Enterprise finance agent handoffs turn into KYA evidence

When enterprise AI agents move HR and finance work across Gemini, Workday, A2A, A2UI, and MCP-style handoffs, Know Your Agent becomes the evidence layer for who initiated the workflow, what authority moved with it, and which system enforced the approval boundary.

Daily signal: Workday and Google Cloud announced an expanded partnership on May 28, 2026 to bring HR and finance agents into Gemini Enterprise, with Workday permissions, business rules, approvals, Data Cloud access, and support for Agent-to-Agent, Agent-to-UI, and Model Context Protocol approaches. This is an enterprise workflow and governance signal, not a formal Know Your Agent rule.

Why this matters for KYA

Finance agents are no longer only narrow tools that answer accounting questions. The new enterprise pattern is a multi-agent workflow: one agent receives the request, another retrieves HR or finance context, another opens a case or request, and a system-of-record layer applies permissions, business rules, and approvals.

That pattern is useful, but it also creates a KYA problem. A reviewer cannot stop at the user identity or the model name. They need a readable chain of delegated authority: which agent handled which step, what data boundary applied, whether a handoff changed the mandate, whether an approval was required, and what evidence remains if the action is challenged by finance, audit, privacy, or a regulator.

Screenshot-ready KYA compliance comparison table

| KYA dimension | Weak enterprise-agent posture | Production-grade KYA posture | Evidence reviewers should expect |
| --- | --- | --- | --- |
| Operator identity | The workflow records the employee and vendor platform, but not the specific agent that interpreted or advanced the finance request. | Each Workday, Gemini, third-party, or internal agent has a stable identity, owner, version, purpose, deployment state, and system-of-record mapping. | Agent registry ID, provider, model or agent version, business owner, employee requester, service account, deployment record, lifecycle status. |
| Agent mandate | A conversational request such as create an expense case or check card eligibility becomes the only description of authority. | The mandate separates answering, data retrieval, eligibility analysis, case creation, approval routing, bulk manager action, and prohibited execution. | User prompt, workflow intent, allowed task class, policy basis, approval requirement, exception reason, revised mandate, rejected action logs. |
| Wallet and custody | Corporate card, payroll, travel, or payment context is treated as ordinary enterprise data rather than financial authority evidence. | Any agent touching spend guidance, card eligibility, payroll input, expense policy, or payment-adjacent workflow is tied to account, role, limit, and approval controls. | Corporate-card eligibility record, expense policy scope, payroll-input role, spend limit, funding or reimbursement perimeter, approver chain. |
| Tool and venue access | A2A, A2UI, MCP, marketplace agents, and data-cloud access are described as integrations without per-tool risk classification. | Every handoff and connector is permissioned by tool, system, data class, action type, and whether the agent can only read, draft, submit, approve, or execute. | A2A handoff receipt, A2UI action record, MCP tool list, Workday permission set, Gemini Enterprise scope, Data Cloud query boundary, third-party agent scope. |
| Audit trail | The system logs final case, request, or approval state, while intermediate agent reasoning and cross-agent handoffs remain fragmented. | The evidence chain links requester, agent, handoff, policy check, data access, draft action, approval, submission, result, and post-event change history. | Run ID, handoff ID, data query, policy check, approval event, case ID, workflow timestamp, manager bulk action, audit export, exception queue. |
| Security and abuse | Trust depends on platform-level security while prompt injection, overbroad tool scopes, silent handoffs, and excessive permissions are handled later. | Security controls inspect tool calls, enforce least privilege, block out-of-mandate actions, monitor anomalous handoffs, and make revocation immediate. | Least-privilege review, prompt/tool guardrail, anomaly alert, blocked action, revocation record, DLP signal, incident note, access recertification. |
| Jurisdiction fit | Global HR and finance agents apply a single workflow without preserving local employment, payroll, data-transfer, outsourcing, or financial-control constraints. | The KYA file records country eligibility, data residency, employment-law boundary, finance policy, outsourcing posture, and local approval requirements. | Country scope, data-residency evidence, HR policy jurisdiction, payroll restriction, APAC privacy basis, outsourcing review, complaint or escalation route. |

The compliance lesson

Enterprise finance agents make the handoff itself a compliance object. A finance request that starts in a general AI workspace may cross a marketplace agent, a Workday agent, a data-cloud query, a policy engine, a manager approval chain, and a case workflow before anything visible happens to the employee.

KYA should preserve that chain in a format finance, security, audit, and legal teams can read. The practical question is not whether an agent produced a useful answer. It is whether the organization can prove the answer or action stayed inside the employee's role, the agent's mandate, the system-of-record permissions, and the local jurisdiction's rules.
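
One way to check such a chain mechanically, as an added example (not code from Workday, Google Cloud, or any KYA standard): it walks handoff receipts and reports widened mandates, missing approvals, silent handoffs, unregistered agents, and altered receipts. The receipt field names, agent IDs, the approval policy, and the SHA-256 linking are assumptions made for illustration.

```python
import hashlib
import json

NEEDS_APPROVAL = {"submit", "approve", "execute"}  # assumed policy choice
REGISTRY = {  # constructed agent registry: agent ID -> lifecycle status
    "workspace-agent": "active",
    "finance-agent": "active",
    "case-agent": "active",
}

def digest(receipt):
    """SHA-256 over the receipt's canonical JSON form."""
    return hashlib.sha256(json.dumps(receipt, sort_keys=True).encode()).hexdigest()

def link(receipts):
    """Set each receipt's prev field to the digest of the one before it."""
    prev = None
    for r in receipts:
        r["prev"] = prev
        prev = digest(r)
    return receipts

def verify_chain(receipts, requester_mandate):
    """Return (handoff_id, finding) pairs for every control the chain breaks."""
    findings = []
    allowed, holder, prev = set(requester_mandate), None, None
    for r in receipts:
        hid, granted = r["handoff_id"], set(r["actions"])
        if r["prev"] != prev:
            findings.append((hid, "broken link: receipt altered or missing"))
        if holder is not None and r["from"] != holder:
            findings.append((hid, "silent handoff: sender did not hold the mandate"))
        if REGISTRY.get(r["to"]) != "active":
            findings.append((hid, "receiving agent not active in registry"))
        if not granted <= allowed:
            findings.append((hid, f"mandate widened by {sorted(granted - allowed)}"))
        if granted & NEEDS_APPROVAL and not r.get("approval_id"):
            findings.append((hid, "approval event missing"))
        allowed, holder, prev = granted & allowed, r["to"], digest(r)
    return findings

def sample_chain():
    """Constructed receipts for one expense-case run (not real log data)."""
    return link([
        {"run_id": "run-1", "handoff_id": "h1", "from": "workspace-agent",
         "to": "finance-agent", "actions": ["read", "draft"]},
        {"run_id": "run-1", "handoff_id": "h2", "from": "finance-agent",
         "to": "case-agent", "actions": ["draft", "submit"]},
    ])
```

The hash links only prove integrity if the digest of the last receipt is kept somewhere the agents and their operators cannot rewrite, such as the audit export.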

Practical KYA checklist

Bottom line

Multi-agent enterprise finance is moving from demo layer into daily workflow. That raises the value of KYA because agent identity alone is not enough. The record must show mandate, permissions, tool access, handoffs, approvals, financial perimeter, abuse controls, and jurisdiction fit for every agent that touches a finance outcome.

Sources reviewed: Workday and Google Cloud partnership announcement; Robinhood Agentic Trading and Agentic Credit Card support pages; TechCrunch coverage of Robinhood agentic trading and payments; Forbes analysis of consumer trust and financial-agent controls. These are product, workflow, and market-structure signals, not claims that any regulator or exchange has adopted a formal Know Your Agent rule.