Implement at the
speed of thought.

Yes — and it's the default, not a toggle. Phyllis has enterprise agreements with every model provider we route to: no data is retained, and nothing is ever used to train a large language model. ZDR is on for every tenant, out of the box.

Only scan findings. When you run Instance Scan directly from Phyllis, findings are stored in Phyllis so we can reason over them and remediate on approval. No CMDB data, no case content, no user PII. Nothing sent to the underlying models is retained, per the ZDR guarantee above. If you'd rather keep findings out of Phyllis entirely, run scans natively in ServiceNow instead — Phyllis will still offer remediations by referencing the findings.

Every user connects to their instance via OAuth, and all existing roles and ACLs are honoured. If they can't do it in the ServiceNow UI, they can't do it through Phyllis. Every action is attributed back to that user, so audit logs stay legible and least-privilege is enforced by the instance itself — not by a policy memo.

Phyllis only ever looks at what's necessary for the ask on hand — nothing more. No blanket access to things like HR case records, no pulling data it doesn't need to answer the question. And as covered above, every connection is OAuth-scoped to the user, so what they can't see in ServiceNow, Phyllis can't either.

The more customised, the better. Phyllis reads your actual business rules, ACLs, client scripts, Flow Designer flows, and ATF suites, then reasons about change against what's there — not against a textbook OOTB reference. The more customised the instance, the more value Phyllis adds relative to a generalist developer.

Yes. A workspace can connect any number of instances — dev, test, prod, per-region tenants, customer-specific clones. Phyllis keeps context separated per instance, and the deployment canvas shows recent activity across connected instances so the team has a shared view of what's been pushed.

Both. Phyllis is scope-aware: it understands scope boundaries, cross-scope references, restricted caller access, and which records should land in which scoped application. Changes are captured in the correct update set with the correct scope selected — never orphaned in Default or Global by accident.

Yes. Phyllis knows which scope every record lives in, so one conversation can move across as many scopes as the work requires. If a fix needs changes in scope A and a new record in scope B, Phyllis creates the update set in A, configures, switches scope, configures again, and keeps every change where it belongs. You always know which scope a given change will land in.

Phyllis was trained by CMAs and CTAs — with 40+ domain skills and 500+ tools on top, grounded in CMA-grade best practice. End-to-end, that covers discovery (reading your live instance), planning (scoped stories, sized, with acceptance criteria), building (AI Agents, Flows, Catalog Items, Business Rules, ACLs, Flow Designer flows, ATFs, Virtual Agent, Performance Analytics), monitoring (drift, broken references, failing ATFs), documentation (CMA-grade design docs), and deployment (update set staging, canvas, preview-problem resolution).

Multi-round by design. Phyllis builds up understanding across turns — you can refine a plan over five conversations, come back a week later, and context resumes. Every plan, build, and design doc is versioned, so you can fork, compare, or roll back any decision the conversation produced.

No. Everything Phyllis produces — update sets, ATF results, Instance Scan findings, design documents — stages for your review. Nothing commits to any instance without your approval. Problems are one click to re-prompt with full context preserved.

Four minutes. Register the OAuth app, connect your instance, and you're in. No training data uploads, no fine-tuning, no setup checklist — Phyllis is ready for real work the moment you're connected.

We don't pretend Phyllis can do everything. Today Phyllis has full domain-skill coverage for end-to-end implementations across Core Platform, Custom Apps, Now Assist, AI Agents, ITSM, ITOM, CMDB, CSM, Customer Success, HRSD, ER, LSD, SOM, CPQ, and SIR — with 100+ domain skills and 500+ tools spanning the rest of the platform. Vulnerability Response is in build. If there's no domain skill for what you're asking, Phyllis won't pretend, won't make it up, and won't bullshit you — Phyllis will say so, and tell you what's possible instead.

Phyllis indexes the ServiceNow Store and the plugin catalogue. Describe what you need in your own words — Phyllis matches candidates against your instance (version, dependencies, scope compatibility) and stages the install for your approval. No more guessing at exact plugin names.

ServiceNow's Certified Master Architect is the top architecture certification on the platform. Every plan, build, and design document Phyllis produces is held to the review standard a CMA would apply — executive summary, discovery findings, impact analysis, dependency mapping, cited sources, and a defensible recommendation the reviewer can sign.