AI-triaged ServiceNow P1/P2 incident alerts in Slack

Build an agent workflow that triages fresh high-priority ServiceNow incidents and posts a pre-classified summary into Slack so responders can act without manually skimming the queue.

Trigger: a cron schedule that fires every 15 minutes during business hours (default to weekdays 8am to 6pm in the workspace's local time, but make this easy to change). ServiceNow does not have a first-class poll trigger here, so use cron and filter on the server side.

On each run, call the ServiceNow List Incidents action with a sysparm_query that filters to: state = 1 (New), priority IN 1,2, and sys_created_on greater than 15 minutes ago. Ask ServiceNow for display values so caller_id and cmdb_ci come back as human-readable names, and include at minimum: number, sys_id, short_description, description, priority, state, caller_id, cmdb_ci, assignment_group, category, subcategory, sys_created_on.

For each incident returned, reason over the short_description, description, caller, and affected configuration item to produce:

1) A best-guess category and subcategory drawn from common ITSM taxonomies (network, hardware, software, database, access, email, etc.) or from any taxonomy the user has shared with the agent.

2) A suggested assignment group name. If the user has shared a list of real group names, pick from that list; otherwise propose a sensible generic name and flag that it is a guess.

3) A one-paragraph plain English summary (three to five sentences) covering the observed symptom, the likely user or business impact, and a recommended first action for the responder.

Then call the ServiceNow Update or Resolve Incident action to append the classification and assignment suggestion to the incident's work_notes field. Format the work note clearly as an AI suggestion, for example: "AI triage suggestion — Category: Network / WAN. Suggested assignment group: Network Operations. Summary: ..." Do not change state, priority, assigned_to, or assignment_group; humans make the final call.

Finally, post one Slack message per incident to a dedicated channel (default #incident-triage, configurable) using the Slack Bot Send a Message action. Use Slack mrkdwn formatting with a structure like:

• A header line with a priority badge (🔴 for P1, 🟠 for P2), the incident number, and the short description. • Caller and affected configuration item. • AI summary paragraph. • Suggested category / subcategory and suggested assignment group, clearly labeled as AI suggestions. • A deep link back to the ServiceNow record using the instance URL plus /nav_to.do?uri=incident.do?sys_id={sys_id}.

Behavior rules: never escalate, reassign, resolve, or close incidents automatically — the agent only reads, writes work_notes, and posts to Slack. If the List Incidents call returns zero new incidents, do nothing (no "all clear" message). If a Slack post fails, retry once; if a ServiceNow update fails, still post to Slack so responders are not blind. Keep the schedule window aligned with the cron cadence so an incident is posted exactly once.

Inputs to ask the user during setup: ServiceNow connection, Slack Bot connection, target Slack channel, business hours window, list of real assignment group names (optional but improves suggestions), and any taxonomy hints for category/subcategory.

Additional information

What does this prompt do?

Watches ServiceNow for newly opened priority 1 and priority 2 incidents that are still sitting in the New queue.
Reads the short description, full description, caller, and affected service for each one, then writes a clear summary covering the symptom, likely impact, and a recommended first action.
Suggests a category, subcategory, and assignment group, and writes the suggestion to the incident's work notes so the on-call engineer can see and override it.
Posts a tidy Slack message to your incident triage channel with the incident number, priority, AI summary, suggested owner, and a direct link back to the ServiceNow record.

What do I need to use this?

A ServiceNow login with permission to read incidents and append work notes (usually any agent or ITIL role).
A Slack workspace and the channel where you want triage updates to land, for example #incident-triage.
A rough sense of your assignment groups so the AI can recommend one of the names your team actually uses.

How can I customize it?

Change the cadence or business hours window (every 5 minutes, only weekdays 8am to 8pm, 24/7, your call).
Adjust which priorities and states are included, for example add P3 or include incidents already in In Progress.
Tell the agent the names of your real assignment groups so suggestions match your org instead of guessing.
Swap the destination channel, route different priorities to different channels, or @-mention an on-call user group for P1 only.

Frequently asked questions

Does this auto-assign or resolve incidents on its own?

No. The AI only writes its suggested category, subcategory, and assignment group into the incident's work notes. A human responder still makes the final call on routing and resolution.

Can I limit it to certain assignment groups or business services?

Yes. Tell the agent which groups, business services, or configuration items you care about and it will filter the ServiceNow query before pulling anything into Slack.

What happens outside business hours?

The schedule only fires during the hours you specify. You can extend it to 24/7 if you want overnight coverage, or split it into a tighter cadence during peak hours and a slower one off-hours.

Will I get duplicate Slack messages for the same incident?

No. The workflow only looks at incidents created in the most recent window, so each new incident is posted once when it first appears.

Do I need an enterprise Now Assist license for this?

No. The AI summarization and classification happens in General Input, so you do not need ServiceNow's own AI add-on. You only need a ServiceNow account that can read incidents and add work notes.