.2 (Role Masking Cascade Validation) which validates that agents using Dynamic User identity mode have Role Masking properly configured to prevent unrestricted instance access.

// ❌ VULNERABLE — agent has admin role
// sn_aia_agent: execution_identity has role "admin"

// ✅ SECURE — least-privilege Role Masking
// sn_aia_agent: execution_identity has roles ["itil", "catalog"]
// Role Masking enabled to restrict to minimum required permissions

SNOW-21 — PII Leakage

Detects scripts accessing sensitive tables (sys_user, incident, hr_case, sys_attachment) without data privacy guards. See also SNOW-13 for CMDB-specific patterns.

SNOW-22 — SSRF

Detects sn_ws.RESTMessageV2 calls with dynamic endpoints derived from agent input.

SNOW-23 — Resource Exhaustion

Detects unbounded GlideRecord queries without setLimit() or chooseWindow().

SNOW-24 — API Authentication

Detects Scripted REST endpoints serving agent operations without OAuth entity scope validation.

SNOW-25 — MCP External Access

Detects MCP server configurations accessible to agents without scope constraints.

SNOW-26 — Namespace Shadowing

Detects duplicate tool/skill labels across scoped applications that confuse agent tool routing.

SNOW-27 — Runtime Drift

Detects Now Assist API paths that bypass tool confirmation requirements.

Net-New Categories (SNOW-28 through SNOW-31)

These rules address ServiceNow-specific attack surfaces with no Salesforce equivalent.

SNOW-28 — ACL Script Correctness

The highest-leverage ServiceNow security finding. GlideRecord in ACL scripts creates a recursive bypass — the access control check itself bypasses access control.

// ❌ CRITICAL — GlideRecord in ACL = recursive bypass
var gr = new GlideRecord('sys_user_has_role');
gr.addQuery('user', gs.getUserID());
gr.addQuery('role.name', 'admin');
gr.query();
answer = gr.next();

// ✅ CORRECT — use built-in ACL APIs
answer = gs.hasRole('admin');

Also includes SNOW-28.6, which detects use of addEncodedQuery() in agent-facing scripts where addUserEncodedQuery() should be used to restrict data to the active user's authorized context.

SNOW-29 — Domain Separation Drift

Detects scripts accessing records without sys_domain constraints in multi-domain instances.

SNOW-30 — Application Scope Hygiene

Detects cross-scope access without caller_access declarations and scope boundary violations.

SNOW-31 — MID Server / Discovery Trust

Detects insecure MID Server configurations including credentials in scripts, unencrypted channels, and missing IP allowlists.

Cross-Platform Rule Comparison

For organizations running both Salesforce Agentforce and ServiceNow Now Assist, the matched rule IDs enable unified security reporting:

Agentforce Rule	ServiceNow Rule	Shared Threat Model
AGENTFORCE-1.1	SNOW-1.1	Excessive Agency — missing confirmation
AGENTFORCE-2.1	SNOW-2.1	Script injection in agent tools
AGENTFORCE-20.1	SNOW-20.1	Admin privilege escalation
AGENTFORCE-21.1	SNOW-21.1	PII data exfiltration
AGENTFORCE-22.1	SNOW-22.1	SSRF via dynamic endpoints
—	SNOW-28.1	GlideRecord ACL bypass (SN-only)
—	SNOW-31.1	MID Server trust (SN-only)

Rule Taxonomy​

Quick Reference​

Regulatory Compliance Tagging​

Ported Categories (SNOW-1 through SNOW-27)​

SNOW-1 — Tool Configuration​

SNOW-2 — Script Tool Safety​

SNOW-3 — Grounding Security​

SNOW-4 — Structural Dependency​

SNOW-5 — Flow Security​

SNOW-6 — Supply Chain / Update Set Hygiene​

SNOW-7 — Instruction Bloat​

SNOW-9 — Prompt Poisoning​

SNOW-10 — DML Validation​

SNOW-11 — Autonomous Scheduling​

SNOW-12 — Skill Kit Version Drift & Memory Poisoning​

SNOW-13 — Data Privacy / CMDB​

SNOW-14 — Virtual Agent Channels​

SNOW-15 — IntegrationHub Spokes​

SNOW-16 — Role-Based Access​

SNOW-18 — Multi-Agent Orchestration​

SNOW-19 — Trigger Executions​

SNOW-20 — Excessive Agency​

SNOW-21 — PII Leakage​

SNOW-22 — SSRF​

SNOW-23 — Resource Exhaustion​

SNOW-24 — API Authentication​

SNOW-25 — MCP External Access​

SNOW-26 — Namespace Shadowing​

SNOW-27 — Runtime Drift​

Net-New Categories (SNOW-28 through SNOW-31)​

SNOW-28 — ACL Script Correctness​

SNOW-29 — Domain Separation Drift​

SNOW-30 — Application Scope Hygiene​

SNOW-31 — MID Server / Discovery Trust​

Cross-Platform Rule Comparison​