Three Forces Made CSDM Non-Optional

Three Forces Made CSDM Non-Optional
Three Forces Made CSDM Non-Optional
20:58

Autonomous AI, EU regulation, and ServiceNow's new commercial model have turned the Common Service Data Model (CSDM) from a hygiene project into the foundation everything else now depends on. Here is why I think every leadership team should treat it that way, and what it changes for the people who own it.

Since ServiceNow introduced the Common Service Data Model in 2018, I have watched the same argument get made, and, in most organizations, quietly deferred.

I was part of opening ServiceNow's first office in Norway back in 2014-2015. In the years since, as VP Solutions at The Cloud People, a Pure Play ServiceNow partner, I have sat across the table from organizations of every size and industry, and watched the same proposal come around again and again: clean up the model, fix ownership, map the dependencies, retire the duplicate CIs. It was always sensible. In most places, it lost the priority fight to something with a clearer near-term return, and each time, the decision looked defensible.

Not everywhere, though, and the exceptions matter. A disciplined few made the investment early, did the unglamorous work, often alongside us, and built a model they can actually trust. They are not reading this with a problem to fix, they are the ones now moving fastest, and most safely, on AI and regulation. This paper is about everyone else, and about why the trade that was defensible for years is not defensible any longer.

01 – The shift

The argument has finally changed

For years, the case for CSDM rested on reporting quality, impact analysis, and service governance. Good arguments, all of them, and in most organizations never quite good enough to beat the next thing in the backlog.

In 2026, three forces outside IT changed the terms of that argument. None of them originates in IT housekeeping, and none can be answered by cleaning up the CMDB one more time. Each one independently makes CSDM maturity a precondition for something the business has already decided it wants.

First, autonomous AI now consumes the service graph directly. ServiceNow's Context Engine, Workflow Data Fabric, and the agentic specialists arriving across the platform draw their understanding of the business from CSDM data: ownership, dependencies, lifecycle, classification. Where that data is thin, the AI acts on a thin picture, at machine speed.

Second, EU regulation now requires the auditable context CSDM produces. The EU AI Act and DORA both demand that an organization can demonstrate, on evidence, what a system does, who owns it, what it depends on, and what state it is in. That is a service-model question before it is a compliance question.

Third, the commercial model now bundles AI in by default. ServiceNow's Foundation, Advanced, and Prime tiers include AI as a platform property rather than an add-on. The organization is paying for autonomous capability whether or not the foundation can support it, and the return on that spend is gated by the quality of the model.

“CSDM did not become important because IT finally decided it mattered. It became non-optional because three forces outside IT's control now depend on it, and two of them are law.”

02 – The problem

A platform still owned for what it used to be

It is worth being honest about that history, because it is the context every new CSDM proposal is heard in. CSDM has been available since 2018, and promoted inside most ServiceNow customers ever since. In most of them it rarely became a funded programme, and the reasons were structural, not a failure of will.

The benefits were always real, but indirect. Better impact analysis, cleaner reporting, more reliable change management, each valuable, none of them urgent. The work was unglamorous: ownership cleanup, relationship mapping, retiring duplicate CIs, agreeing taxonomies across teams that did not want to agree. And, crucially, the platform still worked without it. Tickets were resolved. Services were delivered. People filled the gaps in the model with their own knowledge of how things really connected. The CMDB could be substantially wrong and the business would still function, because humans were silently compensating for every inaccuracy.

There were exceptions, and they are the proof the rest of this argument rests on. A handful of the organizations I have worked with chose to do the work anyway, treating the model as an asset rather than a chore. They built a clean, well-owned foundation, and they are the reference point for everything that follows: evidence that real CSDM maturity is achievable, and a preview of the advantage it now confers.

For most organizations, though, CSDM lost, repeatedly, to things with a clearer near-term return. That was a defensible decision each time it was made. The reason it is no longer defensible is that all three of the conditions that made it safe to defer have now reversed at once.

  1. The benefit is no longer indirect. AI value and regulatory compliance both depend on the model directly, not as a downstream nicety.

  2. The work is no longer optional. Two regulations now require, on evidence, exactly the structured context the model produces.

  3. The platform no longer compensates. Autonomous agents act on the data as written, with no human silently bridging the gaps.

