The ServiceNow MCP server lets Claude, Cursor, ChatGPT, and AI agents read incidents, query the CMDB, and update records in ServiceNow. Here's the official setup, the real security risks, and how to govern it with redaction at the MCP layer.
The ServiceNow MCP server is a Model Context Protocol implementation that exposes ServiceNow's platform — its tables, Now Assist Skills, and platform actions — as a standardized set of tools that external AI agents can call. Once connected, an agent like Claude can search incidents, read records across tables, query the CMDB, pull change and problem records, retrieve knowledge articles, and write back to the platform on the authenticated user's behalf. ServiceNow's own framing is that it "opens its full system of action to every AI agent in the enterprise" — headless, governed access for any MCP-aware client.
Refer to the official ServiceNow MCP Server Console documentation for the current tool catalog, OAuth flow, and role-based tool packages. The setup pattern matches every other MCP integration: a managed OAuth client, a connector entry in Claude (or another MCP client), and the server begins answering tool calls scoped to the authorizing user's roles.
From the user's perspective, the AI agent suddenly knows their ServiceNow instance — every open incident, every CI in the CMDB, every linked change. From the security perspective, the AI agent now has read access, and frequently write access, to the operational nerve center of the company.
That's the value. It's also exactly where security teams need a control layer.
With the ServiceNow MCP server live, an agent turns into a service-desk operator that never clocks out — reading incidents, querying the CMDB, and updating records as the user who authorized it. The everyday jobs it takes on:
Every one of those actions runs through ServiceNow's own API, role model, and the MCP Server Console's governance — which is what makes it genuinely useful, and exactly why the regulated and operational data it touches needs an inspection layer in the tool-call path.
ServiceNow is not a content store you occasionally connect an agent to. It is the system of record for IT operations, HR cases, security incidents, and customer service — and the data inside it is some of the most sensitive an enterprise holds. The risks fall into four categories every security team should price into the deployment.
1. ITSM tickets are full of PII. Incident, HR case, and customer-service records routinely carry employee names, home addresses, phone numbers, government IDs, and customer account details — often pasted into the short description and work notes verbatim. An agent that reads an incident reads all of it, and a table query returns it in bulk.
2. Secrets and credentials get pasted into incident notes. Engineers troubleshooting an outage paste connection strings, API keys, service-account passwords, and access tokens directly into work notes to share context fast. None of it is masked at rest. The MCP server returns those notes to the model as plain text the moment the agent reads the ticket.
3. The CMDB exposes your infrastructure topology. The configuration management database is a map of every server, application, database, and the dependencies between them — exactly the reconnaissance an attacker, or an over-broad agent, should never get in one shot. A single CMDB query hands the model the architecture of your environment.
4. One query can pull large sets of records. Table queries and Now Assist skills are not row-at-a-time. A loosely scoped request can return thousands of incidents or CIs across the platform in a single tool call, and write actions can create or mutate records — which is why writes need approval and reads need inspection.
The traditional DLP a company already runs — at the network edge, on the endpoint, inside ServiceNow's own data-policy rules — does not sit in the MCP path. The tool response goes straight from ServiceNow into the AI agent's context window. That reach is the whole point of the integration, and it is exactly why each agent's access and actions in ServiceNow must be governed: controlled (what it can reach and do), the sensitive data it touches protected, and every call audited. That is where Strac ServiceNow MCP DLP lives.
Strac's ServiceNow MCP DLP is the governance layer that sits between AI agents and the ServiceNow MCP server. Strac governs every tool call: it sees exactly what each agent reaches in ServiceNow, controls its actions (allow, block, or require approval on writes and bulk record pulls), protects the sensitive data it touches by redacting, masking, or vaulting it, and logs every call as audit evidence. Non-sensitive, in-policy calls flow through untouched.
What this looks like in practice:
The same Strac MCP DLP layer covers Jira MCP, Zendesk MCP, and other surfaces — one control plane across every place AI agents touch your regulated and operational data. For the full pattern, see the MCP DLP pillar.
MCP DLP protects the AI-agent surface. Strac's native ServiceNow DLP protects the direct-user surface — the same ServiceNow instance, but inspected at the point where humans open tickets, paste into work notes, attach files, and grant access. Most enterprises run both: native DLP for the user-driven actions, MCP DLP for the agent-driven actions. Together they cover every path sensitive data can take in and out of ServiceNow.
What Strac's native ServiceNow DLP includes:
For the broader integration catalog — every SaaS, cloud, browser, and endpoint surface Strac covers — see strac.io/integrations. To understand how this fits a discovery-first program, see DSPM for AI.
The screenshot below shows Strac's MCP DLP redacting sensitive data from a real Claude session — employee identifiers, customer emails, and a credential pasted into a ticket, all tokenized inline before the model received the prompt. The same inspection pattern runs on every ServiceNow MCP tool call routed through Strac.
Setup is agentless and takes under 10 minutes.
