Blog

From ITSM to AI control tower: what ServiceNow’s Armis acquisition really means 

The enterprise software landscape witnessed a seismic shift in December 2025 as ServiceNow announced its agreement to acquire cybersecurity leader Armis for approximately $7.75 billion. This transaction represents ServiceNow’s largest acquisition to date and marks a definitive evolution for a company that began as an IT Service Management (ITSM) provider.  

By absorbing Armis, ServiceNow is positioning itself as an “Artificial Intelligence (AI) control tower” for business reinvention, signaling that cybersecurity is no longer a peripheral Information Technology (IT) function but the core of enterprise operational workflows. 

Reach out to discuss this topic in depth.   

The union of ServiceNow-Armis – From workflow engine to enterprise control plane 

At its core, the acquisition represents ServiceNow’s transition from a downstream workflow orchestrator to an upstream system of intelligence and control. The value lies not just in adding security capabilities, but in redefining ServiceNow’s role in the enterprise technology   stack. 

  • Moving upstream to become a dominant enterprise technology partner: ServiceNow has historically owned the workflow layer, operating as a system of action dependent on signals from other tools. With Armis, it moves upstream to own the source of truth for every physical and digital asset across the enterprise. This positions ServiceNow alongside Microsoft and SAP as a foundational enterprise platform, not just a workflow orchestrator  
  • A platform-led shift from tool sprawl to autonomous cyber-physical protection: By combining Armis’s best-in-class asset discovery, exposure intelligence, and Centrix capabilities with ServiceNow’s ubiquitous workflows, the platform reduces reliance on fragmented point tools such as legacy scanners and basic asset trackers. This integration enables a transition from reactive automation to autonomous detection and response across unmanaged Internet of Things (IoT) and Operational Technology (OT) environments, reinforcing ServiceNow’s positioning as a strategic cybersecurity shield for the entire cyber-physical attack surface 
  • A scalable platform-led play to combat cybersecurity tool sprawl: Enterprises are fatigued by fragmented security stacks. By bundling Armis’s best-in-class asset discovery and exposure intelligence with ServiceNow’s ubiquitous workflows, the company offers a platform alternative that can replace multiple point tools such as legacy scanners and basic asset trackers, strengthening long-term scale and stickiness 
  • Strengthening the AI Control Tower and “manager of agents” narrative: As enterprises deploy hundreds of AI agents across platforms, ServiceNow aims to be the governing layer that ensures these agents operate safely, compliantly, and with proper oversight. Armis provides the real-world context these agents lack, enabling the Control Tower to understand asset criticality and operational impact rather than acting on abstract signals alone  
  • Transforming Governance, Risk and Compliance (GRC) and Integrated Risk Management (IRM) into real-time operational resilience: Armis telemetry converts risk management from static audit snapshots into a live, continuously updated view of enterprise exposure. Embedded into ServiceNow IRM, this enables real-time risk scoring and elevates the value proposition from compliance reporting to operational resilience, changing the buyer focus from compliance managers to Chief Risk Officers (CROs) and the board
     

Armis’ opportunity from the deal 

For Armis, the acquisition marks a critical inflection point in its evolution and market reach. The company has successfully pivoted from a niche IoT and OT security specialist to a broader vulnerability and exposure management provider, allowing it to scale to critical mass.  

The next phase of growth, however, requires deeper penetration into large, complex enterprises. Becoming part of ServiceNow gives Armis direct access to a global enterprise customer base, significantly accelerating customer expansion and positioning its exposure management capabilities as a default layer within enterprise workflows rather than a standalone security tool.
 

Challenges for the deal 

Despite the strategic logic, execution risk remains. ServiceNow and Armis operates in distinct technical domains, one centered on workflow orchestration and the other on deep asset and exposure intelligence. Successfully integrating these capabilities into a unified, intuitive experience will be critical for mass adoption. ServiceNow must ensure that Armis’s technical depth is abstracted into consumable workflows without diluting its value, while delivering a seamless product experience that feels like a single platform rather than loosely connected components. 

Looking ahead 

For the industry, this acquisition validates asset intelligence as a core security function. Competitors are likely to respond by aggressively pursuing their own discovery and device intelligence acquisitions to avoid falling behind ServiceNow’s integrated “control tower” model. 

However, the path forward is not without risks. ServiceNow must carefully manage the integration of Armis’s technical depth while preserving the startup’s speed and innovation culture. If executed effectively, the combined platform will offer robust risk visibility and remediation that makes security an inherent part of the business workflow rather than an after-the-fact technical chore. 

If you enjoyed this blog, check out, ServiceNow’s CRM Launch and the Rise of the System of Execution – Everest Group Research Portal , which delves deeper into another topic relating to ServiceNow. 

To learn more or discuss this topic further, contact: Kumar Avijit ([email protected]), Arjun Chauhan ([email protected]) and Praharsh Srivastava ([email protected]).