Case Study
Automating Vendor Access Management on ServiceNow for an Asset Management Firm
Solution
IT Service Management | Security | Governance
Industry
Asset Management | Financial Services
Core Technology
ServiceNow
Overview
A global asset management firm working with dozens of third-party vendors and consultants had to routinely deal with temporary vendor access. But the whole process was handled informally through emails and spreadsheets. Sometimes even through ad hoc chats with the IT team.
So, this left our client with a governance gap. While the company already used ServiceNow for ITSM, external access management remained entirely unstructured. With no standardized intake, no auditable approval trail, and no automated expiry process, the risk of unauthorized access to sensitive financial systems and client data grew with every new vendor engagement.
Xavor Corporation was engaged to build a purpose-built vendor access management solution on ServiceNow, turning an ad hoc, high-risk process into a governed, automated access lifecycle.
Business Challenge
Asset management firms usually depend on a large ecosystem of external parties to run their business operations. So did our client, who worked with a network of technology partners for portfolio management, managed service providers to support IT operations, and consultants/auditors hired for compliance and audit purposes.
Therefore, these third-party actors required temporary access to systems and records during reviews or regular maintenance.
The core challenge was a complete absence of control over how temporary vendor access was requested, approved, fulfilled, and removed. Without a structured process, the organization faced compounding risks at every stage of the vendor access lifecycle.
1. No standard request process
Requests arrived through emails and chat messages with no required fields, so approvers couldn’t know whether a vendor is requesting access to portfolio systems or trading-related applications.
2. Approvals with no paper trail
Managers approved access in their inboxes. That meant when an auditor came asking for evidence of who approved what and when, the answer was often a shrug and a search through old emails.
3. Security reviews getting skipped
Because there was no enforced process, requesters would sometimes go straight to IT without looping in the security team or the system owner. That could expose sensitive client financial data to the wrong person.
4. Access that never expired
End dates were written down somewhere but rarely acted on. Former consultants or service providers could continue accessing financial systems months after their engagement ended. And nobody had flagged it because nobody was watching it.
5. No visibility for leadership
There was no place where a manager or security lead could see all active vendor access, who had it, to which systems, under whose approval, and what was coming up for renewal during audits or regulatory examinations
the solution
Xavor built the solution entirely within ServiceNow without using any third-party tools or workarounds. Our goal was simply to make sure every vendor access request went through one process with every approval to be on record. And no access stayed active past its agreed end date without someone explicitly deciding to extend it.
1. A proper intake form
We built a Service Catalog item that captures everything essential upfront. Like who the vendor is, which portfolio management, or trading system they need access to. Then who is sponsoring the request, the business reason, and the start and end dates. Incomplete submissions do not go anywhere until the required fields are filled.
2. A clear approval chain
Once a request is submitted, it moves through a defined sequence. The sponsoring manager confirms the business need. The security and compliance teams review the request to ensure it aligns with internal controls and regulatory requirements. The system owner approves the specific access being requested. Each step is logged automatically, no chasing, no missing sign-offs.
3. Automated expiry reminders and removal tasks
Two weeks before access is due to expire, the system sends a renewal prompt to the sponsor. If no action is taken, a removal task is created automatically at the one-week mark. Overdue removals surface on the security dashboard as exceptions.
4. Controlled oversight
Any extension requires renewed approval to ensure continued business justification and compliance oversight.
3. Automated expiry reminders and removal tasks
Two weeks before access is due to expire, the system sends a renewal prompt to the sponsor. If no action is taken, a removal task is created automatically at the one-week mark. Overdue removals surface on the security dashboard as exceptions.
4. Controlled oversight
Any extension requires renewed approval to ensure continued business justification and compliance oversight.
5. A single access register
Every grant of vendor access creates a record in a dedicated Vendor Access Register table. That table is the authoritative source, not the original ticket, not an email thread. It shows the current status of every access grant from request through to removal, and it is what the team pulls up during audits.
Outcomes & Benefits
The results were visible almost immediately after go-live:
- 95% reduction in incomplete requests: The intake form enforces required fields, so fulfillment teams are no longer receiving half-filled requests that need follow-up before anything can happen.
- 100% auditability of approvals: Every decision, who approved, when, and at which stage is captured on the request. That provides evidence for internal audits, external audits, and regulatory examinations.
- Security has a live view: The dashboard shows all active vendor access in one place, by system, by department, by sponsor, along with anything overdue or pending. It is the kind of visibility the team simply did not have before.
- 80% reduction in overdue vendor access: Automated tasks and reminders mean the removal process happens on schedule. Vendor accounts are no longer slipping through the cracks and staying active indefinitely.
- 50% less administrative effort for IT teams: With requests arriving complete and pre-approved through the right channels, the back-and-forth between IT and requesters dropped significantly.
Tools & tech stack
Service Catalog
Flow Designer & Approval Engine
Custom Table (Vendor Access Register)
Business Rules & Data Policies
Scheduled Automation & Notifications
Scheduled Automation & Notifications
conclusion
Most organizations usually have the tools they need to manage vendor access properly. What they are missing is the process built inside those tools. This client had ServiceNow, but they just had not used it for this. Once the workflow created by Xavor was in place, the risk picture changed quickly because the process was finally consistent.
We can help you build a similar business infrastructure that you can track at all times. Xavor’s ServiceNow experts use the platform to help you automate key operations with governance, so your teams have complete visibility and stronger control over everything.
Make most out of your ServiceNow instance now
Use ServiceNow as an AI-first business automation platform with Xavor.