The Risk Wheelhouse
The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.
S5E9: ServiceNow Buys Armis, Telemetry Meets Workflow for IRM
ServiceNow’s planned $7.75B all-cash acquisition of Armis (targeted to close in H2 2026) is easy to misfile as “just another cybersecurity deal.” In this episode, Wheelhouse Advisors’ Ori Wellington and Sam Jones explain why it is actually a defining IRM market signal, one that raises the standard for what “risk management at scale” should mean going into 2026 procurement cycles.
The core message is simple and disruptive: IRM is shifting from artifact completion to verified outcomes. Risk registers, control libraries, assessments, and attestations may prove process, but they do not prove exposure was reduced. The deal signals a move toward a unified operating model where real-time asset and exposure intelligence, prioritization logic, and remediation plus verification workflows increasingly sit on a single platform spine.
Ori and Sam break down the new credibility threshold for “continuous monitoring” using a practical three-layer test:
- Visibility: continuous discovery, classification, and exposure scoring across IT, OT, IoT, and medical devices
- Action: prioritized routing into owned remediation workflows with clear accountability and SLAs
- Verification: audit-grade proof that remediation occurred and that residual exposure is measured and trending down, not just tickets being closed
They also connect this shift to the next wave of agent-assisted operations, with a clear warning: automation without validation can scale noise faster than it scales risk reduction. The episode defines the audit-grade evidence trail IRM leaders should demand, including signal provenance, decision logic, action records, and verification that a fix held over time.
Finally, Ori and Sam outline three immediate actions IRM leaders should take now for 2026 planning: rewrite outcome metrics, require closed-loop proofs of value, and explicitly test openness to avoid proprietary data-model lock-in as platform consolidation accelerates.
This episode draws from Wheelhouse’s IRM50 OnWatch research note and the IRM50 Vendor Index, and references Wheelhouse’s recently published ERM Vendor Compass Report, where ServiceNow is profiled.
Listen now to recalibrate your evaluation standards before 2026 technology plans get locked.
Access the full IRM50 OnWatch note and more IRM50 research by subscribing at rtj-bridge.com.
Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.
Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.
Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.
Why The Armis Deal Matters
Ori Wellington: Welcome back to the deep dive. This week, we are, uh, really digging into a market signal that is just too big to ignore.
Sam Jones: It's too strategic and, frankly, too expensive.
Ori Wellington: Absolutely. We're talking about ServiceNow's announced agreement to acquire Armis for a just staggering $7.75 billion.
IRM 50 Research And Market Context
Sam Jones: And that's an all-cash transaction. It's expected to close in the second half of 2026, so we have some time, but the signal is now.
Ori Wellington: Right. And I think if you're a leader in risk management, in governance or compliance, you might be tempted to just file this away.
Sam Jones: You'd see it as just another large cybersecurity deal.
Ori Wellington: Exactly. But that would be a fundamental misread of the situation, wouldn't it?
Sam Jones: It really would. For anyone in integrated risk management, you know, IRM, the sheer scale of this investment is a forcing function. It's not optional.
Ori Wellington: A forcing function for what, exactly?
Sam Jones: It signals a necessary, a really fundamental shift toward a unified operating model. We're talking about how to do risk management at scale, for real.
Ori Wellington: A mandate for unification. I like that. The core implication, then, for every risk leader listening, is that this deal forces all of us to reevaluate what we accept as the standard.
Sam Jones: The standard for continuous monitoring, for evidence, for everything.
Ori Wellington: Exactly. And for this deep dive, we're basing our strategic analysis entirely on the Wheelhouse Advisors IRM 50 OnWatch Research Note.
Sam Jones: That's right. And to give you a bit of context, the analysis we're sharing today is drawn directly from that IRM 50 OnWatch research note. It's part of our ongoing research into how this market is evolving.
Ori Wellington: And we track this market using the IRM 50 vendor index.
Sam Jones: We do. And it's probably worth just quickly defining what that is. Think of the index as Wheelhouse Advisors' curated list of vendors and service providers who are actively shaping the IRM market.
Ori Wellington: So it spans everything from GRC, ERM, ORM.