The rest of this paper takes each of the three forces in turn, then turns to what I would actually do, and how I would argue for it from each seat at the leadership table.

03 – Force one

Autonomous AI now acts on the model

The first force is the one closest to my daily work, and the easiest to demonstrate. ServiceNow's AI is no longer a sidecar that sits alongside the platform and answers questions. With the April 2026 announcements and the Australia release, AI became a core platform capability that acts on the business, and to act on the business, it has to understand it first. The mechanism by which it understands the business is the service graph that CSDM defines.

ServiceNow describes its Context Engine as an enterprise context capability that grounds AI decisions in relationships, policy, and decision history drawn from the Service Graph and Knowledge Graph. Workflow Data Fabric connects data across systems so AI can reason over it. The agentic specialists, in IT, security, HR, and other domains, execute end-to-end processes rather than assisting with a single task. Every one of these reads from the same underlying source: the configuration items, relationships, ownership records, lifecycle states, and classifications that CSDM structures.

This is not a marketing characterization, it is the architecture. When an agent assesses the impact of a change, it traverses the dependency relationships in the CMDB. When it routes a task to an owner, it reads the ownership fields on the affected Application or Business Service. When it decides whether an action is safe, it checks lifecycle state. When it determines whether data may be processed, it relies on the classification of the relevant Information Objects. Where the class is unpopulated or inaccurate, the agent does not stop, it proceeds on the best available data, which may be wrong.

“A human incident manager silently corrects a bad CMDB record from experience. An autonomous agent does not. It acts on what the data says, correctly, quickly, and at scale, whether the data is right or not.”

illustration-csdm-perspective-series-3

04 – Force two

Regulation now requires the evidence

The second force is the one that turns CSDM from a recommendation into an obligation, and to me it is the most consequential of the three. Two pieces of European regulation now require, on evidence, exactly the structured operational context CSDM produces.

EU AI Act, the high-risk regime

For systems classified as high-risk, the Act sets out obligations in Articles 9 through 15 that map almost directly onto CSDM data classes:

Article 9 (risk management) requires a continuous, lifecycle-spanning process, which presupposes that systems, their criticality, and their dependencies are modelled.

Article 10 (data governance) requires that the data a system uses is documented and traceable, which maps to Information Objects and data classification.

Article 11 (technical documentation) requires an evidence package describing the system, assembled from technical context, dependencies, ownership, and lifecycle.

Article 12 (record-keeping) requires logs that can be correlated to a business function, which presupposes the function is modelled.

Article 14 (human oversight) requires named accountability, which is the ownership model.

Article 15 (accuracy, robustness, cybersecurity) requires that the system in production matches its assessed configuration, which presupposes reliable lifecycle and build records.

DORA, the register is a CMDB extract

The Digital Operational Resilience Act has applied to European financial entities since January 2025. Its Article 28 requires a maintained Register of Information covering all ICT third-party arrangements, their criticality, and the business functions they support. That is, in substance, a CMDB extract: services tied to business functions, with ownership, criticality, and dependency relationships. Most financial entities are building it by spreadsheet, because their CMDB cannot answer the question directly. Administrative fines reach up to 2 percent of total annual worldwide turnover, with higher ceilings in some member states.

The timeline is the argument, not the threat

On 7 May 2026, EU negotiators reached a provisional agreement, the Digital Omnibus on AI, to postpone the core high-risk obligations from August 2026 to December 2027 for use-based systems, and to August 2028 for product-embedded systems. The transparency obligations of Article 50 still apply from December 2026, and the prohibited-practices and AI-literacy provisions, together with the 35 million euro / 7 percent global turnover penalty framework, have been in force since February 2025.

I think the postponement is, paradoxically, one of the most useful facts in this whole analysis, provided it is read correctly. It is not relief, even though it will be reported as such. A defensible CSDM maturity programme takes twelve to eighteen months, conformity assessment alone takes six to twelve, and the harmonized standards are not yet final. The roughly eighteen months between now and December 2027 is, almost exactly, the time required to do the work properly. Read as breathing room, that interval evaporates. Read as a runway, it is enough, but only if the programme starts now.

