Change advisory boards are overwhelmed, under-resourced and often rubber-stamping risks they haven’t had time to properly assess. What if an AI agent could do the heavy lifting, and even do it better?

Change enablement is one of those IT service management processes that everyone agrees is important and almost nobody thinks works well. The theory is sound: proposed changes to IT services and infrastructure should be assessed for risk, approved by the right people and implemented in a controlled manner. The reality, in most organizations, is rather less elegant.

This is the second post in our series exploring how agentic AI, grounded in trusted cyber asset intelligence, can deliver immediate value in ITSM and IT operations. In our first post, we made the case that AI agents are only as good as the data behind them. Now we put that principle to work with a concrete use case: building a change manager agent that can assess, recommend and – in many cases – autonomously approve change requests.

The Problem With Change Enablement Today

Most organizations operate with three categories of change: standard, normal and emergency.

• Standard changes are pre-approved and repeatable: deploying a routine patch, provisioning a standard laptop.
• Emergency changes are, by definition, urgent and follow an expedited path.
• It is the normal changes – the bulk of what lands in the change pipeline – that cause the headaches. Normal changes require approval. In larger organizations, this means a change advisory board, or CAB: a group of individuals who meet periodically to review proposed changes, assess the risks and decide whether to approve or decline each request. In principle, this is governance. In practice, it is often a bottleneck.

The problems are well documented and widely felt:

• Volume overwhelm. The sheer number of changes raised means the CAB tends to focus on the high-priority items. Lower-priority changes receive cursory attention at best, and risky ones can easily slip through.
• Incomplete change requests. Too often, the change records themselves lack the necessary context. They may include the implementation steps but omit a credible back-out plan, testing evidence or a proper risk assessment.
• Labor-intensive reconciliation. Board members are expected to cross-reference change requests against incident history, asset criticality, service dependencies and current risk exposure, often manually, often under time pressure, and often with incomplete information.
• Inconsistent decision-making. When humans are tired, rushed or simply faced with too many decisions, quality suffers. What gets approved on a quiet Tuesday afternoon might be declined on a frantic Friday morning, and vice versa.

The result is a process that is simultaneously too slow for the teams requesting changes and too superficial to catch the risks it was designed to manage. Something has to give.

Enter the Change Manager Agent

The idea is straightforward in concept, even if the execution requires care: use an agentic AI to do the heavy lifting that the CAB currently struggles with. Not to remove human oversight entirely, but to ensure that when humans do need to make a judgement call, they are making it with full context, a clear risk assessment and a well-reasoned recommendation already in front of them.

Here is what the change manager agent does, step by step.

1. Assess the Change Request Itself

The agent begins by examining the content of the change request as submitted: the description of the proposed change, the method of implementation, the identified risks, the back-out and recovery plan, and any testing evidence provided. It evaluates completeness: are all the required fields populated? Is the back-out plan credible? Does the testing evidence actually relate to the change being proposed?

If the change request is incomplete, the agent can flag the gaps and return it to the requester before it ever reaches the approval stage, eliminating one of the most common sources of wasted CAB time.

2. Examine the Historical Context

No change exists in isolation. The agent looks at the history: previous changes made to the same service or the same impacted assets, their outcomes, whether they caused incidents, and how similar changes raised by the same team or individual have fared in the past. A team with a track record of clean implementations presents a different risk profile to one whose last three changes caused outages.

3. Evaluate Real-Time Conditions

This is where the agent moves beyond what any human CAB member could reasonably be expected to do in a periodic review meeting. It checks the current state of play:

• Are there ongoing incidents affecting the services or assets in scope? Implementing a change on a service that is already degraded is a different proposition to changing one that is running cleanly.
• Is a change freeze in effect? This sounds basic, but changes raised during freeze periods do slip through manual processes.
• What is the criticality of the impacted assets and services? Are they business-critical? Do they support revenue-generating functions or regulatory obligations?
• What is the current risk exposure? Are there known vulnerabilities on the impacted assets? Are there unresolved security concerns? Is the infrastructure still under vendor support, or has it reached end of life?
• What about warranty and lifecycle status? Making changes to hardware that is no longer supported by the manufacturer carries a different risk to changing assets under full warranty and support.