Sam Jones: All of it. GRC, ERM, operational risk, technology risk management, even risk management consulting. We use this index to track momentum, to interpret market signals just like this acquisition, and, uh, to anticipate where the capability shifts are headed over time.
Ori Wellington: And we should also note, as we often do, that ServiceNow is a vendor we've profiled pretty extensively.
Sam Jones: We have, particularly in the recently published ERM Vendor Compass Report.
Intelligence, Logic, Workflow On One Spine
Ori Wellington: So we've been watching how they're evolving their strategy in this whole enterprise risk context for a while now. And this acquisition, it feels like it just hits the accelerator.
Sam Jones: It does more than that. It doesn't just accelerate their strategy, it repositions the entire target. I mean, this deal effectively defines the new price of admission for owning the real-time asset data you need to run modern risk operations.
Ori Wellington: Okay, let's unpack that. Our deep dive today is going to focus on three core strategic areas that are changing for you, the IRM buyer, because of this deal. Okay. First, we're going to explore that fundamental shift in how IRM models will be judged. We're talking about moving from relying on, say, artifact completeness to demanding telemetry-informed closed-loop outcomes. Second, we'll analyze how this deal is a forcing function, how it raises the evaluation standards for continuous monitoring. We'll focus on the crucial layers of visibility, action, and verification.
Sam Jones: Verification being the key one.
Ori Wellington: The most important one. And finally, we will leave you with three immediate, very practical actions that every IRM leader needs to take now in their 2026 procurement cycles to align their teams and their tech stack with these new standards.
Sam Jones: Good. Let's get into it.
Ori Wellington: Let's start with the architecture that this whole thing implies. It seems to be all about the components that have to sit together on a single platform spine.
Sam Jones: That's the core of it.
Ori Wellington: The Wheelhouse analysis points to three inseparable components for this to work at scale: intelligence, logic, and workflow.
Sam Jones: Right.
Ori Wellington: So Armis and ServiceNow bring very distinct, but it sounds like perfectly complementary, capabilities to the table. What does each side actually contribute here?
From Artifacts To Closed Loop Outcomes
Sam Jones: Okay, so we need to define their core missions. Armis, fundamentally, is an asset intelligence and exposure management business. That's their world.
Ori Wellington: So finding things.
Sam Jones: Finding things with incredible detail. They specialize in high-fidelity discovery and tracking of assets across the entire modern distributed risk surface. That means your traditional IT, sure, but also the really tricky stuff.
Ori Wellington: Like OT, operational technology.
Sam Jones: Exactly. OT in manufacturing or utilities, connected medical devices in a hospital. And just that rapidly expanding and often totally unmanaged category of IoT-class devices.
Ori Wellington: Your smart thermostats, your cameras.
Sam Jones: All of it. Their value is the data, the data on what is there and what its risk state is right now.
Ori Wellington: And ServiceNow. Now, on the other hand, they're the engine room.
Sam Jones: They are the engine room. They are fundamentally a workflow and platform business. You could call them the operating system for enterprise operations. They manage the process flow, the accountability, the actual work being done.
Ori Wellington: So you fuse those two things together.
Sam Jones: And when you fuse them, the resulting workflow is, well, it's seamless and it's continuous. It's designed to move entirely away from the old manual, periodic processes.
Ori Wellington: So what does that target operating model look like in practice?
Sam Jones: It looks like this. You continuously discover and classify all your assets. At the same time, you continuously quantify the exposure associated with those assets. And then, and this is the crucial part, you route the remediation and the verification tasks through standardized, accountable workflows.
Ori Wellington: And those workflows sit natively right alongside your normal IT and operational ticketing systems.
Sam Jones: Natively. That's the key. No more swivel-chairing between systems.
Ori Wellington: Okay. That sounds like a powerful technical improvement.
Sam Jones: Yeah.
Ori Wellington: But the analysis argues it goes deeper, that it fundamentally changes the IRM judgment standard itself.
Sam Jones: It has to.
Ori Wellington: If the technology shifts to this continuous loop, how does that change the criteria IRM programs are actually measured against?
