Workday Puts a Passport Desk in Front of HR Agents
On June 2, at Workday DevCon in Las Vegas, Workday announced a product that sounds less like a software feature than a security desk at the entrance to the HR department.
Agent Passport will test and verify Workday-built and third-party AI agents before they enter production, then monitor them after deployment. Workday said each attestation will be tied to public standards such as OWASP LLM Top 10, NIST AI RMF, and MITRE ATLAS. Cisco is the first attestation partner, using Cisco AI Defense to test agents for prompt injection, jailbreaks, data leakage, system prompt exposure, and unsafe actions.
Workday did not pitch this as a general AI trust badge. It framed the problem around people and money. An agent that mishandles payroll, benefits, onboarding, approvals, or finance records can expose employee data, miss a paycheck, approve the wrong action, or leave a company unable to explain what happened. Dean Arnold, Workday’s vice president of AI Platform, put the risk plainly in the release: agents are now doing sensitive enterprise work, and one insecure agent can create a public compliance problem.
The same day, Workday also announced Developer Agent, Agent-Ready Tools, and broader Workday Build capabilities. Developer Agent lets developers build Workday apps and agents from agentic coding tools such as Claude Code, Cline, Codex, Cursor, and Google Antigravity. Agent-Ready Tools expose Workday business logic to agents over MCP while inheriting Workday’s security model, delegation rules, business process controls, and audit trail.
The commercial message is clear. Workday wants customers to build agents faster, bring outside agents closer to HR and finance data, and still trust the boundary.
That boundary is becoming a new buying surface.
For the last six weeks, HR AI buyers have been pushed toward live workflow access. Greenhouse launched MCP for governed access to Greenhouse data. Workable launched an MCP server with tools across jobs, candidates, pipeline stages, offers, requisitions, employees, time off, and calendar events. ServiceNow expanded AI Control Tower across enterprise systems. Microsoft put an agent registry inside the Microsoft 365 admin center. ICIMS and Aptitude found that 69% of companies already use AI somewhere in talent acquisition, while only 18% use it broadly across hiring processes.
Connection is no longer enough.
Buyers need to know who checks the papers before an agent acts.
June 2 Turned Agent Trust Into a Product Launch
Workday’s June 2 release matters because it joins three motions that many enterprise buyers still discuss separately: building agents, connecting agents, and verifying agents.
Developer Agent is the build motion. Workday is telling developers they can start from the coding tools they already use and ask for an agent in natural language. One Workday example was a finance alert agent that warns when a department is trending over budget. The broader implication for HR is obvious. A people operations team could want an agent that checks offer approval exceptions, flags delayed onboarding steps, summarizes leave conflicts, or reminds managers to complete structured interview feedback.
Agent-Ready Tools are the connection motion. Workday described them as connectors built for autonomous agents rather than traditional integrations. They are meant to give agents precise business logic and context, reduce hallucination and latency, and connect through MCP. In a Workday blog post by Gabe Monroy, the company described three paths: host an outside agent that calls Workday Agent-Ready Tools, run agents on Workday while surfacing them in a chosen front door, or use Sana from Workday as the full workspace.
Agent Passport is the verification motion. It decides whether an agent is safe enough to run, what it has been tested against, which partner signed the result, and what happens if conditions change after deployment.
Those three motions form a product stack:
| Motion | Workday product | Buyer concern |
|---|---|---|
| Build | Developer Agent and Workday Build | Who can create agents on HR and finance data, and how fast? |
| Connect | Agent-Ready Tools over MCP | Which tools can read or act on records, approvals, and policies? |
| Verify | Agent Passport with third-party attestations | Who tested the agent, against which standard, and can it be revoked? |
The ordering matters. Enterprise platforms have spent the last year encouraging teams to build and connect agents. The verification step has often remained softer: a vendor policy statement, a security review, a risk questionnaire, an internal checklist, or a demo of guardrails.
Workday is turning verification into a product object.
That does not make the problem solved. It makes the market easier to inspect. If every agent has a record, a standard, an attestor, a test category, a runtime status, and a revocation path, then buyers can compare agents in a way they could not compare generic claims about “safe AI.” They can ask whether a recruiting agent, a benefits agent, a payroll agent, and a finance agent passed the same test. They can ask whether a Workday-built agent and a third-party agent were held to the same bar. They can ask what changed between approval and production.
This is a different conversation from ordinary vendor trust.
