ServiceNow's Virtual Agent Vulnerability Shows Why AI Security Needs Traditional AppSec Foundations
Blog post from Snyk
In October 2025, a critical vulnerability in ServiceNow's Virtual Agent was discovered, showing that securing AI-driven systems starts with fixing fundamental application security issues. The vulnerability, uncovered by AppOmni's research team, combined broken API authentication, inadequate identity verification, and excessive agent privileges, allowing attackers to take over the platform using just an email address. The incident reflects a broader industry trend: AI agents are now primary API consumers, and they amplify traditional flaws such as broken authentication and authorization, turning them into full platform compromises. It stresses the need for a security strategy that combines foundational application security, threat modeling, dynamic application security testing (DAST), and AI red teaming, so that both traditional vulnerabilities and AI-specific risks are covered. The response to this incident also shows that organizations need complete visibility into what their AI agents do and what they can access in order to secure them against future vulnerabilities.