Sam Jones: It changes everything. It's a total paradigm shift because it operationalizes technology risk. It turns it into a direct, verified input stream into your enterprise assurance and resilience functions. Okay. Think about the historical benchmark. For the last, what, decade? IRM models have been judged primarily on artifact completeness.
Ori Wellington: Meaning? Can you give an example of that?
Sam Jones: Sure. It means asking questions like: do you have a risk register that's full? Is your control library fully documented? Have you completed all your risk assessments on time? Did you collect all your attestations from business owners?
Ori Wellington: Right. It's about process. Did we do the thing we said we would do?
Sam Jones: Exactly. These are necessary clerical tasks. I'm not dismissing them, but they only demonstrate that the process was followed. They don't prove that risk was actually reduced.
Ori Wellington: And that's the classic check-the-box approach. It's the thing we've all been so frustrated with for years because it rewards activity over actual measurable outcomes.
Sam Jones: Precisely. The new standard, which is driven by the capabilities implied by this unified architecture, moves the judgment entirely toward closed-loop outcomes.
Ori Wellington: Okay, so the strategic question itself changes.
Asset Fidelity Across IT, OT, IoT
Sam Jones: It shifts dramatically. It goes from "did you document the risk according to the policy" to "did you measurably reduce the exposure, and can you prove that reduction with objective third-party data?"
Ori Wellington: And that's the core signal of this whole deal.
Sam Jones: That's it. IRM is moving away from simple registers and attestations and toward genuine telemetry-informed management. The success of your risk program is now measured by the quantifiable reduction of risk exposure, not the volume of your documentation.
Ori Wellington: This is where it gets really strategic. The source material highlights the critical role of the TRM asset bridge, technology risk management, in this whole shift.
Sam Jones: It's the foundation.
Ori Wellington: Asset intelligence isn't a new concept, though. So why does Armis's particular strength here make this acquisition so material for enterprise-wide IRM outcomes?
Sam Jones: Because assets are the foundational layer of tech risk, and our existing tools have, frankly, failed spectacularly at managing the modern asset landscape.
Ori Wellington: You mean things like CMDBs?
Sam Jones: Historically, yes, we relied on configuration management databases, CMDBs, to track our assets. But CMDBs have a critical flaw in the modern world. They rely heavily on agents, or on manual input, or on specific network protocols.
Ori Wellington: That just don't work in these weird, non-standard environments.
Sam Jones: They don't. They don't function well in environments full of bespoke devices like OT, medical, or specialized IoT. So the fidelity of your asset data was always low, especially in your most critical, high-risk environments. They do it by using passive, network-level sensing to provide true high-fidelity data. And fidelity here means knowing precisely what exists, even those non-traditional devices, where it is, who owns it, and, maybe most importantly, how it is behaving in real time.
Ori Wellington: That behavioral aspect is key.
Sam Jones: It's critical. We all know that asset ambiguity, that gray area of unknown, unclassified, or constantly changing devices, is the root cause of weak assurance, of slow response times, and of poor compliance. This acquisition is material because it attacks that ambiguity head on.
Resilience, Assurance, And Compliance Proof
Ori Wellington: So it's turning what was a security asset problem into a genuine enterprise outcome improver. Let's break down those consequences, because they matter all the way up to the C-suite. Let's start with resilience. If I'm running a global manufacturing company or a big healthcare system, why is high-fidelity asset intelligence now mandatory for my resilience program?
Sam Jones: Well, think about a major manufacturing plant or a utility. You've got a huge volume of operational technology, OT, and industrial control systems.
Ori Wellington: Right. Things that control physical processes.
Sam Jones: Exactly. So if an unknown device is introduced onto that network, or an existing device suddenly changes its behavior in a way that suggests it's compromised or malfunctioning, that asset ambiguity translates directly into service disruption risk.
Ori Wellington: A real-world, physical risk.
Sam Jones: Absolutely. If you don't have real-time, high-fidelity intelligence on every single device connected to that network, from a smart thermostat to a PLC on the factory floor, your ability to respond to a threat is just fundamentally crippled.
