Solving the Enterprise AI Governance Gap: Lessons from Workday’s Agent System of Record
Enterprise AI adoption is currently hitting a significant bottleneck. While large language models (LLMs) continue to improve in reasoning and performance, the actual deployment of AI agents within corporate environments often stalls. The challenge isn’t a lack of intelligence; it is a fundamental issue of permissioning and governance. Organizations are struggling to define what an agent is allowed to touch, on whose behalf it is acting, and how the system validates those actions in real-time.
To address this, companies are moving toward a “system of record” approach to AI. By anchoring agent governance within the same systems that manage human resources and financial data, enterprises can ensure that AI behavior adheres to established corporate security and compliance standards.
The Governance Challenge in AI Deployment
According to Gerrit Kazmaier, president of product and technology at Workday, many organizations encounter friction when they attempt to build “do-it-yourself” AI solutions by connecting models directly to raw, unstructured data. In these scenarios, the richness of existing security models is often lost, leading to overly broad results or unauthorized data access.
The core issue is that accuracy in HR and finance is binary—”almost right” is effectively wrong. Whether it involves processing payroll, managing work schedules, or closing financial books, errors in automated workflows can have immediate, tangible consequences. Because these processes often lack a secondary “correction loop” before the damage is done, the underlying reasoning layer must be strictly governed by business process logic and role-based security.
Architecting for Trust and Compliance
Workday’s strategy for managing this risk involves using its Sana platform, which launched in March 2026. The platform utilizes a reasoning layer—specifically integrating with Gemini Enterprise—while keeping the context engine and business logic within the Workday environment. This architecture allows the system to “interrogate” AI outputs using verification and classification models before any action is executed.
Identity is the final piece of the puzzle. By leveraging existing organizational structures, the system ensures that an AI agent acts only within the scope of the human user it is representing. If a user is authenticated and authorized within the Workday security model, the agent operates under those exact same permissions. This approach ensures that audit trails remain intact, with the system of record maintaining the definitive history of both human and agent activity.
Why the System of Record Matters
For practitioners in highly regulated industries, the consensus is that governance cannot exist as a separate, disconnected layer. Dan Obendorfer, director of product at Würk, emphasizes that if permissions are defined outside of where the data lives, the integrity of the system is already compromised. Similarly, Kadan Stadelmann, CTO and co-founder of Compance.AI, notes that without clear agent ownership and accountability, organizational chaos is the likely result.
Key Takeaways for Enterprise Leaders
- Governance is Primary: Do not treat AI agents as standalone IT experiments; they must be managed as workforce investments with clear accountability.
- Context is King: AI agents require business context—such as HR hierarchies and financial permissions—to perform accurate, secure tasks.
- Unified Audit Trails: Ensure that interaction logs and execution records stay within your primary system of record to maintain compliance.
- Verification Layers: Implement classification and verification models to review AI outputs before they trigger changes in sensitive business data.
The Future of the Human-Plus-Agent Workforce
As the enterprise landscape shifts toward a “human-plus-agent” model, the ability to govern emergent behavior will become the primary differentiator for successful AI implementation. The goal is to move beyond basic visibility and track the actual impact of these agents on organizational performance. By treating AI agents with the same level of rigorous oversight applied to human employees and financial processes, companies can unlock the potential of enterprise AI with the confidence required for large-scale operations.