4. Deliver a Recommendation

Having ingested and analysed all of this context, the agent produces a recommendation: approve, conditionally approve or decline.

• Approve: the change is low-risk, well-documented, consistent with historical patterns and not affected by any current risk factors. It can proceed without further human review.
• Conditionally approve: the change is broadly acceptable but has elements that warrant a second pair of eyes. Perhaps the impacted service is unusually critical, or there is a concurrent incident that introduces uncertainty. The agent flags the specific concerns for human review.
• Decline: the change presents unacceptable risk, is incomplete, conflicts with a change freeze, or targets assets with known vulnerabilities that should be addressed first.

The effect is transformative. Low-risk changes that are within the organisation’s risk appetite flow through automatically, without waiting for the next CAB meeting. The human advisory board – freed from the drudgery of reviewing dozens of routine changes – can focus its attention and expertise on the subset that genuinely requires human judgement. The quality of decisions goes up. The speed of approvals goes up. The risk of something slipping through goes down.

The Data Foundation: Why Asset Intelligence Matters Here

If you read the first post in this series, you will recognize a familiar theme: the agent’s ability to make sound recommendations depends entirely on the quality and completeness of the data it can access.

Consider the real-time checks described above. To assess whether impacted assets have known vulnerabilities, whether they are end-of-life, whether they are under warranty, whether they are critical to the organization – the agent needs a trusted, continuously updated source of cyber asset intelligence. This is not information that lives natively in most ITSM platforms. It requires deep, automated discovery across the technology estate, exactly what platforms such as Lansweeper provide.

That context can be delivered to the agent in several ways:

• Data synchronization: Lansweeper data is synced into the ITSM platform’s asset repository or CMDB, making it available to the agent as a native data source within the service management environment.
• Direct API calls: the agent queries Lansweeper’s API in real time as part of its assessment workflow, pulling the specific asset intelligence it needs for each change request.
• MCP server integration: as the Model Context Protocol matures, direct agent-to-agent communication via MCP servers will enable seamless, standardized access to Lansweeper’s cyber asset intelligence without bespoke integration work.

The delivery mechanism matters less than the principle: the agent must have all the knowledge and context it needs. Context from the ITSM platform itself – previous changes, incident history, the information provided on the change request. And context from the asset intelligence layer – the current state, risk posture, lifecycle status and criticality of every asset and service that the change will touch.

Without both, the agent is making recommendations with one eye closed.

What This Means in Practice

The change manager agent does not eliminate the need for human governance. It elevates it. Instead of spending an hour in a CAB meeting scrolling through 40 change requests – half of them routine, a quarter of them incomplete – the board receives a curated shortlist of conditionally approved changes, each accompanied by a detailed risk assessment and a clear explanation of what the agent has flagged and why.

The humans do what humans do best: exercise judgement on the hard calls. The agent does what agents do best: process large volumes of data, apply consistent criteria, check everything that should be checked, and never have a bad Friday afternoon.

Coming up Next

This is the second in our series on agentic AI in IT service management and operations. In upcoming posts, we will explore:

• Automated ticket enrichment and resolution: how asset context turns vague service requests into something an agent can act on autonomously.
• Proactive incident detection and remediation: how continuously updated asset intelligence enables agents to spot and address problems before users even notice.
• Zero trust security policy enforcement: how agents grounded in real-time asset data can continuously validate and enforce security policies across the estate.

Each of these use cases shares the same foundational requirement: trusted, comprehensive, continuously updated Cyber Asset Intelligence. The agent is only as good as the data behind it. Get the data right, and the possibilities are genuinely transformative.