In ordinary SaaS buying, the customer reviews security documentation, signs a data processing agreement, checks SOC 2, and moves on. In agent buying, the system may act in production. It can call tools, update records, trigger approvals, produce summaries, route cases, or advise a human reviewer. A once-a-year security file is too slow for that pattern.
Workday’s point is that the agent itself needs a continuing credential.
A Passport Has to Cover More Than a Scan
A passport desk is useful only if the stamp means something.
Workday said Agent Passport has three layers. The first covers broad trust areas that Workday defines and updates, such as attack protection, safe runtime behavior, and human oversight. The second converts those areas into specific testable claims tied to public standards. The third is the signed result from the partner that performed the test.
That structure is important because HR and finance agents fail in different ways from chatbots.
A chatbot can produce a poor answer. A payroll or recruiting agent can take an action that becomes part of an employment record. It can route an approval. It can update an employee case. It can draft a candidate summary. It can recommend a next step. It can expose data from a sensitive population. It can move faster than the human team can audit manually.
The passport has to cover at least five layers:
| Layer | Test question | HR example |
|---|---|---|
| Identity | Is this agent known, registered, and tied to an owner? | A custom onboarding agent has a named business sponsor and lifecycle owner |
| Permission | Can it only call tools and data allowed for its purpose? | A recruiter assistant cannot read payroll or employee relations notes |
| Behavior | Does it resist common agent attacks and unsafe instructions? | A prompt injection in a resume cannot make it export candidate data |
| Evidence | Does it leave a reviewable trace of tool calls and outputs? | A candidate summary points back to source records and timestamped actions |
| Revocation | Can the company stop or limit it quickly when risk changes? | A third-party agent loses write access after a failed runtime check |
The last layer is where Agent Passport becomes more than certification theater. Workday said that when an agent attempts to execute a task, Agent Passport will monitor in real time and allow, block, or route the action. It also said a single revocation can automatically stop, limit, or restrict affected agents based on company policy.
Revocation is the commercial edge.
Without revocation, verification becomes a launch checklist. A security team approves an agent, the agent enters production, and the organization hopes the model, tool route, data source, policy, vendor version, and attacker behavior do not change enough to invalidate the original review.
Agent risk does not stay still.
The agent’s risk can change when a new MCP server is added, a data field is exposed, a policy document is updated, a model route changes, a prompt template is revised, a vendor ships a new feature, or a user learns how to push the agent outside its intended task. A passport that cannot be suspended is just a laminated promise.
For HR, the ability to revoke matters because the workflow cannot always wait for a quarterly access review. A payroll action may need to be blocked before the coming pay run. A benefits agent may need to stop handling a special leave category. A recruiting assistant may need to be downgraded from write actions to read-only summaries after a candidate complaint. A manager-facing performance assistant may need to be isolated from compensation records until Legal reviews its output.
Buyers should therefore read every agent attestation as a control file, not as marketing collateral. The file should say what the agent was tested for, what it was not tested for, who signed it, when the test happened, what standards were used, what runtime signals are monitored, and which business owner can revoke or restrict it.
That file belongs in procurement, security, HR operations, finance, and legal review.
Cisco Gets the First Stamp
Cisco’s role is notable because Workday is not simply giving its own agents a Workday-grade approval label.
The release says Cisco AI Defense will independently test AI agents running in Workday against leading security standards before deployment and continue protecting them at runtime. The validations include resistance to instruction override, protection against system instruction exposure, safeguards against sensitive employee information leakage, and blocking harmful or policy-violating responses before they reach a user.
That creates a new split in the agent market.
One side is the platform that hosts the data, rules, business processes, and tools. Workday owns the HR and finance context in this case. The other side is the attestation partner that says an agent met a testable bar. Cisco is the first named partner, but the structure suggests a wider market for independent agent testing, security certification, compliance evidence, and runtime monitoring.
The split matters because HR AI vendors have an incentive problem.
A vendor that builds the agent wants the buyer to deploy it. A platform that hosts the agent wants adoption. A customer success team wants expansion. An internal team that built a custom agent wants credit for moving faster. None of those parties is naturally neutral.
Independent attestation does not remove conflicts. It reduces one of them. It creates a record from someone other than the agent’s builder.
Cisco has an incentive too. DJ Sampath, who leads Cisco’s AI Software and Platform group, framed the partnership around a signed record that security teams can read. That is the opening for a new buyer role. The security leader is no longer just asking whether Workday, Greenhouse, or a recruiting vendor passed an enterprise security review. They are asking whether each non-human actor has its own inspectable security file.
