Prompt-injection scanner for ServiceNow AI
ServiceNow's AI layer — Now Assist for ITSM, Virtual Agent AI, and custom ML Hub integrations built with Flow Designer — increasingly processes image attachments directly inside ITSM workflows. When a user attaches an error screenshot to an incident, a field technician photographs a work site, or an external email arrives with an inline product-defect image, downstream AI models receive those images as trusted inputs. They are not. Any image submitted through an incident, a Virtual Agent conversation, an FSM work order, or an inbound email can carry adversarial pixel-level instructions that redirect Now Assist summarisation, corrupt AI-driven priority classification, or manipulate automated resolution logic. ServiceNow's built-in AI guardrails focus on text output moderation — they perform no pixel-level multimodal prompt injection scanning on image inputs. Glyphward's /v1/scan API fills that gap: a single HTTP call from Flow Designer, taking under 200 ms, returns a 0–100 risk score that lets you block, flag, or quarantine adversarial attachments before they reach any vision model.
TL;DR
In the Flow Designer flow that processes image attachments — whether for Now Assist incident summarisation, ML Hub classification, or a custom Azure OpenAI call — add a Glyphward Glued Action immediately after the attachment retrieval step. The action fetches the attachment via GET /api/now/attachment/{sys_id}/file, base64-encodes the bytes, sends them to POST https://glyphward.com/v1/scan, and returns scan_score, scan_id, and a blocked boolean (true when score ≥ 65). Branch on blocked == true to add a work note and skip the LLM call. Free tier — 10 scans/day, no card required.
Why ServiceNow AI image inputs are an unscanned attack surface
Now Assist processes incident attachment images when a vision model is configured. Now Assist for IT Service Management can summarise incidents — their description, comments, and in supported configurations, attached screenshots. When an organisation integrates a vision-capable LLM (such as GPT-4o via an ML Hub spoke, or an Azure OpenAI deployment wired through the IntegrationHub HTTP step) into the Now Assist summarisation pipeline, any image attachment on that incident becomes an input to the vision model. The attachment was created by whoever submitted the incident: an internal employee, a VIP user, a managed service provider, or — via email-to-incident ingestion — an entirely external party. None of these submitters are vetted for adversarial intent, and ServiceNow performs no pixel-level analysis of the attachment before it reaches the model.
Virtual Agent AI accepts image uploads directly from portal users. ServiceNow Virtual Agent conversations on the Service Portal and Employee Center can be configured to accept file and image uploads from end users. When a topic conversation routes an uploaded image to an NLU or LLM backend for intent classification, product defect categorisation, or error code lookup, the image enters the AI pipeline directly from the user's browser. In environments where the Service Portal is accessible to external customers — HR portals, IT self-service portals with guest access, or partner-facing portals — the image source is fully external and completely untrusted.
Custom ML Hub integrations have no gating layer at all. Many ServiceNow platform engineers build bespoke AI workflows using Flow Designer's REST step or custom Scripted REST API integrations that call external vision LLMs — OpenAI, Azure OpenAI, Anthropic Claude — with incident attachment images for classification, priority routing, auto-resolution detection, or parts identification in FSM. These integrations are built by the customer's development team, and the AI security posture of those flows is entirely the developer's responsibility. ServiceNow provides no platform-level input scanning for REST calls made from these flows.
Email-to-incident ingestion exposes the attack surface to anyone who can send an email. ServiceNow's inbound email processing creates incidents from support emails and carries inline images and attachments from those emails directly into the incident record. If an AI workflow processes those attachments — a common pattern for automated triage of customer defect reports, field service dispatch, or IT alert correlation — the image input to the AI model originated from an arbitrary external email sender. No authentication or trust relationship governs who can send an adversarial image into this pipeline.
ServiceNow Document Intelligence (SWDI) is equally exposed. The Document Intelligence module uses AI to extract structured field values from uploaded document images — invoices, purchase orders, contracts. The extraction model receives the document image as its primary input. An adversarially crafted document can instruct the extraction model to return manipulated field values: a different vendor name, an inflated invoice total, or a different GL code. SWDI has no built-in pixel-level input scanning for adversarial document images.
Attack scenarios in ITSM AI workflows
Scenario 1 — Incident priority manipulation via screenshot. A user submits an error screenshot as an attachment to an IT incident. The screenshot appears to show a legitimate application error, but embedded within the image — in low-contrast typographic overlays or pixel-encoded text imperceptible to human reviewers — is an instruction directing the Now Assist AI summariser to classify the incident as Priority 1 / Critical regardless of actual severity. The AI summarises the incident as a P1 outage and triggers all associated escalation workflows: on-call paging, major incident bridges, executive notifications, and SLA critical-breach counters. Legitimate P1 incidents are buried in noise as the AI floods the P1 queue. Incident managers lose confidence in AI-assisted triage and must manually review every AI-generated priority assignment.
Scenario 2 — SLA bypass via resolution instruction injection. A support user attaches a "system failure" screenshot to a request incident. The image instructs the vision AI model processing the attachment to mark the incident as "resolved" with resolution code "User Error — no action required," closing the ticket automatically before any technician investigates. The SLA timer resets at incident close, erasing any breach that was accumulating. The user's actual problem remains unsolved. Depending on ServiceNow workflow configuration, a Business Rule or Flow Designer condition on incident state change may trigger automated email to the user stating the issue is resolved — further concealing the manipulation from the IT team. The attack can be used systematically to suppress SLA breach statistics, masking chronic IT problems from management reporting.
Scenario 3 — Field service work order completion fraud. A field service technician — or an external contractor submitting completion evidence via the ServiceNow Field Service Mobile app — photographs a work site and attaches the photo to an FSM work order. The photo is adversarially crafted: it depicts the work site normally to human reviewers, but contains embedded pixel-level instructions directing the AI completion-verification model to record the work as complete and approved. The downstream Flow Designer automation triggers work order closure and dispatches the payment authorisation webhook before any human sign-off on the actual work quality. Incomplete repairs, improperly installed equipment, or unfinished cable runs are certified as complete by the AI, with the organisation's own ServiceNow instance generating the approval record.
Scenario 4 — Email attachment injection from external senders. A malicious external party — a customer, a vendor, or an attacker with knowledge of the organisation's support email address — sends a support email with an adversarially crafted image attachment: an error screenshot, a product photo, or an invoice image. ServiceNow's inbound email processing creates an incident record with the attachment. The AI workflow that processes new incident attachments for automated triage or classification picks up the image and executes the embedded instructions. The attacker needs no ServiceNow account, no portal access, and no knowledge of internal workflow structure — only the organisation's support email address, which is typically published publicly. This is the broadest attack surface in the entire ServiceNow AI deployment: the entry point is unauthenticated and externally reachable by design.
Integration: Flow Designer HTTP step + Business Rule
```javascript
// ============================================================
// GLUED ACTION: "Glyphward Image Scan"
// Action Designer > New Action
// Category: Security
// ============================================================

// --- Input Variables ---
//   image_sys_id (String) — sys_id of the sys_attachment record

// --- Step 1: HTTP Step — Fetch attachment bytes from Attachment API ---
//   Method: GET
//   URL: https://<instance>.service-now.com/api/now/attachment/${image_sys_id}/file
//   Authentication: ServiceNow OAuth / Basic (use Connection Alias: "ServiceNow Internal")
//   Headers:
//     Accept: application/octet-stream
//   Response Type: binary
//   Output variable: attachmentBytes (Binary / Blob)

// --- Step 2: Script Step — Base64-encode attachment bytes ---
//   Name: Encode attachment to base64
(function execute(inputs, outputs) {
    var attachmentBytes = inputs.attachmentBytes;
    // GlideStringUtil.base64Encode handles binary byte arrays on the Now Platform
    var b64 = GlideStringUtil.base64Encode(attachmentBytes);
    outputs.imageBase64 = b64;
})(inputs, outputs);
//   Output variable: imageBase64 (String)

// --- Step 3: HTTP Step — Call Glyphward /v1/scan ---
//   Method: POST
//   URL: https://glyphward.com/v1/scan
//   Connection Alias: "Glyphward API" (define in Connections & Credentials)
//   Headers:
//     Content-Type: application/json
//     Authorization: Bearer ${glyphward_api_key}
//   Request Body (JSON):
//     {
//       "image": "${imageBase64}",
//       "context": "servicenow-incident-attachment"
//     }
//   Response Type: JSON
//   Output variable: scanResponse (Object)

// --- Step 4: Script Step — Parse scan response and set output variables ---
(function execute(inputs, outputs) {
    // Guard against an empty response so the property reads below cannot throw
    var resp = inputs.scanResponse || {};
    // A missing score defaults to 0 and therefore passes the gate; failed scan
    // calls must be caught by the HTTP step's error handling
    var score = resp.score || 0;
    var scanId = resp.scan_id || '';
    outputs.scan_score = score;
    outputs.scan_id = scanId;
    // Block threshold: score >= 65 triggers quarantine
    outputs.blocked = (score >= 65);
})(inputs, outputs);
//   Output variables: scan_score (Integer), scan_id (String), blocked (Boolean)

// ============================================================
// FLOW DESIGNER CONDITION — after "Glyphward Image Scan" action
// ============================================================
// Condition: [Glyphward Image Scan] > blocked is true
//
// TRUE branch — add work note and exit without LLM call:
//   "Update Record" step on the incident:
//     Work notes: "Image attachment blocked by security scanner
//                  (scan_id: ${Glyphward Image Scan.scan_id}).
//                  Contact submitter to resubmit without
//                  adversarial content."
//     (Optional) Set Incident.assignment_group = "Security Review Queue"
//   End flow / do not proceed to Now Assist or ML Hub step
//
// FALSE branch — proceed to vision LLM call as normal
//   (Next step: ML Hub spoke / Azure OpenAI HTTP step / etc.)

// ============================================================
// BUSINESS RULE ALTERNATIVE — simpler on-platform gating
// Table: sys_attachment
// When: Before Insert
// Condition: (current.table_name == 'incident') &&
//            current.content_type.startsWith('image/')
// ============================================================
(function onBefore(current, previous) {
    // Call Glyphward synchronously via GlideHTTPRequest
    var gr = new GlideHTTPRequest('https://glyphward.com/v1/scan');
    gr.addHeader('Content-Type', 'application/json');
    gr.addHeader('Authorization', 'Bearer ' + gs.getProperty('glyphward.api_key'));

    // Read the attachment bytes and base64-encode inline.
    // current is the sys_attachment row itself, so pass the record: the
    // (tableName, sysId) form expects the sys_id of the parent record,
    // not the sys_id of the attachment.
    var sa = new GlideSysAttachment();
    var bytes = sa.getBytes(current);
    var b64 = GlideStringUtil.base64Encode(bytes);

    var body = JSON.stringify({
        image: b64,
        context: 'servicenow-incident-attachment'
    });
    var response = gr.post(body);
    var result = JSON.parse(response.getBody());

    if (result.score >= 65) {
        // Abort the insert — attachment is not saved
        current.setAbortAction(true);
        gs.addErrorMessage(
            'Attachment rejected by Glyphward security scan ' +
            '(scan_id: ' + result.scan_id + '). ' +
            'Please resubmit without adversarial content.'
        );
    }
})(current, previous);
```
The Flow Designer Glued Action approach is recommended for production deployments: it separates the scan logic from table-level Business Rules, supports retry configuration, and integrates cleanly with Flow Designer's error handling and audit logging. Name the Action "Glyphward Image Scan" and publish it to the Global application scope so it is reusable across ITSM, HR Service Delivery, CSM, and FSM flows without duplication.
The Business Rule approach is suitable for simpler implementations where you want to reject adversarial attachments at the point of upload — before any record is created — without modifying existing flows. The setAbortAction(true) call prevents the sys_attachment row from being inserted and surfaces an error message to the submitter in the Service Portal. Note that getBytes() on a Before Insert rule operates on the record before it is committed; test this against your instance's ServiceNow version and attachment size limits, particularly for FSM photo attachments which can exceed 10 MB.
Store your Glyphward API key in a ServiceNow System Property (glyphward.api_key) with the Encrypted checkbox enabled, or use a Credential record in Connections & Credentials with type "API Key" and reference it from the HTTP step Connection Alias. Never hardcode the key in Script steps or Flow Designer variables.
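The Step 4 script treats a missing score as 0, so an empty, malformed, or failed scanner reply passes the gate and the image still reaches the vision model. The following added example (not code from this page or from Glyphward) validates the reply and routes anything unscored to manual review instead. The field names score and scan_id and the threshold of 65 come from the page; the function name decideScanGate and the 'review' outcome are assumptions.

```javascript
// Added example, not Glyphward or ServiceNow code. `score`, `scan_id` and the
// threshold of 65 come from the page; decideScanGate and the 'review' outcome
// are hypothetical names chosen for this sketch.
var BLOCK_THRESHOLD = 65;

function verdict(action, score, scanId, reason) {
  // callModel is true only for a validated score below the threshold
  return { action: action, score: score, scanId: scanId,
           reason: reason, callModel: action === 'allow' };
}

function scanIdOf(parsed) {
  return typeof parsed.scan_id === 'string' ? parsed.scan_id : '';
}

function decideScanGate(httpStatus, bodyText) {
  // A non-2xx reply means the image was never scored
  if (typeof httpStatus !== 'number' || httpStatus < 200 || httpStatus > 299) {
    return verdict('review', null, '', 'scanner returned HTTP ' + httpStatus);
  }
  var parsed;
  try {
    parsed = JSON.parse(bodyText);
  } catch (e) {
    return verdict('review', null, '', 'body is not valid JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return verdict('review', null, '', 'body is not a JSON object');
  }
  var score = parsed.score;
  // Strings, NaN and values outside the 0-100 range are not usable scores
  if (typeof score !== 'number' || !isFinite(score) || score < 0 || score > 100) {
    return verdict('review', null, scanIdOf(parsed), 'score missing or invalid');
  }
  var action = score >= BLOCK_THRESHOLD ? 'block' : 'allow';
  return verdict(action, score, scanIdOf(parsed), 'scored');
}

// Constructed sample replies: [HTTP status, body]
var SAMPLE_REPLIES = [
  [200, '{"score": 12, "scan_id": "scan-constructed-001"}'],
  [200, '{"score": 65, "scan_id": "scan-constructed-002"}'],
  [200, '{"scan_id": "scan-constructed-003"}'],
  [200, '{"score": "90"}'],
  [503, '<html>Service Unavailable</html>']
];

function runSamples() {
  return SAMPLE_REPLIES.map(function (r) {
    return decideScanGate(r[0], r[1]).action;
  });
}
```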
Coverage matrix
| Attack vector | Incident screenshot attachment | FSM work order photo | Virtual Agent image upload | Email inline image attachment |
|---|---|---|---|---|
| Typographic overlay injection (FigStep-class) | Detected | Detected | Detected | Detected |
| Low-contrast pixel-encoded text instructions | Detected | Detected | Detected | Detected |
| Steganographic payload in JPEG/PNG metadata | Detected | Detected | Detected | Detected |
| Priority / severity override instruction | Detected | N/A | Detected | Detected |
| Resolution state manipulation instruction | Detected | Detected | Detected | Detected |
| Work order completion approval instruction | N/A | Detected | N/A | N/A |
| AI role/persona hijack instruction | Detected | Detected | Detected | Detected |
| Data exfiltration redirect instruction | Detected | Detected | Detected | Detected |
| ServiceNow SWDI field-value manipulation | Detected | Detected | N/A | Detected |
| Standard image with no adversarial payload | Pass (score < 65) | Pass (score < 65) | Pass (score < 65) | Pass (score < 65) |
Related questions
Does Now Assist natively scan image attachments for prompt injection?
As of mid-2026, Now Assist does not include pixel-level multimodal prompt injection scanning. Now Assist's built-in guardrails focus on inappropriate or policy-violating content in text outputs — for example, preventing the AI copilot from generating harmful or off-topic responses. They do not analyse the raw image bytes of incident attachments for adversarial pixel payloads, low-contrast typographic overlays, or steganographically encoded instructions. The guardrail layer operates after the model has already processed the image input; it cannot retroactively prevent the model from having followed an injected instruction that modified its summarisation or classification output. Glyphward's scan operates before the image reaches the model, providing a deterministic gate at the input layer that Now Assist's output-layer moderation cannot replicate.
How does the Glued Action approach work with ServiceNow's MID Server for on-premise?
If your ServiceNow instance is configured to route outbound REST calls through a MID Server — the standard architecture for on-premise ServiceNow deployments that restrict direct internet egress from the application node — the Flow Designer HTTP step uses that MID Server automatically when an ECC Queue-backed REST Message is configured. To allow the Glyphward scan call: open the MID Server's config.xml and add glyphward.com to the mid.http.proxyHost allowlist, or configure an outbound REST Message endpoint pointing to https://glyphward.com/v1/scan and assign it to the MID Server cluster. The Connection Alias you define in Connections & Credentials can be tied to the MID Server; the Flow Designer HTTP step inherits this routing. No changes to the Glued Action JavaScript are required — the MID Server proxy is transparent to the script layer. Verify connectivity from the MID Server host using curl -X POST https://glyphward.com/v1/scan before deploying the flow to production.
What about the ServiceNow Document Intelligence (SWDI) module?
ServiceNow Document Intelligence uses AI to extract structured data from uploaded document images — invoices, contracts, purchase orders, and expense receipts. The extraction model receives the document image as its primary input and returns field-value pairs: vendor name, invoice date, total amount, line items, and GL codes. The same multimodal prompt injection attack applies: an adversarially crafted document image can instruct the extraction model to return manipulated field values — an inflated invoice total, a substituted vendor name, or a different cost centre code — that then flow into downstream ERP or procurement records. SWDI has no pixel-level input scanning for adversarial document images. Gate on Glyphward before passing document images to the SWDI extraction pipeline: add the Glyphward Glued Action as the first step in any Flow Designer flow that calls the SWDI Document Intelligence spoke, and reject documents with score ≥ 65 before they reach the extraction model.
Can this be used to scan images in ServiceNow Catalog item requests?
Yes. Service Portal Catalog items can include file upload variables of type "Attachment" that accept images — common for hardware request forms (submit a photo of the failing device), facilities requests (submit a photo of the reported issue), or onboarding workflows (submit a photo of an ID document). If a downstream AI workflow processes those catalog request attachments — for automatic categorisation, priority assignment, or document verification — any image submitted through the Catalog is an untrusted input. Add the Glyphward Glued Action as the first step in the Flow Designer flow that handles catalog request fulfillment, before the step that calls any vision LLM. The input variable is the sys_id of the attachment on the sc_req_item or sc_request record, fetched from the catalog item's attachment field the same way as incident attachments.
Further reading
- Prompt-injection scanner for customer service AI — Zendesk, Intercom, Freshdesk, Salesforce Einstein gating patterns.
- Prompt-injection scanner for document AI — scanning field service work order images with Document AI platforms.
- Indirect prompt injection via image — remotely-fetched images in ServiceNow email parsing workflows.
- Vision language model security — general VLM attack surface taxonomy.
- Multimodal LLM security API — Glyphward API overview.