ServiceNow's $900M Armis Acquisition Targets 7 Billion-Device IoT Security Gap

ServiceNow Consolidates IoT Security at Scale

ServiceNow completed its acquisition of Armis on April 22, 2026, embedding the cyber asset intelligence platform's real-time monitoring of nearly 7 billion devices—spanning OT, IoT, medical equipment, and cloud infrastructure—into its AI-powered security stack. The deal triples ServiceNow's addressable market for security and risk products and shifts competitive pressure toward platform consolidation, challenging pure-play IoT security vendors like Nozomi Networks, Claroty, and Dragos that lack integrated workflow automation at enterprise scale.

The integration combines Armis' non-invasive device discovery with Veza's identity mapping (acquired by ServiceNow in March 2026) to create unified visibility across IT, OT, and IoT environments. For enterprises deploying agentic AI across distributed fleets, this closes gaps in traditional security tools that treat operational technology and internet-connected devices as separate problem sets. ServiceNow, used by 85% of Fortune 500 companies, now offers asset intelligence without requiring organizations to replace existing infrastructure—a decisive advantage when 39 billion connected devices are projected by 2030.

Market Implications for Security Buyers

The acquisition reframes procurement dynamics. ServiceNow directly competes with Microsoft's Defender for IoT and Cisco's Cyber Vision, but with deeper workflow integration for incident response and change management. Enterprises allocating 20-30% of security budgets toward converged platforms—per analyst benchmarks on total cost of ownership—gain unified asset tracking that eliminates the manual correlation between IT ticketing systems and OT monitoring consoles. This matters when AI-driven threats target edge devices: a single pane of glass for 7 billion endpoints reduces mean time to detect anomalies from hours to minutes in large-scale deployments.

For standalone IoT security vendors, the pressure mounts. Nozomi, Claroty, and Dragos must either consolidate or integrate more tightly with platforms like ServiceNow to remain competitive in enterprise RFPs. Their deep OT expertise remains valuable, but buyers increasingly favor vendors that embed asset intelligence into broader security operations rather than maintaining separate tools. ServiceNow's installed base gives it distribution advantage—existing customers can expand contracts rather than run parallel vendor evaluations.

KORE Shareholder Investigation Adds Vendor Risk

KORE Group's proposed sale to Searchlight Capital Partners and Abry Partners faces a shareholder investigation over board conduct and deal fairness, introducing instability for the IoT connectivity provider managing embedded security across distributed device fleets. The scrutiny delays deal closure and raises questions about leadership retention and product roadmap continuity—risks that matter when KORE's estimated $250M ARR in managed connectivity serves enterprises requiring multi-year contract commitments.

This uncertainty weakens KORE against stable competitors like Twilio's IoT Super SIM, Aeris, and Telit. Buyers hedging 10-20% of IoT connectivity spend toward alternative carriers to mitigate vendor concentration risk will likely accelerate those plans. Private equity buyers may refocus KORE on high-margin security add-ons post-acquisition, but the investigation creates a 2026 window where contract renewals carry execution risk. For procurement teams, this elevates vendor stability clauses and increases due diligence costs—a dynamic that favors large, publicly traded incumbents or newly consolidated players like ServiceNow-Armis.

NIST Guidance Raises Compliance Bar

NIST's draft guidance on securing AI systems and using AI for security operations targets AIoT deployments where on-device machine learning models expand attack surfaces alongside traditional firmware and network vulnerabilities. ENISA's 2025 Threat Landscape Report supports this, documenting AI infrastructure risks in IoT contexts managing 21 billion devices today. The guidance pushes demand toward vendors demonstrating NIST alignment—Armis under ServiceNow, Forescout, and Tanium gain advantage over tools built before AI workloads became standard at the edge.

Compliance costs are estimated at 5-15% of IoT capital expenditures for 2026 budgets, driven by mandatory AI security audits and Zero Trust architecture requirements in operational technology environments. This accelerates purchasing decisions toward platforms offering built-in audit trails and policy enforcement rather than bolt-on security products. Rust-based firmware from vendors like Ferrous Systems also gains traction for memory safety in AIoT applications—a technical shift that reduces exploit surfaces in devices with 10-15 year operational lifespans.

What to Watch

ServiceNow's integration execution over the next 12 months will determine whether the Armis acquisition delivers on its billion-device visibility promise or becomes another underutilized capability buried in a platform menu. Watch for customer announcements demonstrating pre-breach threat detection across merged IT/OT estates—proof points matter more than roadmap slides.

KORE's investigation timeline affects 2026 IoT connectivity contracts. If the deal closes without material changes, expect business as usual. If it collapses or restructures, enterprise buyers with KORE dependencies should have alternative carriers scoped by Q3 2026.

NIST guidance finalization will set the compliance baseline. Budget holders should allocate for AI security audits now rather than waiting for final publication—lead times for platform migrations that satisfy Zero Trust requirements in OT environments run 9-18 months. The window to avoid emergency spending in late 2026 is closing.