The distinction matters when the agent is built by a customer, tested by a security partner, hosted by Workday, surfaced in Copilot or Gemini, and connected to an ATS through MCP. The old vendor questionnaire cannot describe that chain with enough precision. A signed agent record can at least give the parties a common object to argue over.
That record could become valuable in four rooms.
The first is the security review. Security teams need to know whether an agent can leak data, accept hostile instructions, expose its own prompt, or perform unsafe actions. A signed test result gives them a baseline. It does not replace internal review, but it can make the review less dependent on vendor claims.
The second is the procurement review. Procurement can compare agents by what they have been tested against and which standards apply. A vendor that wants access to HR or payroll data may need to show the same passport categories as a Workday-native agent.
The third is the audit room. If an employee or regulator asks how the company approved an agent, the company can produce a record: the agent, the owner, the standard, the tests, the attestor, the date, the runtime status, and any revocation events.
The fourth is the renewal meeting. If the vendor wants expansion, the buyer can ask how many agents were verified, how many failed, how many had restrictions, how many were revoked, how many runtime blocks occurred, and which incidents required support.
This could change vendor behavior. A vendor with strong agent controls can use attestation as a sales advantage. A vendor with weak controls may resist standard comparison. A platform that wants to become the place where third-party agents act on HR data will need to show that third-party agents can be reviewed without giving every vendor a custom exception.
The strongest version of Agent Passport is therefore not one badge. It is a ledger.
Each agent should accumulate status over time: approved, restricted, failed, revoked, re-tested, transferred, deprecated, or retired. It should also show which capabilities are covered. A read-only analytics agent does not need the same bar as a payroll update agent. A benefits advice agent does not need the same evidence file as an interview scoring agent. A recruiter drafting assistant does not carry the same risk as a write-capable MCP agent that can move candidates through stages.
The passport desk needs categories, not blanket approval.
ServiceNow and Microsoft Already Built Different Desks
Workday is not alone in treating agents as assets that need governance.
On May 5, ServiceNow expanded AI Control Tower across five dimensions: discover, observe, govern, secure, and measure. The announcement said discovery spans systems beyond ServiceNow through 30 new enterprise integrations across AWS, Google Cloud, Microsoft Azure, SAP, Oracle, Workday, and other enterprise applications. It also said the product can monitor agent behavior at runtime, assess risk against NIST and EU AI Act-aligned frameworks, enforce least privilege, shut down agents that operate beyond permissions, and track cost and ROI.
That is a different desk from Workday’s.
Jon Sigler, ServiceNow’s executive vice president and general manager of AI Platform, described the gap as one between adoption and accountability. That framing is useful for HR buyers because it separates two executive promises. One promise says AI will reduce manual work. The other promise says the organization can still explain and control what the AI did. HR budgets are now being asked to fund both.
Workday starts from trusted HR and finance records. It wants outside and custom agents to enter those processes without losing Workday’s rules, approvals, and audit trail. ServiceNow starts from enterprise operations. It wants to map AI assets, workflows, identities, cost, and risk across the organization, including third-party systems and infrastructure.
Microsoft takes another approach. Its agent registry in the Microsoft 365 admin center gives administrators a centralized view of agents available to the organization, with agent types such as Microsoft agents, external partner-built agents, and agents published by the organization. Microsoft is making agents governable through the admin plane used by IT.
These three desks answer different buyer questions:
| Vendor surface | Starting point | Buyer question |
|---|---|---|
| Workday Agent Passport | HR and finance agent verification | Can this agent safely touch people and money records? |
| ServiceNow AI Control Tower | Enterprise AI governance and workflow control | Which agents, models, prompts, identities, workflows, and costs exist across the company? |
| Microsoft Agent Registry | Microsoft 365 admin governance | Which agents are available to users, who published them, and how are they managed? |
The competition is not only feature competition. It is jurisdiction competition inside the enterprise.
HR may prefer Workday to govern agents that touch payroll, benefits, recruiting, worker data, and finance approvals because Workday already understands the business object. IT may prefer Microsoft to register and manage agents that surface inside Microsoft 365. Operations may prefer ServiceNow because it connects governance to workflows, incidents, approvals, and CMDB context. Security may want all three records tied to identity, access, and detection tools.
That creates a new integration problem. A company may use a Workday-verified agent from a Microsoft front door that calls a ServiceNow workflow and reads a Greenhouse candidate record through MCP. Which desk is authoritative?
No single vendor can answer that alone.