Ori Wellington: Because you can't execute your business continuity plan effectively if you don't even know the full scope of what you're trying to restore or protect.
Sam Jones: You can't. The continuous passive discovery that a tool like Armis provides is the necessary bedrock for any meaningful resilience program in today's distributed enterprise. You simply cannot manage the risk of service disruption if you don't know the full, continuously updated scope of your service components and their current exposure state.
Ori Wellington: Okay, and that ties directly into what's always been a huge pain point: assurance. If I can't prove the scope of my assets, then I can't really assure my controls are effective, can I?
Sam Jones: And this is a massive time saver for assurance teams. Historically, assurance would spend an enormous amount of time just manually validating asset inventories before they could even start to audit control effectiveness.
Ori Wellington: Just trying to figure out what they're supposed to be auditing.
Sam Jones: Exactly. And that time drain introduces delays, and it often means they're relying on dated or incomplete information. So if the platform provides this continuous, high-fidelity discovery and classification, it effectively short-circuits all that manual validation.
Ori Wellington: It gives them a trusted source of truth to start from.
Sam Jones: It provides audit-grade evidence of what controls are operating on which assets. That lets the owner and team move from a theoretical exercise to a provable operational state. They can focus their energy on systemic weaknesses rather than clerical validation.
Ori Wellington: So it's not just about making the security team happier, it's genuinely making the audit team more effective.
Sam Jones: Precisely. And that leads us straight into compliance. Because regulatory requirements, especially in highly interconnected sectors like finance, healthcare, critical infrastructure, they are demanding proof of operation, not just proof of policy.
Ori Wellington: They want to see the evidence trail, the receipts.
Sam Jones: They absolutely want to see the receipts. Regulated environments are increasingly demanding demonstrable control operation, not just the existence of a policy document or an attested register entry.
Ori Wellington: And this acquisition, by tightening that loop between asset intelligence and verified remediation, provides the specific mechanism to generate that continuous, demonstrable evidence.
Sam Jones: It's the difference between saying "we have a policy that all critical OT assets must be segmented," and actually showing verified evidence that says asset X was found to be outside the segmentation zone at 9:55 AM, a ticket was created, the segmentation policy was automatically enforced by the network tool at 10:00 AM, and a subsequent scan verified the correction at 10:05 AM.
Ori Wellington: That's a completely different conversation with a regulator.
Sam Jones: It fundamentally changes the compliance conversation. It moves from belief to proof.
Ori Wellington: So the first strategic signal is crystal clear. The unification of high-fidelity intelligence and high-velocity workflow forces a market transition. A transition where IRM success is now defined by measurable outcomes and audit-grade evidence, not just the volume of documentation.
Sam Jones: The game has changed.
The IRM Loop and The Failure Gap
Ori Wellington: Let's move to the second major implication, then. This idea that the deal acts as a forcing function around our standards for continuous monitoring. Yes. The public rationale for a $7.75 billion price tag describes creating a unified, end-to-end exposure and operations stack that can, quote, "see, decide, act."
Sam Jones: And that simple phrase, "see, decide, act," is really the core evaluation criterion for the next generation of IRM systems.
Ori Wellington: And it also highlights where almost every legacy IRM implementation currently stalls out.
Sam Jones: Completely stalls out. Most organizations today are pretty competent at the "see" phase. They can collect data, they have vulnerability scanners, they have monitoring tools. Now maybe they have high-fidelity asset discovery; they can see things.
Ori Wellington: But the next two steps, decide and act. That's where it gets manual, slow, and inconsistent.
Sam Jones: That's the failure gap, the decide phase. You know, prioritizing the signal, applying enterprise risk tolerance and policy logic, routing it to the single correct owner. That is so often a manual meeting or a spreadsheet exercise.
Ori Wellington: And the act and verify loop?
Sam Jones: That closed loop is exceptionally rare in current IRM environments. This acquisition is forcing buyers to raise their evaluation standards. They have to insist on the completion of that full loop. It cannot be optional anymore.
Ori Wellington: Okay, so if we are raising the standard for continuous monitoring, the analysis argues it needs to be assessed in three distinct, non-negotiable layers. Let's break down those new minimum requirements for buyers, especially as they're planning for 2026.
