You've deployed an AI agent that handles employee onboarding. Another one processes expense reimbursements. A third flags payroll anomalies before the close. Each was demo'd beautifully. Each passed your internal review. But has any of them been independently tested against the actual attack vectors that break enterprise AI in production?
That question — uncomfortable as it is — sits at the heart of what Workday announced at DevCon in June 2026: a system called Agent Passport that tests and verifies every AI agent, whether built by Workday or a third party, before it goes live in an HR or finance environment. And it keeps monitoring after.
This isn't a marketing feature. It's a direct response to the realization that enterprise AI has moved fast enough to outpace the governance structures protecting the systems it touches.
The Problem Agent Passport Is Built to Solve
Ask yourself: what actually happens when an AI agent operating on your payroll data gets a carefully crafted prompt from a bad actor — or just makes a catastrophically wrong inference about a benefit election? Most enterprises have no clear answer. They know the agent was tested. They just don't know what it was tested for.
That distinction matters. Most agent security testing today is done by the vendor who built the agent. You get a "verified safe" label from the same company that wrote the code. That's not independent. It's not auditable. And it's not comparable across agents from different vendors.
Workday built Agent Passport around three principles: open standards, independent testing, and a signed, auditable record per agent.
Every attestation is tied to a public industry framework — OWASP LLM Top 10, NIST AI RMF, or MITRE ATLAS. These aren't Workday inventions. They're the same standards your security team already uses for application risk reviews. Now, for the first time, you can compare an HR automation agent against a finance reconciliation agent on exactly the same terms.
What Gets Tested
The specific attack vectors Agent Passport checks for are not hypothetical. They've been documented in production breaches and research: prompt injection (an external input overrides the agent's instructions), jailbreak and goal hijacking (the agent is manipulated into pursuing unintended outcomes), system prompt extraction (the agent's configuration and guardrails are exposed), employee data leakage (PII or compensation data surfaces where it shouldn't), and unsafe outputs (the agent produces responses that violate policy or legal requirements).
Each test result is signed by the partner that performed the testing — not by Workday. Cisco is the launch partner, bringing its AI Defense platform to provide the independent validation. That means when a security team reviews an agent's record, they're seeing attestation from a named third party that has skin in the game.
The three-layer structure of each agent's record matters for enterprise risk teams: the first layer defines broad trust domains (protection against attacks, safe runtime behavior, human oversight mechanisms); the second maps to specific, testable claims anchored in public standards; the third contains the signed results from the attesting partner.
What This Means for CISOs and CIOs
For the security leader, Agent Passport changes the conversation from "has this been reviewed?" to "what was it reviewed for, who did the review, and what's the signed record?"
That shift enables something that hasn't been possible before: comparing agents from different vendors on the same terms. If you're evaluating an HR onboarding agent from Workday, a finance reconciliation agent from a fintech startup, and a procurement agent from a third-party AI vendor, you've historically had three different vendor-produced security documents with no common language. Agent Passport gives you a baseline: any agent that clears the same OWASP LLM Top 10 checks has been held to the same bar, regardless of who built it.
For the infrastructure team, the real-time monitoring capability matters as much as the pre-deployment certification. When an agent attempts to execute a task, Agent Passport monitors in real time and either allows, blocks, or routes the action. If a vulnerability is discovered post-deployment — because the threat landscape changes, or because a new attack technique emerges — a single revocation can stop affected agents across the entire business, constrained by company policy. That's incident response for the agentic layer.
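The three-layer record and the allow/block/route decision described above, as an added example that is not Workday's or Cisco's code. The record layout, claim names, partner key and the meaning of "route" (send to human review) are assumptions, and HMAC-SHA256 stands in for the partner's signature scheme, which the article does not describe.

```python
import hashlib
import hmac
import json

# Constructed key; HMAC-SHA256 stands in for the partner's unspecified scheme.
PARTNER_KEYS = {"partner-a": b"constructed-demo-key"}
SIGNED_FIELDS = ("agent_id", "trust_domains", "claims", "results", "attested_by")

def _mac(record, key):
    # Deterministic serialization so signer and verifier hash identical bytes.
    body = json.dumps({f: record.get(f) for f in SIGNED_FIELDS}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def make_record(agent_id, results, partner="partner-a"):
    record = {
        "agent_id": agent_id,
        "trust_domains": ["protection against attacks",   # layer 1
                          "safe runtime behavior", "human oversight"],
        "claims": sorted(results),                         # layer 2
        "results": dict(results),                          # layer 3
        "attested_by": partner,
    }
    record["signature"] = _mac(record, PARTNER_KEYS[partner])
    return record

def decide(record, required_claims, revoked_agents):
    """Return 'allow', 'block' or 'route' (assumed: route = human review)."""
    if record["agent_id"] in revoked_agents:
        return "block"                      # one revocation stops the agent
    key = PARTNER_KEYS.get(record.get("attested_by"))
    if key is None:
        return "block"                      # attester is not trusted
    if not hmac.compare_digest(_mac(record, key), str(record.get("signature"))):
        return "block"                      # record changed after signing
    outcomes = [record["results"].get(c) for c in required_claims]
    if "fail" in outcomes:
        return "block"                      # a required test failed
    if any(o != "pass" for o in outcomes):
        return "route"                      # required claim never tested
    return "allow"

REQUIRED = ["prompt_injection", "system_prompt_extraction", "employee_data_leakage"]
full = make_record("agent-onboarding", {c: "pass" for c in REQUIRED})
partial = make_record("agent-expenses", {"prompt_injection": "pass"})
tampered = dict(partial, results={c: "pass" for c in REQUIRED})

if __name__ == "__main__":
    for rec in (full, partial, tampered):
        print(rec["agent_id"], decide(rec, REQUIRED, revoked_agents=set()))
```

The tampered record shows why the signature has to cover the results layer: editing results after attestation invalidates the record instead of upgrading the agent to "allow".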
What This Means for CFOs and CHROs
For business leaders, the risk calculus is simpler: the agents touching the most sensitive data in your enterprise (payroll, benefits, financial close, HR records) are also the ones where an error has the highest regulatory and reputational cost.
An AI agent that leaks employee compensation data, processes a fraudulent expense claim, or mishandles a termination workflow isn't just an IT problem. It's an employment law problem. A fiduciary problem. Potentially a front-page problem.
Workday's own framing is clear: "one insecure agent can leak employee data, break compliance, and put the company on the front page for the wrong reasons." That's not hyperbole. In conversations with HR and finance leaders over the past year, the single biggest blocker to expanding AI agent deployment isn't capability — it's the inability to answer the governance question: "How do we know this is safe enough to run unsupervised?"
Agent Passport is a direct attempt to make that question answerable before deployment, not after an incident.
The Broader Context: Enterprise AI Governance Is Becoming a Differentiator
Workday isn't alone in building for this moment. Across enterprise software, vendors are racing to create governance layers for the AI agents they've been shipping for the past 18 months. The pressure is coming from multiple directions simultaneously.
Regulators in the EU and US have moved from examining AI models to examining AI deployments — specifically the workflows where AI systems take consequential actions. HR, payroll, lending decisions, and financial reporting are at the top of that list. Any enterprise operating AI agents in those domains without auditable governance is accumulating regulatory risk.
At the same time, the data on AI governance outcomes has become compelling. Research consistently shows that enterprises with structured AI governance programs see dramatically higher rates of AI projects reaching production — the difference between a pilot graveyard and a functioning AI program isn't the model quality, it's the governance infrastructure.
The companies most likely to realize the ROI on their AI investments are the ones building governance capability now, before they need it in a crisis.
What Enterprises Should Do Now
Agent Passport enters early access in the second half of 2026, with general availability projected before year-end. The Workday-Cisco integration is active today.
If you're a Workday customer, three things are worth your immediate attention:
First, inventory your deployed agents. Most enterprises have deployed more agents than their security teams know about. Before you can certify them, you need to know what's running. This is not a Workday-specific problem — it's a category-wide issue that the SAP AI Agent Hub and ServiceNow Action Fabric are also addressing.
Second, review your current agent testing practices. If your vendor is the only one testing their own agents, you have a governance gap. That doesn't mean the agents are unsafe — it means you have no independent verification. Mapping your current agent portfolio against the OWASP LLM Top 10 is a starting point available to any security team today, regardless of which vendor built the agent.
Third, frame AI governance as a business enabler, not a blocker. The governance conversation in most organizations is stuck in "slow things down to manage risk" mode. The actual evidence points in the opposite direction: enterprises that invest in AI governance are the ones that succeed at deploying at scale. Agent Passport, framed correctly, isn't a reason to slow AI adoption — it's the infrastructure that makes confident expansion possible.
The Passport Metaphor Is Deliberate
The naming here is intentional. A passport doesn't tell you everything about a person — it tells you that a credible independent authority has verified their identity against a known standard. That verification travels with them. It can be checked at any point of entry.
That's exactly what Workday is building for AI agents. Not a certification that says "this agent is perfect." A verification record that says "this agent has been tested against these specific risks, by this specific independent party, as of this specific date."
In a world where enterprise AI agents are doing the work of processing thousands of payroll runs, managing benefit elections, and flagging financial anomalies — the passport metaphor isn't cute branding. It's the right mental model for how enterprise leaders should think about deploying AI in high-stakes workflows.
The question for enterprise leaders isn't whether to deploy AI agents. That ship has sailed. The question is whether you can answer the governance question before something goes wrong — and Agent Passport is among the most structured attempts yet to make that answer auditable.
Agent Passport enters early access in H2 2026. Current Workday customers can engage their account team for early access details. The Workday-Cisco partnership is active today, with joint capabilities rolling out over coming quarters.
Stay current on enterprise AI governance: follow @rajeshberi on X or connect on LinkedIn.
