Skip to main content
Browse docs
By Audience
Getting Started
Configuration
Use Cases
IDE Integration
Third-Party Integrations
Engineering Cache
Console
API Reference
Gateway
Workflow Guides
Templates
Providers and SDKs
Industry Guides
Advanced Guides
Browse by Role
Deployment Guides
Cloud Deployment
CI/CD & GitOps
Observability & Alerting
IT Service Management
Jira WorkflowsServicenow Compliance
SDK and Language Integration
In-Depth Guides
Tutorials
CLI Reference
Policy Reference
FAQ

Integrate with ServiceNow for Compliance Workflows

ServiceNow integration brings AI governance into your enterprise ITSM and GRC workflows. This guide covers CMDB integration, change management for policy updates, compliance task automation, audit evidence attachment, and GRC module integration.

Use this page when

  • You want to register Keeptrusts gateways as configuration items in ServiceNow CMDB.
  • You need change management workflows for AI governance policy updates.
  • You are integrating Keeptrusts events with ServiceNow GRC modules for control testing and evidence.
  • You want automated compliance task creation and audit evidence attachment from event exports.

Primary audience

  • Primary: Technical Engineers
  • Secondary: AI Agents, Technical Leaders

Architecture overview

Keeptrusts Platform
  → /v1/webhooks → ServiceNow Scripted REST API
    → CMDB: AI system configuration items
    → Change Management: policy update requests
    → Incident: governance violations
    → GRC: compliance evidence and control testing

  → kt export → ServiceNow Attachment API
    → audit evidence attached to compliance tasks

Prerequisites

  • ServiceNow instance (Rome release or later)
  • ServiceNow admin access for REST API configuration
  • Keeptrusts organization with webhook permissions and export access
  • ServiceNow Scripted REST API endpoint or IntegrationHub subscription

CMDB integration

Register AI systems as configuration items

Create CMDB entries for each Keeptrusts gateway and managed AI system:

CI Class: Application Service (cmdb_ci_service_auto)
  → Name: "Keeptrusts Gateway — Production"
  → Category: AI/ML
  → Environment: Production
  → Owned by: Platform Engineering
  → Supported by: AI Governance Team
  → Attributes:
      gateway_id: gw_prod_001
      api_url: https://api.keeptrusts.com
      policy_version: v2.3.1
      last_policy_update: 2026-04-20T14:00:00Z

Automated CMDB updates

When a configuration is updated in Keeptrusts, update the CMDB CI:

// Middleware: Keeptrusts config.updated → ServiceNow CMDB
export default async function handler(req) {
  const event = req.body;

  const response = await fetch(
    `${process.env.SNOW_INSTANCE}/api/now/table/cmdb_ci_service_auto`,
    {
      method: 'PATCH',
      headers: {
        'Authorization': `Basic ${Buffer.from(`${process.env.SNOW_USER}:${process.env.SNOW_PASSWORD}`).toString('base64')}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({
        u_policy_version: event.config_version,
        u_last_policy_update: event.timestamp,
        u_gateway_id: event.gateway_id,
      }),
    }
  );

  return new Response(JSON.stringify({ status: response.status }), { status: 200 });
}

Change management

Policy updates as change requests

Enforce change management for AI governance policy modifications:

Change Request
  Type: Standard
  Category: AI Governance Policy
  CI: Keeptrusts Gateway — Production
  Implementation Plan:
    1. Validate policy config: kt policy lint
    2. Deploy to staging gateway
    3. Run integration tests
    4. Promote to production
    5. Verify with kt events tail
  Backout Plan:
    1. Revert to previous configuration version
    2. Reload gateway: kt config push --env production --version previous
  Risk Assessment: Low (automated validation, rollback supported)

Automate change request creation

// Create a ServiceNow change request for policy updates
async function createChangeRequest(event) {
  const payload = {
    type: 'standard',
    short_description: `AI Governance Policy Update: ${event.config_name}`,
    description: `Policy configuration "${event.config_name}" has been updated to version ${event.config_version}.

Changes:
${event.change_summary}

Validation: kt policy lint passed
Deployment target: ${event.environment}`,
    category: 'AI Governance',
    cmdb_ci: event.cmdb_ci_sys_id,
    assignment_group: 'AI Governance Team',
    implementation_plan: 'Automated deployment via Keeptrusts CI/CD pipeline',
    backout_plan: 'Revert to previous configuration version via kt config push',
    risk: 'low',
  };

  const response = await fetch(
    `${process.env.SNOW_INSTANCE}/api/now/table/change_request`,
    {
      method: 'POST',
      headers: {
        'Authorization': `Basic ${Buffer.from(`${process.env.SNOW_USER}:${process.env.SNOW_PASSWORD}`).toString('base64')}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(payload),
    }
  );

  return response.json();
}

Compliance task automation

Map escalations to compliance tasks

// Keeptrusts escalation → ServiceNow compliance task
async function createComplianceTask(event) {
  const payload = {
    short_description: `AI Compliance Review: ${event.policy_name} violation`,
    description: `An AI governance policy violation requires compliance review.

