You're right that at the technical level, it's an unsecured API. But I'd argue the AI context matters for two reasons:

  1. The capability itself: The "create data anywhere" permission wasn't a legacy API—it was added specifically to enable AI agent functionality (Now Assist). Traditional chatbots had scoped, rules-based actions. The shift to agentic AI introduced capabilities that the auth model wasn't designed to govern.

  2. The pattern: This is going to happen repeatedly. Companies are bolting AI agents onto legacy systems without rethinking authorization. ServiceNow is just the first high-profile example. The same pattern exists in Copilot plugins, Claude Desktop MCP servers, LangChain deployments—anywhere AI agents get grafted onto existing infrastructure.

You could call it "an unsecured API" and be technically correct. But the reason it was unsecured is that AI agents break the assumptions traditional IAM was built on: human decision-making, predictable workflows, fixed permissions.

The fix isn't just "secure your APIs" (though yes, do that). It's recognizing that autonomous agents need different authorization primitives than human-operated systems.