The AI agent revolution isn't waiting on GPT-5 — it's waiting on someone to figure out who can tell the bot to fire someone.

The Summary

The Signal

Enterprise AI agents are hitting a wall that has nothing to do with reasoning benchmarks or context windows. The problem is simpler and harder: nobody knows what to let them touch.

Workday's president Gerrit Kazmaier laid it out clearly. When companies build DIY agent workflows by letting LLMs query raw databases, they lose the security model. The agent gets too much access, returns overly broad results, or worse, executes actions it shouldn't. The richness of who-can-do-what gets flattened. Workday's solution is to make its existing system of record the governance backbone for agents, so its Sana agents inherit the same role-based permissions, approval chains, and policy hierarchies that already govern human users.

This isn't just an enterprise software play. It's a preview of the core infrastructure problem for Web4: delegation at scale. If agents are going to act on our behalf, they need identity, scopes, and revocable permissions. Not vague prompt guardrails. Actual access control.
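To make the distinction between prompt guardrails and access control concrete, here is an added example (not Workday's or Sana's code): a deny-by-default check in which an agent's effective permission is the intersection of the scopes delegated to it and the role permissions of the user it acts for, with revocation and an approval step. The role names, actions, users, and the rule that an approver must be a different person holding the required role are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: roles, actions and users are hypothetical.
ROLE_PERMISSIONS = {
    "hr_manager": {"employee.read", "interview.schedule", "employee.terminate"},
    "recruiter": {"employee.read", "interview.schedule"},
}
USER_ROLES = {"alice": "hr_manager", "carol": "hr_manager", "bob": "recruiter"}
# Actions that need sign-off from a human holding the named role (assumed policy).
APPROVAL_REQUIRED = {"employee.terminate": "hr_manager"}


@dataclass
class Delegation:
    """A revocable grant letting one agent act for one user within named scopes."""
    agent_id: str
    on_behalf_of: str
    scopes: frozenset
    revoked: bool = False


def authorize(grant, agent_id, action, approved_by=None):
    """Return (allowed, reason). Every path that is not explicitly allowed denies."""
    if grant.revoked:
        return False, "delegation revoked"
    if grant.agent_id != agent_id:
        return False, "grant not issued to this agent"
    if action not in grant.scopes:
        return False, "action outside delegated scopes"
    # The agent can never exceed what the delegating human may do.
    user_perms = ROLE_PERMISSIONS.get(USER_ROLES.get(grant.on_behalf_of), set())
    if action not in user_perms:
        return False, "delegating user lacks this permission"
    needed_role = APPROVAL_REQUIRED.get(action)
    if needed_role is not None:
        if approved_by is None:
            return False, "approval required"
        # Assumed separation of duties: the delegator cannot self-approve.
        if approved_by == grant.on_behalf_of or USER_ROLES.get(approved_by) != needed_role:
            return False, "approver not valid"
    return True, "ok"


if __name__ == "__main__":
    g = Delegation("agent-1", "alice", frozenset({"interview.schedule", "employee.terminate"}))
    for act, who in [("interview.schedule", None), ("employee.read", None),
                     ("employee.terminate", None), ("employee.terminate", "carol")]:
        print(act, who, authorize(g, "agent-1", act, approved_by=who))
```

The check runs outside the model: whatever the agent is prompted to do, an action that fails `authorize` is never executed.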

"Think about paying people correctly, closing the books or managing work schedules reliably. Almost right is not acceptable."

The accuracy challenge here is different from chatbot hallucinations. HR and finance queries don't have correction loops. By the time you realize the agent scheduled interviews with the wrong candidates or processed payroll based on outdated org charts, the damage is done. Workday's approach: layer Gemini for reasoning, then add its own context engine, business process logic, and verification models that interrogate outputs before execution. Workday is treating agent accuracy as an identity problem: does the system know who this person reports to, what their pay grade is, and what approvals are required for this action?

Key differences from consumer AI:

  • No "regenerate" button when the agent fires someone
  • Policy configurations and role hierarchies are deeply interrelated — one error compounds across the system
  • Enterprise users expect the same governance from agents that they have for human employees

The Workday-Google partnership brings Sana agents into Gemini Enterprise, making them discoverable across the Google workspace. That's the wedge: agents built on a system of record show up where employees already work, but with permissions baked in from day one. It's a direct counter to the "just let the LLM query everything" approach that most startups are taking.

This matters because the permission problem doesn't get easier as agents get smarter. It gets harder. More capable agents need tighter controls, not looser ones. The companies that solve agent governance now will own the rails that Web4 runs on. Workday is betting that the best governance layer already exists — it's the one that tracks who works where, who reports to whom, and who can approve what. They're not building new infrastructure. They're turning old infrastructure into the control plane for autonomous systems.

The Implication

If you're building agents for enterprise, permission architecture is now table stakes. Raw LLM access won't cut it. Expect more platforms to retrofit their access control systems as agent governance layers. The companies with the richest identity graphs and approval workflows have the shortest path to trusted automation.

For everyone else: watch where the agent permission standards land. OAuth for humans took years to settle. Agent delegation standards are being written right now, in products like this.

Sources

VentureBeat