Procurement should expect overlapping records. Workday can say whether an agent has been verified to touch Workday data. Microsoft can say whether the agent is visible and manageable in Microsoft 365. ServiceNow can say whether the agent’s actions are governed inside service workflows. Greenhouse or Workable can say what the agent did to recruiting records. Security can say whether the identity and network behavior matched policy.
That overlap is not waste. It is how evidence will be reconstructed.
The danger is assuming one control plane equals one source of truth. HR AI will not live in one system. Employees ask questions in Teams, Slack, Copilot, Gemini, and browser surfaces. Recruiters work in ATS, calendar, email, assessment, and sourcing tools. Managers read summaries in documents and dashboards. Payroll and finance actions land in HCM and ERP. Service cases live in workflow platforms.
An agent passport is strongest when it can travel across that route.
Recruiting Workflows Make Verification a Buyer Problem
Recruiting is where the passport idea becomes a buyer problem rather than a platform slogan.
On May 7, Greenhouse announced Greenhouse MCP, a governed way for approved AI tools to connect directly to Greenhouse. The company said it would roll out to customers starting in June. Greenhouse also said 30% of surveyed active job seekers were already using AI agents to search for openings, submit applications, and schedule interviews.
On May 13, Workable announced the general availability of its MCP Server. The release said compatible AI assistants could directly read and write Workable data across jobs, candidates, pipeline stages, offers, requisitions, employees, time tracking, time off, and calendar events. It said the product shipped with 38 MCP tools and was included across subscription plans. Workable also said it has supported more than 2.1 million hires and processed more than 930 billion AI tokens.
Those launches put recruiting data into the agent path.
ICIMS and Aptitude add the operator view. Trent Cotton, ICIMS’ head of talent insights, described the move from isolated AI use toward orchestration across sourcing, screening, and candidate engagement. Madeline Laurano of Aptitude warned that technology alone will not transform hiring without better decision-making and candidate trust. Tim Sackett, an Aptitude adjunct analyst, kept the human judgment point in the frame.
Those three comments describe the same pressure from different seats. TA operations wants orchestration. Recruiters want less administrative work without losing judgment. Candidates want a process that does not hide behind a machine. Legal wants a file that can be reviewed after an adverse outcome. A passport desk cannot satisfy all four needs by itself, but it can stop the organization from pretending that one approved connector solves them.
A recruiter can ask an assistant to find candidates stuck in phone screen. A hiring manager can ask for a shortlist. A TA operations lead can ask which roles have delayed feedback. An HR operations lead can ask about requisitions, time-off conflicts, or approvals. The assistant no longer needs a CSV export or a copied report. It can call live tools.
That is useful. It also means the buyer has to decide which agents are allowed near candidate records.
Candidate records are not ordinary productivity data. They contain resumes, interview notes, compensation expectations, demographic signals, assessment results, communications, scheduling history, referral context, and rejection reasons. In some workflows, they contain AI-generated material from the candidate and AI-generated material from the employer. A prompt injection hidden inside a resume, note, or attachment is not science fiction. It is a predictable risk when agents read untrusted candidate-provided text and can call tools.
The passport desk for recruiting should answer different questions from the payroll desk:
| Recruiting agent task | Verification issue | Required evidence |
|---|---|---|
| Candidate summary | Source fidelity and prompt injection resistance | Source links, ignored instructions, model route, reviewer note |
| Pipeline analytics | Permission scope and aggregate accuracy | Query scope, user identity, filters, data timestamp |
| Stage movement | Write authority and human approval | Tool call log, approver, reason, candidate notification status |
| Interview assistant | Disclosure, reviewability, and bias controls | Transcript, rubric, prompt version, human override path |
| Offer workflow | Compensation confidentiality and approval routing | Access record, approval trail, exception handling |
This is not just compliance. It is operating quality.
If a recruiter trusts a bad summary, the hiring manager may interview the wrong person. If an assistant creates a pipeline report using stale or partial data, TA operations may move recruiter capacity to the wrong role. If an AI tool writes candidate status updates without the right approval, the employer may create inconsistent candidate communications. If a model reads candidate-provided text without defenses, a malicious or accidental instruction could leak or alter data.
Greenhouse and Workable have both framed their MCP products around governed access, permissions, and live data. A Workday-style passport logic asks a harder question: has the specific agent been tested for the way it will act in that recruiting workflow?
This is where broad HR AI procurement changes. A buyer should stop asking only whether the ATS has MCP, whether the assistant works with ChatGPT or Claude, or whether the agent can save recruiter time. The purchasing team should ask for a pre-production verification file for each material workflow.
