
Enterprise AI agents are hitting a wall, and it’s not about how smart the models are. The bottleneck comes down to permissions: what an agent can touch, who it acts for, and how the system knows the difference. Workday’s answer is to turn its existing system of record into the governance layer for those agents.
Gerrit Kazmaier, the company’s president for product and technology, said in an interview that customers struggle when they try to piece together their own solutions for agent permissions. “Sana makes sure the integrity of the approvals and security model is always adhered to,” Kazmaier said. “Frankly, that’s where customers struggle when they try to build do-it-yourself AI by just accessing raw data, so the richness of the security model gets lost, and the results become overly broad.”
The company launched Sana in March. Workday recently expanded its partnership with Google to bring the agent platform to Gemini Enterprise, making agents built on Sana discoverable there as well.
Accuracy is the hard part
Kazmaier said the biggest challenge was ensuring accuracy for HR and finance users. “Almost right is not acceptable,” he said. “Think about paying people correctly, closing the books or managing work schedules reliably.” This is where SQL errors can be particularly problematic.
Accuracy is harder to evaluate in this context than in most AI applications. Policy configurations, role-based security, and organizational hierarchies are deeply connected. A small error compounds quickly. And unlike most generative AI outputs, HR and finance queries often lack a correction loop. By the time a paycheck processes incorrectly or an interview gets scheduled wrong, the damage is already done.
The company’s technical approach involved building Gemini in as its base reasoning layer, then adding its own context engine and business process logic on top. It also added verification and classification models that interrogate outputs before execution.
Accuracy and identity are the same issue: does the system know enough about the agent, the authorizing human, and the current state of the record to act correctly? Workday can infer organizational structures from the data customers already provide. Third-party identity providers like Okta already verify their information by checking Workday, so Workday’s context is the system of record for many enterprises.
Identity and permissions are the same problem
Kazmaier said the Self-Service Agent uses Google’s model as the conversational surface to trigger a workflow. The user is then authenticated and authorized through Workday’s identity and security model. Agents will only act on behalf of that user and work within their current permissions. This approach to AI production insights is key to ensuring secure and accurate operations.
Audit trails follow the same logic. Gemini retains only interaction logs, while the main audit trail stays with Workday and its customer.
For practitioners in HR and finance, the permission and governance layer in the agent system of record is key in regulated spaces. Dan Obendorfer, director of product at Würk, put it bluntly in an email. “It has to live in the system of record, that’s not a preference, that’s the only way it works,” he said. “If your permissions are defined somewhere outside of where the data actually lives, you’ve already lost.”
Kadan Stadelmann, chief technology officer and co-founder of Compance.AI, made the same point separately. “Without agent ownership, performance, costs or actions, chaos ensues.” The system works by what it knows about who you are, which is the hard part to get right.