05 – Force three

You are already paying for it

The third force is commercial, and it reframes the budget conversation entirely. On 9 April 2026, ServiceNow retired the Standard, Pro, and Enterprise tiers and replaced them with Foundation, Advanced, and Prime. AI, Workflow Data Fabric, AI Control Tower, Moveworks, and Process Mining are now included by default across the new packaging, rather than sold as separate add-ons.

The implication is straightforward. The AI capability is no longer a discretionary purchase you can defer until the foundation is ready. It is bundled into the contract you are already signing. The spend is committed. What is not yet committed is your ability to extract value from it, and that ability is gated entirely by the model.

illustration-servicenow-tiers

This is the argument that lands with a CFO, or with a CIO who controls the budget: the organization is paying for autonomous capability across the platform, and the difference between a strong return and a poor one is whether the service model can support the capability the contract already includes. A modest assistant operating on a clean, well-owned, well-classified model delivers more reliable value than an autonomous specialist operating on a model full of gaps. The money is spent either way. The CSDM investment decides what the money buys.

CSDM maturity is not a cost centre competing for budget. It is the multiplier on a cost the organization has already accepted.

06 – The model

Built for this exact moment

CSDM 5.0, released in May 2025, is not a cosmetic revision. It restructured the model into seven domains, Foundation, Ideation & Strategy, Design & Planning, Build & Integration, Service Delivery, Service Consumption, and Manage Portfolios, and added several capabilities that map directly onto the three forces above. The model the regulation and the AI now require was, in effect, shipped before either pressure fully arrived.

Business Applications kept their name

A point of precision that matters when you argue with people who know the platform: CSDM 5.0 did not rename Business Applications to Digital Products. Business Applications remain in the Design & Planning domain alongside Business Capabilities and Information Objects. What is new is the Digital Product Portfolio concept, in which Applications, Services, and Products are treated as elements of a managed portfolio with a Digital Portfolio Owner, a layer above the existing classes, aligned with the IT4IT standard, not a replacement for them.

AI systems are now configuration items

CSDM 5.0 introduces AI-native classes, AI System Digital Asset, AI Function, and AI Application, across the Build & Integration and Service Delivery domains. This is the schema-level recognition that an AI system is itself a managed asset with provenance, dependencies, and a lifecycle. It is also precisely what the EU AI Act expects you to be able to inventory and document. The model already has somewhere to put the answer.

SBOM, lifecycle, and Service Instance expansion

The Software Bill of Materials, now a foundational element, provides the component inventory that vulnerability management and Article 15 cybersecurity evidence depend on. Refined lifecycle stage and status modelling answers the regulator's question of whether a system in production matches its assessed configuration. And the expansion of Service Instances beyond Application Services, to include Data, Network, Facility, and Operational Process instances, extends the model's reach across the estate an autonomous agent might act on.

It is worth quoting ServiceNow's own framing from the Yokohama release materials: a standardized framework that accelerates quick, safe, and compliant technology deployments, with built-in governance and audit-ready data. The compliance argument is being made by the vendor itself. Restating it inside your organization is not stretching the case, it is repeating ServiceNow's own positioning back from the customer side.

07 – The path

Crawl, walk, run, while AI is already running

The most common objection I hear is that a CSDM programme is a multi-year, boil-the-ocean exercise that blocks everything else until it is finished. That objection is wrong, and worth setting aside clearly. CSDM maturity is incremental by design, and AI activation does not have to wait for it.

ServiceNow's own recommended approach is a staged one, Crawl, Walk, Run, Fly, beginning with Foundation data and extending outward. The point of staging is that value is produced at every step, not only at the end. And, critically, the staging runs in parallel with AI activation, not before it.

fig-2-csdm-perspective-series-3

The discipline is not to delay AI until the model is perfect. It is to match the pace of activation to the maturity of the underlying data, system by system. Switch on the AI capabilities that deliver value now, on the low-risk, well-understood processes where the model already supports them, and value begins accruing against committed spend immediately. In parallel, harden the ownership, relationships, classification, and lifecycle on the higher-risk and higher-exposure systems, producing the evidence the regulator and the audit committee require. The high-risk, high-exposure automation goes live last, once the evidence exists to defend it.

Presented this way, the programme is not a blocker. It is the thing that lets AI activation proceed safely and continuously, instead of stalling the first time a governance question is asked.

