Workday Agent Passport turns agent verification into KYA evidence
Workday's new Agent Passport and Agent-Ready Tools move enterprise AI agents closer to a reviewable compliance file: who built the agent, what HR or finance actions it can take, which MCP tools it can reach, what tests it passed, and who attested that it is safe to deploy.
Daily signal: Workday announced Developer Agent, Agent-Ready Tools, and Agent Passport on June 2, 2026. The official release says Agent-Ready Tools let agents act on HR and finance data through controlled guardrails and MCP while inheriting Workday's security, delegation, business-process controls, and audit trail. Agent Passport is positioned to test, verify, continuously monitor, and stamp agents against public frameworks including OWASP LLM Top 10, NIST AI RMF, and MITRE ATLAS. This is an enterprise product and attestation signal, not a formal Know Your Agent rule.
Why this matters for KYA
Enterprise finance agents are no longer only chat interfaces over records. They can retrieve data, update workflows, trigger approvals, call external connectors, and operate from developer tools that create agents in minutes. In that environment, KYA cannot stop at naming the human user or the legal entity that owns the account.
The Workday signal is useful because it separates three layers that KYA files should also separate. Developer Agent concerns how the agent is created. Agent-Ready Tools concern how the agent reaches HR and finance functions. Agent Passport concerns whether the agent has passed specific security and compliance checks before production and whether monitoring continues after deployment.
That pattern fits the APAC FINSTAB seven-dimension KYA model. A finance agent should have a stable operator identity, a precise mandate, a wallet or account-control boundary, scoped tool and venue access, attributable audit trails, security and abuse controls, and jurisdiction mapping for the countries and regulated functions it touches.
Screenshot-ready KYA compliance comparison table
| KYA dimension | Unverified enterprise agent posture | KYA-ready verification posture | Evidence reviewers should expect |
|---|---|---|---|
| Operator identity | The agent is listed as an app, integration, or developer project without a clear accountable owner. | The agent has a named business owner, developer owner, platform identity, verifier, lifecycle state, and deployment environment. | Agent registry record, owner approval, verifier stamp, version, environment, deployment date, retirement or revocation path. |
| Agent mandate | The agent is described broadly as HR automation, finance helper, or budget assistant. | The mandate defines allowed records, actions, workflows, approval triggers, prohibited actions, escalation conditions, and expiry. | Mandate document, business-process scope, approval threshold, prohibited-use list, policy version, exception log. |
| Wallet and custody | Budget, payroll, procurement, treasury, card, or ledger effects are treated as normal workflow updates. | Any financial-impacting action has separate limits, authorization, segregation of duties, reversal path, and custody or account-control evidence. | Budget or account limit, signer role, approval receipt, segregation-of-duties check, reversal workflow, custody boundary. |
| Tool and venue access | Agents inherit broad API scopes or MCP tools without reviewers seeing the exact business action surface. | Every Agent-Ready Tool, MCP server, external connector, and venue path is classified by data class, action type, risk tier, and runtime policy. | Tool inventory, MCP endpoint, connector owner, data scope, action tier, allow/deny rule, parameter validation, external venue mapping. |
| Audit trail | Logs show that a workflow changed but not which agent, prompt, tool, verifier, policy, or approval path caused it. | The audit trail links human controller, agent, tool call, business process, policy decision, verification stamp, result, and exception review. | Run ID, actor chain, tool-call log, business-process event, attestation record, approval event, denial reason, exportable audit packet. |
| Security and abuse | Testing is ad hoc, limited to model behavior, or performed only before launch. | Agents are tested and continuously monitored against recognized risk frameworks, with runtime controls, anomaly detection, and kill switches. | OWASP LLM Top 10 test, NIST AI RMF mapping, MITRE ATLAS mapping, monitoring alert, incident playbook, kill-switch drill. |
| Jurisdiction fit | The same agent acts across employee, finance, and external connector data without local legal mapping. | The file records where the agent may operate, what regulated functions it supports, what employee or finance data it touches, and which APAC controls apply. | Country scope, privacy basis, outsourcing review, HR-data rule, finance-control rule, retention period, incident escalation contact. |
The compliance lesson
Workday's language is especially important because it ties agent action to existing business-process controls and audit trails. For KYA, that is the right direction: the compliance file should not ask reviewers to trust the model. It should show how platform identity, tool scope, delegation, workflow controls, tests, attestations, and monitoring constrain the agent before and after it acts.
Third-party stamps are not a substitute for regulatory approval. They are supporting evidence. A verifier may confirm that an agent met a security framework, while the operator still needs to prove the agent's mandate, data access, financial authority, jurisdiction fit, and incident response path for the actual use case.
Practical KYA checklist
- Record the agent's builder, business owner, verifier, deployment surface, version, and lifecycle state.
- Separate creation evidence from tool-access evidence and post-deployment monitoring evidence.
- Map each MCP or Agent-Ready Tool to an allowed business process and a prohibited-action boundary.
- Require extra approval for workflows that affect payroll, benefits, procurement, budgets, ledgers, treasury, customer records, or external sends.
- Preserve test results and standards mapping as reviewable evidence, but label them as attestations rather than regulator adoption.
- Attach APAC privacy, outsourcing, employment-data, AML, record-retention, and operational-resilience controls where the agent touches local regulated activity.
Bottom line
Agent Passport is a strong market signal because it gives enterprises a vocabulary for production agent verification: tests passed, standards used, verifier identity, monitoring status, and deployment eligibility. KYA should extend that vocabulary into finance compliance by adding mandate, custody, tool, audit, abuse, and jurisdiction evidence around every agent that can affect money, records, workflows, or regulated decisions.
Sources reviewed: Workday newsroom release on Developer Agent, Agent-Ready Tools, and Agent Passport; ITBrief Asia coverage of Workday's secure AI agent tools; Accenture analysis of agentic commerce and payment governance; Microsoft Windows Developer Blog and Help Net Security coverage of Agent 365, MXC, agent registry, and agent audit controls; Robinhood Agentic Trading product page. These are product, security, and market-structure signals, not claims that any regulator or exchange has adopted a formal Know Your Agent rule.