Sam Jones: This three-part assessment framework, visibility, action, and verification, is the new credibility threshold for any vendor in this space. Visibility is the foundation, the price of entry. You have to demand continuous discovery, classification, and real-time exposure scoring across all your asset classes: IT, OT, IoT, medical, cloud, with high fidelity. If your current vendor can't tell you precisely what exists and what its risk state is right now, they fail this foundational layer. Period.
Ori Wellington: Okay, second layer, action. This is where the platform's core workflow engine, in ServiceNow's case, really comes into play.
Sam Jones: Exactly. Action requires prioritized routing into remediation workflows with clear ownership. Who has to fix this? By when? It needs firm service level agreements, SLAs, attached. It means the intelligence layer must automatically feed the operational task engine.
Ori Wellington: So a critical risk signal doesn't just sit in someone's inbox.
Sam Jones: Right. It immediately becomes an accountable, tracked assignment. This is what moves risk from a pretty dashboard into the actual operational rhythm of the business.
Visibility Action Verification Standards
Ori Wellington: And finally, the highest threshold, verification. You said this is what distinguishes true risk management from just advanced ticketing.
Sam Jones: Verification is the crucial difference, and it's the part most vendors really struggle with. It requires concrete, auditable proof, real evidence that remediation actually occurred.
Ori Wellington: Not just that a ticket was closed.
Sam Jones: No, evidence that controls are operating as intended and a measurable outcome. Specifically, that the residual exposure is measured, scored, and trended downwards over time. A legacy GRC tool might track that a ticket was closed. That's action. The new standard demands proof that the risk was reduced. That's verification.
Ori Wellington: So if a vendor can only provide the first two layers, visibility and action?
Sam Jones: They're not meeting the new credibility threshold that's being established by a platform that owns both the intelligence and the workflow.
Ori Wellington: This is where the analysis gets really interesting, because it connects this closed-loop model to the future of AI.
Sam Jones: It does.
Ori Wellington: ServiceNow is positioning itself as an AI-era control hub. It's connecting that discovery and prioritization with automated response, which aligns with the rise of agent-assisted operations in risk management. This is signal four in the research note. On the surface, it sounds like the promise of total efficiency.
Sam Jones: It is the dream of efficiency, absolutely. But we need to introduce a heavy dose of critical caution here. Automation is coming, it will be powerful, but IRM leaders have to be clear-eyed about the fact that automation without validation risks creating faster, more expensive noise.
Ori Wellington: That is a powerful phrase. Let's explore that. What does "faster, more expensive noise" look like in practice for, say, a CSO?
Sam Jones: Okay, imagine an automated system. It ingests a flood of new vulnerability signals after a big scan. The system is hyper-efficient, and it automatically prioritizes and routes 10,000 tickets to various IT teams inside of an hour.
Ori Wellington: That's fast action.
Sam Jones: It's incredibly fast. But what if those tickets are based on incomplete asset data? Or what if the prioritization logic mistakenly classifies a low-risk bug on a non-critical server as urgent?
Ori Wellington: You've just flooded your high-value remediation teams with useless work.
Sam Jones: You've successfully scaled inefficiency. And it gets worse. What if the automated fix fails? Or it causes a cascading service interruption because the platform didn't verify the change against the business service map? Now you've created a far more expensive problem, much faster than any human ever could have.
Ori Wellington: So the differentiator isn't just the speed, it's the auditability and the safety of that speed.
Sam Jones: Absolutely. The differentiator in IRM terms, the thing that separates a successful program from one heading for a failure wave, will be whether those agent-assisted workflows produce an audit-grade trail. This is non-negotiable for fiduciary duty.
Ori Wellington: And there are specific components you need to demand in that audit trail.
Sam Jones: Four of them, yes.
Ori Wellington: Okay, let's detail the four required components for a truly auditable workflow. First, signal provenance.
Sam Jones: Provenance means traceability. You have to know precisely what piece of telemetry was detected, who detected it, which sensor, which Armis engine, which cloud tool, and exactly when the detection occurred. If the origin of the exposure data is ambiguous or locked in a proprietary format, the entire workflow built on it is questionable.