.webp)
json
"mcpServers": {
"servicenow": {
"url": "https://mcp.strac.io/servicenow",
"auth": { "type": "bearer", "token": "<your-strac-token>" }
}
}
For Cursor, OpenAI Agents, custom agents — same endpoint, same auth.The same Strac ServiceNow MCP DLP control produces evidence mapped to every major compliance framework.
For the broader AI-data-governance program this sits inside, see AI DLP.
The ServiceNow MCP server — delivered as the MCP Server Console in the Zurich release — is a Model Context Protocol implementation that lets external AI agents (Claude, Cursor, ChatGPT, Perplexity, custom agents) read and act inside ServiceNow via standardized tool calls. It's how an AI assistant gets governed access to incidents, records across tables, the CMDB, change and problem records, and knowledge articles, and can take write actions on the authorizing user's behalf.
Now Assist is ServiceNow's own generative-AI layer: skills and assistants that run inside ServiceNow and act on its data within ServiceNow's boundary. The ServiceNow MCP server points the other direction — it exposes ServiceNow (including Now Assist Skills surfaced as MCP tools) to external agents over the open Model Context Protocol, so the AI client your team already uses can read and act in ServiceNow. Now Assist keeps the agent inside ServiceNow's native guardrails; MCP lets any external agent reach in, and the tool response leaves those guardrails the moment it returns to the client. That hand-off is exactly where Strac ServiceNow MCP DLP inspects and redacts.
By itself, not without an additional governance layer. The MCP Server Console adds OAuth, role-based tool packages, and audit trails, but it still returns whatever the authorizing user can see — including employee and customer PII in tickets, credentials and secrets pasted into work notes, and CMDB topology. For enterprise use with regulated and operational data, you need an MCP-layer control like Strac ServiceNow MCP DLP that inspects, redacts, and gates every tool call before content reaches the AI model.
Two things ServiceNow concentrates that other systems don't: secrets pasted into incident work notes during live troubleshooting, and the CMDB. The work notes leak credentials no scanner caught at paste time; the CMDB hands an agent — or an attacker behind one — a full map of your infrastructure in a single query. Strac inspects both: it redacts pasted secrets inline and can mask or gate CMDB topology before it ever reaches the model.
ServiceNow's built-in protections operate at the storage and policy layer — data policies, ACLs, and the MCP Server Console's OAuth and audit features. None of those redact the content of a tool response in the MCP path. Strac is purpose-built for that path: it inspects every tool response before content reaches the AI agent's context window, with detection breadth (PII / PHI / PCI / secrets / credentials / source code / OCR-in-images) that goes well beyond native rule engines, plus approval gates on writes and bulk pulls.
Yes. Strac exposes a standard MCP gateway endpoint, so any MCP-aware AI client routes tool calls through it with one configuration change. No SDK changes, no application code changes.
PII (SSN, driver's license, passport, address, phone, email), PHI (clinical notes, MRN co-occurrence, ICD-10 codes adjacent to identifiers), PCI (full and partial card numbers via Luhn check), credentials and secrets (API keys, AWS / GCP / Azure access keys, connection strings, OAuth tokens, JWTs, SSH keys, private keys — 48+ patterns, the ones engineers paste into work notes), and custom detectors trained on your internal data classifications. Detection runs across text, files, images (OCR), and structured fields.
Yes. Strac produces a per-call audit log: timestamp, AI client identity, user, tool invoked, table or CI accessed, data classes detected, redactions applied, vault references, disposition — and high-risk writes and bulk pulls can require approval before they execute. The log is queryable in the Strac console and exportable to your SIEM. This is the evidence trail SOC 2, HIPAA, and GDPR auditors will ask about for AI-agent activity in ServiceNow.
Under 10 minutes for the first workspace. OAuth Strac into ServiceNow, paste the Strac MCP gateway endpoint into your AI client's config, pick a policy template, done. No agents to install, no ServiceNow re-permissioning, no application code changes.
The ServiceNow MCP server is rapidly becoming the way AI agents read into the system of record for IT, HR, security, and customer operations. That surface holds employee and customer PII, the credentials your engineers paste into tickets, and the CMDB map of your entire infrastructure. Running ServiceNow MCP in 2026 without an MCP-layer governance control is not a question of if the first incident reaches your security team; it's when.
Strac ServiceNow MCP DLP gives you the control plane, the redaction, the approval gates, and the framework-agnostic compliance evidence so you can let your team use ServiceNow with Claude, Cursor, ChatGPT, and any future AI client without making each one a separate security exception.
If you are running — or about to run — ServiceNow MCP in production, book a 30-minute demo. We'll walk through the architecture, the policy templates, and a deployment plan for your specific ServiceNow instance and AI clients.
For the broader MCP DLP control plane across every SaaS surface, see the MCP DLP pillar. For more SaaS-specific deep dives: Jira MCP, Zendesk MCP, Slack MCP, Salesforce MCP, Notion MCP, Google Workspace MCP.
.avif){kind=icon}
.gif)