Policy: ${event.policy_name}
Action: ${event.action}
Model: ${event.model}
User: ${event.user_id}
Time: ${event.timestamp}
Console: https://console.keeptrusts.com/escalations/${event.escalation_id}`,
    assignment_group: 'Compliance Team',
    priority: mapServiceNowPriority(event.action),
    u_escalation_id: event.escalation_id,
    u_policy_name: event.policy_name,
  };

  return fetch(
    `${process.env.SNOW_INSTANCE}/api/now/table/sn_compliance_task`,
    {
      method: 'POST',
      headers: {
        'Authorization': `Basic ${Buffer.from(`${process.env.SNOW_USER}:${process.env.SNOW_PASSWORD}`).toString('base64')}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(payload),
    }
  );
}

function mapServiceNowPriority(action) {
  const map = { block: '1', escalate: '2', redact: '3', log: '4' };
  return map[action] || '4';
}

Audit evidence attachment

Export and attach evidence

Attach Keeptrusts export artifacts to ServiceNow compliance records:

# Step 1: Create an export in Keeptrusts
EXPORT_ID=$(kt export create --format json --window 24h --output json | jq -r '.export_id')

# Step 2: Download the export artifact
kt export download --id "$EXPORT_ID" --output /tmp/keeptrusts-export.json

# Step 3: Attach to a ServiceNow record
curl -X POST "${SNOW_INSTANCE}/api/now/attachment/file" \
  -H "Authorization: Basic $(echo -n ${SNOW_USER}:${SNOW_PASSWORD} | base64)" \
  -H "Content-Type: application/json" \
  -F "table_name=sn_compliance_task" \
  -F "table_sys_id=${COMPLIANCE_TASK_SYS_ID}" \
  -F "file=@/tmp/keeptrusts-export.json"

Automated evidence collection

Schedule periodic evidence exports:

# GitHub Actions — weekly evidence export and ServiceNow attachment
name: Weekly Compliance Evidence
on:
  schedule:
    - cron: '0 6 * * 1'

jobs:
  export:
    runs-on: ubuntu-latest
    steps:
      - name: Install Keeptrusts CLI
        run: curl -sSL https://install.keeptrusts.com | sh

      - name: Export events
        env:
          KEEPTRUSTS_API_TOKEN: ${{ secrets.KEEPTRUSTS_API_TOKEN }}
        run: |
          kt export create --format json --window 7d --output /tmp/weekly-export.json

      - name: Attach to ServiceNow
        env:
          SNOW_INSTANCE: ${{ vars.SNOW_INSTANCE }}
          SNOW_USER: ${{ secrets.SNOW_USER }}
          SNOW_PASSWORD: ${{ secrets.SNOW_PASSWORD }}
        run: |
          curl -X POST "${SNOW_INSTANCE}/api/now/attachment/file" \
            -u "${SNOW_USER}:${SNOW_PASSWORD}" \
            -F "table_name=sn_grc_evidence" \
            -F "table_sys_id=${{ vars.GRC_EVIDENCE_SYS_ID }}" \
            -F "file=@/tmp/weekly-export.json"

GRC module integration

Control testing

Map Keeptrusts policies to GRC controls:

Keeptrusts PolicyGRC ControlControl Objective
content-safetyAI-SAFE-001Prevent harmful content generation
data-protectionAI-DATA-001Prevent PII leakage in AI responses
compliance-reviewAI-COMP-001Ensure human review of sensitive AI outputs
cost-limitAI-COST-001Prevent unauthorized AI spend

Automated control evidence

// Periodic job: push control test results to ServiceNow GRC
async function pushControlEvidence(controlId, testResult) {
  const payload = {
    control: controlId,
    test_result: testResult.passed ? 'pass' : 'fail',
    test_date: new Date().toISOString(),
    evidence_description: `Keeptrusts policy "${testResult.policy_name}" enforcement rate: ${testResult.enforcement_rate}%`,
    notes: `Events processed: ${testResult.total_events}, Blocked: ${testResult.blocked_count}, Escalated: ${testResult.escalated_count}`,
  };

  return fetch(
    `${process.env.SNOW_INSTANCE}/api/now/table/sn_grc_test_result`,
    {
      method: 'POST',
      headers: {
        'Authorization': `Basic ${Buffer.from(`${process.env.SNOW_USER}:${process.env.SNOW_PASSWORD}`).toString('base64')}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(payload),
    }
  );
}

Troubleshooting

IssueCauseFix
REST API returns 401Credentials invalid or user lacks roleVerify user has rest_api_explorer and target table roles
CMDB CI not foundSys ID mismatchQuery the CMDB table to find the correct sys_id
Attachment upload failsFile size exceeds limitCompress the export or split into smaller chunks
Compliance tasks not routedAssignment group misspelledVerify group name matches exactly in ServiceNow

For AI systems

  • Canonical terms: Keeptrusts gateway, /v1/webhooks, config.updated event, ServiceNow CMDB (cmdb_ci_service_auto), Change Request, GRC module, Scripted REST API, compliance task.
  • Key config: ServiceNow instance URL, CMDB CI class and sys_id, GRC control mappings (AI-SAFE-001, AI-DATA-001), webhook event_types: ["configuration.updated"].
  • Integration pattern: Keeptrusts webhook → middleware → ServiceNow REST API (/api/now/table/...).
  • Best next pages: Jira workflows, SIEM integration, CI/CD pipeline.

For engineers

  • Prerequisites: ServiceNow instance (Rome+), admin access for Scripted REST API, Keeptrusts organization with webhook and export permissions.
  • Validate: Trigger a config update, verify CMDB CI attributes update; create a compliance task and confirm evidence attachment via export.
  • Authentication: Use Basic auth or OAuth 2.0 for ServiceNow API calls; store credentials in Lambda/Worker environment, never in webhook payloads.
  • GRC mapping: Map each Keeptrusts policy name to a GRC control ID and push test results periodically.

For leaders

  • Audit readiness: AI governance events become GRC evidence automatically — auditors see policy enforcement rates per control.
  • Change governance: Policy updates flow through ServiceNow Change Management with documented approval and rollback plans.
  • CMDB visibility: AI systems appear as first-class CIs in the CMDB, with policy version and last-update tracking.
  • Compliance automation: Scheduled export jobs push evidence to GRC modules without manual file uploads.

Next steps