Case Study

Automating Vendor Access Management on ServiceNow for an Asset Management Firm 

Solution

IT Service Management | Security | Governance

Industry

Asset Management | Financial Services

Core Technology

ServiceNow

Overview

A global asset management firm working with dozens of third-party vendors and consultants had to routinely deal with temporary vendor access. But the whole process was handled informally through emails and spreadsheets. Sometimes even through ad hoc chats with the IT team.  

So, this left our client with a governance gap. While the company already used ServiceNow for ITSM, external access management remained entirely unstructured. With no standardized intake, no auditable approval trail, and no automated expiry process, the risk of unauthorized access to sensitive financial systems and client data grew with every new vendor engagement.  

Xavor Corporation was engaged to build a purpose-built vendor access management solution on ServiceNow, turning an ad hoc, high-risk process into a governed, automated access lifecycle. 

Business Challenge 

Asset management firms usually depend on a large ecosystem of external parties to run their business operations. So did our client, who worked with a network of technology partners for portfolio management, managed service providers to support IT operations, and consultants/auditors hired for compliance and audit purposes.  

Therefore, these third-party actors required temporary access to systems and records during reviews or regular maintenance. 

The core challenge was a complete absence of control over how temporary vendor access was requested, approved, fulfilled, and removed. Without a structured process, the organization faced compounding risks at every stage of the vendor access lifecycle.

1. No standard request process

Requests arrived through emails and chat messages with no required fields, so approvers couldn’t know whether a vendor is requesting access to portfolio systems or trading-related applications. 

2. Approvals with no paper trail

Managers approved access in their inboxes. That meant when an auditor came asking for evidence of who approved what and when, the answer was often a shrug and a search through old emails. 

3. Security reviews getting skipped

Because there was no enforced process, requesters would sometimes go straight to IT without looping in the security team or the system owner. That could expose sensitive client financial data to the wrong person. 

4. Access that never expired

End dates were written down somewhere but rarely acted on. Former consultants or service providers could continue accessing financial systems months after their engagement ended. And nobody had flagged it because nobody was watching it. 

5. No visibility for leadership

There was no place where a manager or security lead could see all active vendor access, who had it, to which systems, under whose approval, and what was coming up for renewal during audits or regulatory examinations 

the solution

Xavor built the solution entirely within ServiceNow without using any third-party tools or workarounds. Our goal was simply to make sure every vendor access request went through one process with every approval to be on record. And no access stayed active past its agreed end date without someone explicitly deciding to extend it.

1. A proper intake form

We built a Service Catalog item that captures everything essential upfront. Like who the vendor is, which portfolio management, or trading system they need access to. Then who is sponsoring the request, the business reason, and the start and end dates. Incomplete submissions do not go anywhere until the required fields are filled. 

2. A clear approval chain

Once a request is submitted, it moves through a defined sequence. The sponsoring manager confirms the business need. The security and compliance teams review the request to ensure it aligns with internal controls and regulatory requirements. The system owner approves the specific access being requested. Each step is logged automatically, no chasing, no missing sign-offs. 

3. Automated expiry reminders and removal tasks


Two weeks before access is due to expire, the system sends a renewal prompt to the sponsor. If no action is taken, a removal task is created automatically at the one-week mark. Overdue removals surface on the security dashboard as exceptions.  

4. Controlled oversight

Any extension requires renewed approval to ensure continued business justification and compliance oversight.   

3. Automated expiry reminders and removal tasks

Two weeks before access is due to expire, the system sends a renewal prompt to the sponsor. If no action is taken, a removal task is created automatically at the one-week mark. Overdue removals surface on the security dashboard as exceptions.  

4. Controlled oversight


Any extension requires renewed approval to ensure continued business justification and compliance oversight.   

5. A single access register


Every grant of vendor access creates a record in a dedicated Vendor Access Register table. That table is the authoritative source, not the original ticket, not an email thread. It shows the current status of every access grant from request through to removal, and it is what the team pulls up during audits.   

Outcomes & Benefits 

The results were visible almost immediately after go-live:

Tools & tech stack

Service Catalog 

Flow Designer & Approval Engine

Custom Table (Vendor Access Register) 

Business Rules & Data Policies 

Scheduled Automation & Notifications 

Scheduled Automation & Notifications 

conclusion

Most organizations usually have the tools they need to manage vendor access properly. What they are missing is the process built inside those tools. This client had ServiceNow, but they just had not used it for this. Once the workflow created by Xavor was in place, the risk picture changed quickly because the process was finally consistent.  
 
We can help you build a similar business infrastructure that you can track at all times. Xavor’s ServiceNow experts use the platform to help you automate key operations with governance, so your teams have complete visibility and stronger control over everything.

Make most out of your ServiceNow instance now 

Use ServiceNow as an AI-first business automation platform with Xavor.  

Scroll to Top