Automation Without Validation Risks
Ori Wellington: Okay. Secondly, decision logic. This gets at that black-box concern we often hear about automated prioritization.
Sam Jones: This is where we interrogate the decide step. Why was the signal prioritized? Why did the system decide this exposure needed immediate action before that one? You need a transparent map back to the policies, the risk thresholds, the business criticality scores that triggered the decision.
Ori Wellington: Even if an AI model made the call.
Sam Jones: Especially then. The factors considered by that model must be recorded and auditable. Without this, you can't defend your remediation prioritization to the board or to a regulator.
Ori Wellington: Third, the action taken. This tracks the operational consequence.
Sam Jones: Right. You need an explicit record of what change was attempted, who owned the ticket, who approved the change, which is critical for high-risk or OT environments, and you need documentation of any exceptions that were granted to bypass remediation. This maintains human accountability, even within automated systems.
Ori Wellington: The action has to be traceable back to the decision.
Sam Jones: It has to be. And finally, we circle back to the highest standard: verification.
Ori Wellington: What confirms effectiveness? And for how long?
Sam Jones: That's the question. Did the exposure score actually drop? Did the control state change from deficient to operating? Was the asset patched? And this is key. Was that patch verified by an independent scan or a secondary control system? And is there evidence retention to prove the fix held over time?
Ori Wellington: That full four-part auditable trail.
Sam Jones: That's the minimum differentiator when you're evaluating agent-assisted risk operations. Anything less, and you are scaling chaos, not management.
Ori Wellington: Let's talk about the strategic market implication here, signal five. You don't spend $7.75 billion by accident. It signals a major shift in how platform advantage is even built.
Four Pillars Of An Auditable Trail
Sam Jones: It does. The sheer scale of this deal signals a profound belief among the largest software companies. The belief is that durable platform advantage will increasingly come from owning high-value, primary-source risk telemetry and context.
Ori Wellington: Not just integrating with third-party data or adding another modular risk application.
Sam Jones: Exactly. The value is migrating to the source of truth for asset reality.
Ori Wellington: That's a bold claim. And it raises a critical question. If owning the telemetry becomes the new advantage, what are the specific consequences for IRM buyers who rely on a best-of-breed security stack?
Sam Jones: It implies three major consequences you have to plan for immediately. First, consolidation. You should expect more acquisitions focused on exposure management and asset intelligence by other major platform vendors who suddenly realize they're missing this foundational layer.
Ori Wellington: They see the writing on the wall. Second, this increases what the research note calls platform gravity. What do you mean by that?
Sam Jones: Platform gravity means you get these tighter native experiences, and that offers undeniable efficiency for users, a seamless flow from discovery to ticket. But it creates much higher switching costs down the road.
Ori Wellington: The lock-in risk.
Sam Jones: That's the one. If the critical asset telemetry is deeply embedded within a specific vendor's proprietary data model, extracting that context and taking it to a competitor becomes increasingly difficult and expensive. You have to be aware of the long-term lock-in potential inherent in buying a unified platform.
Ori Wellington: And that's a key piece of skepticism that IRM leaders have to carry with them, right? The efficiency of a unified stack versus the strategic risk of vendor lock-in.
Sam Jones: Absolutely. And the third consequence is the direct pressure on you, the buyer, to decide where your system of record for risk signals is going to live.
Ori Wellington: What do you mean by that?
Platform Advantage And Telemetry Ownership
Sam Jones: You can no longer afford to have five different dashboards tracking five different types of assets with varying levels of fidelity. The future IRM architecture demands unification of these signals, and this deal forces a strategic decision on which vendor is best positioned and most trustworthy to house that unified record, that single source of truth that tracks asset reality, exposure, and verified reduction.
Ori Wellington: We've established that the standard has fundamentally changed, both in how we measure success and in what technology capabilities we should now demand. So let's pivot to the actionable side.
Sam Jones: Okay.
Ori Wellington: If you're an IRM leader, you're starting to plan today, you're gearing up for major 2026 procurement cycles, what are the three immediate, non-negotiable actions you should take to adjust your evaluation standards?