The file should name the agent, owner, use case, connected tools, data classes, write permissions, test standard, attestor, failure modes, runtime monitors, and revocation trigger.
If that sounds like too much paperwork for a recruiter assistant, the assistant may be doing less than the vendor claims. If it touches live candidate data and affects workflow decisions, the file is not paperwork. It is the cost of letting a non-human actor into the hiring process.
Colorado Adds a Documentation Clock
Regulation gives the passport desk a deadline.
Colorado’s SB26-189, signed in May, requires developers of covered automated decision-making technology that materially influence consequential decisions to provide deployers with technical documentation starting January 1, 2027. The summary lists intended uses, categories of training data, known limitations, instructions for appropriate use, and human review. Developers and deployers must retain records necessary to demonstrate compliance for at least three years. Deployers must give point-of-interaction notice and, after an adverse outcome, provide a plain-language description of the covered ADMT’s role within 30 days. Consumers can request personal data, correction of factually incorrect data, meaningful human review, and reconsideration.
Employment is a consequential decision category under the law.
This does not mean every HR agent is a covered ADMT in every use case. A drafting assistant that helps HR write a policy email is not the same as a model that materially influences candidate advancement, promotion, scheduling, compensation, or termination. The point is narrower and more practical: HR buyers need to know which agents can cross into covered-decision territory before they deploy them broadly.
Agent verification can become the map.
If a recruiter assistant only summarizes publicly available job descriptions, its passport may be simple. If it summarizes candidates, ranks applicants, drafts rejection reasons, recommends interview questions, or updates stage movement, the file becomes heavier. If it affects compensation, benefits, leave, performance, or internal mobility, the buyer needs a higher bar.
The Colorado rule structure also puts pressure on vendor documentation. A deployer cannot provide useful notice, explanation, correction, human review, or reconsideration if the vendor cannot provide technical documentation and records that survive scrutiny. A generic safety statement will not reconstruct a decision.
The passport file should therefore connect security testing to decision documentation.
Security asks whether the agent can be attacked, leak data, or act outside policy. Compliance asks whether the agent’s intended use, limitations, data categories, human review instructions, and decision role can be explained. Operations asks whether the agent can be paused, restricted, or replaced when the workflow fails. Procurement asks who pays for all of that.
Those are not separate files in practice. They are the same agent record viewed by different teams.
SHRM’s State of AI in HR 2026 shows why this matters. SHRM reported that 39% of organizations have AI adopted in HR functions and another 7% intend to launch this year. Recruiting is the most common HR AI practice area at 27%. Yet only 16% of HR professionals said they use their own ROI metric to assess AI success, and 56% said they do not formally measure the success of AI investments at all. SHRM also found that 57% of HR professionals in states with workplace-related AI laws were not aware of those policies.
This is the readiness gap the passport desk will run into.
Vendors are building faster ways to create agents. Platforms are creating easier ways for agents to call live tools. Regulators are asking for more documentation and review. Many HR teams still do not measure AI value formally and may not know which local laws apply.
The verification desk becomes a forcing mechanism. It can make the buyer classify the agent before rollout:
| Classification | Example | Buyer response |
|---|---|---|
| Low-risk productivity | Drafts internal FAQ text from approved policy | Standard security review and owner assignment |
| HR service action | Checks PTO balance or routes a benefits case | Identity, permission, audit, and service recovery checks |
| Recruiting evidence | Summarizes candidates or interview records | Source links, review packet, disclosure, and override controls |
| Covered decision support | Scores, ranks, recommends, or materially influences employment outcomes | Technical documentation, human review instructions, retention, and legal review |
| People and money action | Updates payroll, benefits, compensation, or approvals | Strong attestation, runtime monitoring, revocation, and incident response |
This table will be messy in real companies. The mess is the point. Agent verification exposes where the organization has not decided what an agent is allowed to become.
What Buyers Should Ask Before the Agent Gets In
The agent passport conversation should start before the pilot.
Once the agent is popular, the company loses bargaining power. Recruiters rely on the summaries. Employees use the HR service agent. Managers expect faster approvals. Finance likes the productivity story. IT has already wired the tool. Legal is told the workflow is business critical. At that point, a missing verification file becomes an operating dependency.