08 – The leadership view

The same conclusion from every seat

One thing I find striking about this convergence is that it reaches the same conclusion regardless of which seat in the leadership team you occupy. The three forces are not three separate concerns to be weighed against each other, they are three views of a single dependency. It is worth setting out how the case looks from each vantage point, because the people who decide on it arrive from different directions.

From the CIO's seat: a precondition, not a cleanup

CSDM has stopped being a discretionary IT-improvement effort and become a precondition for commitments the organization has already made. The AI capabilities read directly from the service model, two EU regulations require the evidence it produces, and the commercial model has bundled the AI in by default. The maturity of the service model now determines whether the AI investment returns, and whether the organization stays defensible under the EU AI Act and DORA. That is a different category of decision from periodic CMDB hygiene, and it warrants a different category of attention.

From the budget owner's seat: protection of committed spend

Seen through a financial lens, this is not new investment competing for budget. The autonomous capability is part of the platform contract whether or not it is activated, so the spend is already committed. What remains undecided is the return, and that return is gated by the quality of the service model. CSDM maturity is best understood as the multiplier on a cost the organization has already accepted, not as an additional cost in its own right.

From the risk and compliance seat: the route to audit-readiness

The EU AI Act and DORA both demand that the organization can demonstrate, on evidence, what each system does, who owns it, what it depends on, and what state it is in. That evidence is a product of the service model. Where it cannot be produced cleanly today, which is the situation in most enterprises I see, the work to produce it is not an IT side-project, it is the direct path to audit-readiness. The extension of the high-risk deadline to December 2027 does not change what must be demonstrated, it sets the window in which to become able to demonstrate it.

That last point is the one I would underline. The most natural reading of the December 2027 extension is that the pressure has eased. It has not. The roughly eighteen months between now and the deadline is the runway a proper programme requires, not slack on top of it. The extension did not reduce the work, it defined the latest responsible point at which to begin it. For an organization that has not yet started, that point has effectively arrived.

08 – Final reflection

The argument that kept losing is now winnable

Since 2018, the case for CSDM was made on its own merits, and in most organizations those merits were never quite enough. The argument did not fail because it was wrong, the disciplined few who acted on it proved that, it lost because it competed against things with a clearer near-term return, and because the platform tolerated a weak model while humans silently compensated for it.

That era has ended. Autonomous AI now acts on the model directly, without the human compensation that used to hide its gaps. EU regulation now requires the auditable context the model produces, with penalties that make it a board-level risk. And the commercial model has bundled AI into the contract, so the spend is committed and only the return is still in question. Three forces, none of them originating in IT, all converging on the same prerequisite.

For the first time, the argument aligns with the organization's own priorities. The CSDM programme is no longer the unglamorous internal effort that competes with the strategic ones. It is the foundation those strategic priorities, AI value, regulatory defensibility, and operational resilience, actually depend on. The work itself has not changed, it is still ownership, relationships, classification, and lifecycle. What has changed is that it is finally, demonstrably, non-optional.

“The work itself never changed. What changed is that the rest of the enterprise finally caught up to why it matters.

The case that struggled to win priority for years is, at last, winnable, because the choice has been taken away. The few who acted early are already ahead. For everyone else, the window to catch up is roughly eighteen months, and it is open now.

Access the full brief as PDF by clicking here:

 

star-1  THE PERSPECTIVE SERIES

This is a part of an ongoing series from The Cloud People on ServiceNow, enterprise platforms, and AI-driven transformation. More to follow.

Related blog posts

ServiceNow Has Outgrown IT Operations

ServiceNow Has Outgrown IT Operations

ServiceNow has quietly become the AI platform for enterprise transformation. Most organizations still run it as a ticketing tool under IT...

Enhance Automated Testing with Allure Report: Benefits and Setup

Enhance Automated Testing with Allure Report: Benefits and Setup

Automated testing is an essential component in software development, ensuring the quality and reliability of the software. The Allure Report is a...

IT Integration basics: SOAP or REST? A beginner’s guide to integrations

IT Integration basics: SOAP or REST? A beginner’s guide to integrations

In our new blog article series, we will dive into the topic of IT systems integration. We will begin by describing integration concepts for anyone...