Sam Jones: The market has shifted toward verifiable outcomes. So your RFP criteria have to shift with it. It's that simple.
Ori Wellington: Okay, action one.
Sam Jones: First action: rewrite your outcome metrics. You have to stop rewarding activity and start measuring verifiable performance. This is probably the hardest psychological shift for legacy GRC teams.
Ori Wellington: Let's detail that. What's an old metric, and what's the new performance standard we should be demanding instead?
Sam Jones: Old metrics are passive completion metrics. Things like percentage of controls documented, number of GRC training hours completed, number of risk assessments initiated. They are administrative measures.
Ori Wellington: They measure busyness.
Sam Jones: They do. The new standard requires active operational performance metrics that are tied directly to the telemetry.
Ori Wellington: Can you give me three examples of these new outcome-based metrics?
Sam Jones: Sure. They look like this: time to discover unknown assets. For example, how quickly did the platform identify a newly deployed IoT device on the network? Another is mean time to mitigate a high-risk vulnerability across a specific critical asset class. And the third, the most important one: the quantifiable reduction in exposure by critical asset class, trended quarterly. This measures the verifiable impact of your IRM program on the enterprise risk profile, not just the volume of its bureaucratic output. This is data the board can actually trust.
Ori Wellington: Okay. The second action addresses the evaluation process itself. It's about demanding verified outcomes during the proof of value, or POV.
Sam Jones: Right. You must insist on closed-loop demonstrations. We need to retire the era of looking at simple dashboard screenshots or generic process flow diagrams during vendor evaluations. The new POV requirement has to be operational.
Ori Wellington: Sure. So what does a successful modern closed-loop POV scenario actually look like?
Sam Jones: It has to start with a real exposure signal, maybe a known critical vulnerability on a newly discovered, unmanaged OT device. Then the scenario must demonstrate the signal intake, the prioritization logic based on business service context, the automatic routing and actioning of the remediation task, and, critically, it must end with the verified remediation and the explicit evidence artifacts that prove the fix was effective and the exposure score dropped.
Ori Wellington: And if a vendor can't show that whole loop?
Sam Jones: If a vendor cannot demonstrate the entire loop from discovery to verified fix using audit-grade evidence, they are not meeting the new standard. I don't care what their marketing materials say. This is the only way to separate platform promises from operational reality.
Ori Wellington: And the third action addresses that long-term strategic risk of vendor lock-in and platform gravity we talked about. Explicitly testing for openness.
Sam Jones: This is so crucial, especially for organizations with deep investments in best-of-breed security tools. You need to test openness explicitly. You have to validate that integrations remain first-class citizens, even as these platforms naturally want to tighten their native experiences.
Ori Wellington: And this means going far beyond just checking for a simple API connection.
Sam Jones: Far beyond. You need to ask the tough questions.
Ori Wellington: Like what? What are those tough questions?
Sam Jones: Ask for assurances on data portability. Demand to know the friction involved in pulling that high-fidelity asset context out of the platform and feeding it into a competing risk engine or an existing specialized tool, like a dedicated GRC system or a specialized vulnerability management solution.
Ori Wellington: You're testing to see if the data can leave.
Sam Jones: You need to ensure that the core risk data models do not become proprietary choke points that lock you into one vendor for critical risk context. Remember, that $7.75 billion valuation is a bet on owning that data. You need a strategy to retain control of it.
Ori Wellington: These three actions all seem to point back to the same necessity: linking the abstract world of risk documentation back to the concrete, measurable reality of enterprise assets and workflows.
Sam Jones: And that leads directly to the core value unlock of IRM. You must anchor technology signals to business service context. Asset intelligence, even high-fidelity intelligence from Armis, is just data. It's noise until it can be translated into language the business actually cares about.
Ori Wellington: The true IRM value only appears when asset exposure is translated into service impact.
Sam Jones: And used to drive decision prioritization. That's it.
Ori Wellington: Give us a quick example of that translation.