The purchasing team should ask nine questions before the agent enters production.
| Buyer question | Evidence to request | Owner |
|---|---|---|
| Who owns the agent? | Business sponsor, technical owner, support owner, retirement owner | HR operations and IT |
| What can it touch? | Data classes, tools, records, write actions, downstream systems | Security |
| What was it tested against? | Standards, test categories, date, attestor, failures, remediation | Security and procurement |
| What can it not do? | Excluded actions, known limitations, escalation rules | HR operations |
| How does human review work? | Reviewer role, evidence packet, override path, training | Legal and HR |
| What does it record? | Tool calls, source links, prompts where available, outputs, reviewer notes | Audit and data governance |
| How can it be stopped? | Revocation owner, runtime blocks, downgrade path, manual fallback | IT and operations |
| Who pays for evidence support? | Vendor support SLA, export fees, audit assistance, incident response | Procurement |
| How is value measured? | Cost, time saved, error rate, review quality, candidate or employee trust | Finance and HR |
Those questions will feel heavy to a team trying to ship an agent quickly. That tension is real. It is also why Workday’s packaging is commercially clever. Developer Agent sells speed. Agent-Ready Tools sell connection. Agent Passport sells the right to let speed and connection reach sensitive data.
Buyers should not let the passport become the only control. A signed attestation does not prove the workflow is good. It proves that a set of tests were run and a result was recorded. The customer still has to decide whether the agent belongs in the process, whether human reviewers have time and authority, whether users understand the limits, whether candidate or employee communications are adequate, and whether the vendor will support review requests.
Verification is the entrance check. It is not the operating model.
That distinction protects buyers from two opposite mistakes.
The first mistake is treating every agent as too risky. That slows useful automation and pushes teams toward shadow tools. A read-only HR policy assistant, a benefits FAQ summarizer, or a requisition analytics helper can produce value if it has scoped access, a named owner, and a clear escalation path.
The second mistake is treating every attested agent as safe for every use. A verified payroll agent may still be inappropriate for a special compensation exception. A verified recruiting assistant may still need role-specific disclosure. A verified case-routing agent may still need manual fallback for protected leave. A verified manager assistant may still be too risky for performance calibration.
The passport should include scope.
Scope is where budget enters. Attestation, monitoring, audit logging, incident support, evidence export, and human review all cost money. A company deploying ten low-risk assistants may not need the same verification budget as a company deploying a write-capable HR agent across payroll, recruiting, benefits, and finance approvals. A vendor that promises automation should show the cost of the controls required to make that automation defensible.
Finance should ask for the verification cost in the business case. Not as a footnote. As a line item.
The line item may include third-party testing, security review, legal review, policy mapping, human reviewer training, audit storage, support SLAs, incident playbooks, evidence export, and transfer support after termination. If the agent’s value disappears after those costs are included, the use case was weaker than the demo suggested.
If the value holds, the agent is more likely to survive real scrutiny.
Ninety Days Later, the Stamp Has to Hold
Picture the first quarterly review after a large HR agent rollout.
Security has the passport records. HR operations has the service metrics. Finance has usage and support costs. Legal has a list of notice and review obligations. Recruiting has candidate files touched by AI. Payroll has exceptions that required manual correction. The vendor has an adoption deck.
The meeting should not start with adoption.
It should start with the exceptions.
Which agents were blocked? Which tool calls were routed to manual review? Which agents changed scope? Which users tried to push the agent outside its intended task? Which candidate or employee files needed reconstruction? Which third-party attestations expired or required re-testing? Which agents produced enough value to justify their verification cost? Which should be retired?
If the passport desk cannot answer those questions after 90 days, the stamp did not travel into operations.
The useful metric is not how many agents were approved. It is how many agent actions remained explainable after they touched real work.
That is the buying surface Workday exposed on June 2. The company is not only selling customers more ways to build agents. It is selling a way to say which agents are allowed to stand at the edge of payroll, benefits, finance, recruiting, and HR service work.
ServiceNow, Microsoft, Greenhouse, Workable, Cisco, and other vendors will all have their own version of the answer. Some will start from enterprise workflow. Some will start from admin registry. Some will start from ATS data. Some will start from security testing. The buyer’s job is to make those records meet inside one operating file.
Before an HR agent updates a record, moves a candidate, answers an employee, or touches a paycheck, it should be able to show more than a demo.
It should show who tested it, which standards applied, what it can touch, what it cannot touch, who can stop it, and what record will remain if someone asks later.
That is what a passport desk is for.
This article provides a deep analysis of Workday Agent Passport, HR AI verification, third-party attestation, MCP recruiting workflows, and agent governance for people and money systems. Published June 6, 2026.