Sam Jones: Okay. If your platform flags a vulnerability on 500 servers, that's interesting data. But if your platform can instantaneously translate that into "200 of these servers directly support the core payment processing service, and the other 300 support the internal employee benefit portal," well, the prioritization decision is instantly obvious. Which exposed device threatens the company's revenue stream? Which unknown OT asset could shut down the supply chain? That service context mapping is what justifies the entire IRM investment. It's what allows you to move beyond simply managing technology risk to actually managing enterprise resilience.
Ori Wellington: Let's close this section by looking forward a bit. This deal isn't just retrospective; it informs immediate future market movements. So, based on this acquisition, what market forecast is now highly probable?
Sam Jones: The research note projects a high probability, about 55% within the next six to twelve months, that IRM buyers are going to elevate continuous verification to a formal, mandatory RFP requirement.
Ori Wellington: And that's driven by all these new, complex asset classes.
Sam Jones: Exactly. It's driven by the undeniable rise of OT, IoT, generative AI infrastructure, and all the unmanaged asset exposure concerns that come with them.
Ori Wellington: And what's the resulting strategic change for the vendor landscape?
Sam Jones: The vendor shortlists are going to narrow dramatically. They will start to focus exclusively on platforms that can prove closed-loop remediation, plus audit-grade evidence trails, across at least one high-value use case, like OT asset protection or cloud posture management.
Ori Wellington: So the window for offering just a partial solution?
Sam Jones: Just discovery or just ticketing. That window is closing, and it's closing rapidly. The market demands proof of outcome.
Ori Wellington: This truly feels like a dividing line for the entire IRM market. There's a pre-Armis reality and a post-Armis reality. The strategic message is that integration and outcome verification are no longer optional extras.
Sam Jones: It is a dividing line. The sheer scale of the investment is the signal. It tells us that risk management at scale requires the unification of intelligence and workflow. The time for siloed, artifact-based IRM programs is officially over.
Ori Wellington: This acquisition of Armis by ServiceNow, then, is fundamentally about closing the loop. The necessary and, frankly, long-overdue loop between asset reality and workflow action.
Sam Jones: That's right.
Ori Wellington: The future of IRM evaluation standards rests entirely on demanding verifiable closed-loop outcomes and having the audit-grade evidence to back them all up.
Sam Jones: And while the immediate focus is on achieving this automation and efficiency, we have to look further down the road at the long-term risks. Our long-term forecast suggests a non-trivial risk, about a 40% probability in the 18-to-30-month timeframe, of a wave of automation-without-validation failures.
Ori Wellington: And this is that risk of scaling inefficiency we discussed. Organizations aggressively ingest more signals, they create more tickets, they automate more fixes, but they ultimately fail to show any measurable, sustained exposure reduction.
Sam Jones: Or maintain control effectiveness. They automate the noise, not the value. And that is the real threat of the AI and automation era.
Ori Wellington: So what's the necessary countermeasure?
Sam Jones: IRM leaders must proactively introduce formal guardrails for agent-assisted workflows, and they need to do it right now. This means embedding mandatory verification gates at the end of every automated action. It means defining clear approval thresholds for certain high-risk automated actions, especially in OT environments.
Ori Wellington: And establishing strict evidence retention standards.
Sam Jones: Strict standards, and implementing exception handling processes that require a human review before the loop is ever considered truly closed.
Ori Wellington: That's the final thought we really want to leave you with. The power of AI and automation in risk management is immense, but the diligence of validation has to be non-negotiable. If you automate a fix, you must automate the proof of that fix.
Sam Jones: Absolutely. We've covered a lot today regarding the strategic implications of this deal for your IRM strategy and for your procurement cycles. This deep dive, along with the full analysis on vendor momentum and capability shifts, comes directly from our IRM 50 OnWatch research note.
Ori Wellington: You can access this full note and all of our other IRM 50 research insights on our research platform. Just head over to the RTJ Bridge by subscribing at rtjbridge.com. That's rtjbridge.com. Get the research that helps you define your standards and make informed decisions before your 2026 technology plans get locked in place.
Sam Jones: We look forward to continuing this discussion with you on the Bridge.
Ori Wellington: We'll see you there.