Workday used its DevCon week to put a stake in the ground on enterprise agent governance, launching Agent Passport with exactly one security partner attached: Cisco. Early access lands in Q3 2026, general availability before year end. The liability question, who pays when an attested agent goes rogue, is explicitly unresolved.
That last detail is the interesting one. Every other vendor pitching agent governance right now talks about trust, attestation, and standards. Workday's CTO said out loud that the blame model is still being negotiated. I'd rather hear that than a marketing deck.
At DevCon this week, Workday unveiled three connected pieces: Agent Passport, Developer Agent, and Agent-Ready Tools. As CIO reported, Agent Passport validates an agent's safety and compliance before deployment and continuously during operation, allowing, blocking, or routing agent actions in real time based on company policy.
The vetting covers five risk categories: prompt injection, jailbreak and goal hijacking, system prompt extraction, employee data leakage, and unsafe outputs. Tests are anchored to public standards including MITRE ATLAS, and critically, Workday is not running the tests itself. Security partners do that. Security teams then see a signed, auditable attestation showing who tested the agent and what was covered.
At launch there is one such partner. Cisco. That's it. Workday CTO Gabe Monroy framed the choice as deliberate: "It's difficult to really get ramped up in a standard with a lot of partners in the mix, so we want to get this right with just ourselves and Cisco." He added that broader rollout is coming "soon" without a date attached.
On the liability question, Monroy was candid that if a stamped agent misbehaves, ownership of the fallout is something "we're still wrestling with with our partners." Agent Passport enters early access in Q3 2026 with general availability targeted before end of 2026.
Alongside Passport, Developer Agent lets developers build AI apps and agents from inside Claude Code, Cline, Codex, Cursor, or Google Antigravity, deploying via the open AgentSkills standard (OASS). Agent-Ready Tools are enterprise connectors for autonomous agents that speak MCP and, per Workday, reduce hallucination and latency. Both ship to early access customers through Workday Extend Professional, with general availability in the second half of 2026.
Strip away the branding and Agent Passport is a runtime policy engine plus an attestation registry. The policy engine sits in the request path: an agent tries to do something, Passport checks the attestation and the policy, and returns allow, block, or route. That is a familiar pattern to anyone who has shipped an API gateway or a service mesh authorization layer. The novelty is what gets checked, not how.
The attestation layer is where the interesting design decisions live. By binding tests to MITRE ATLAS, which catalogs adversarial ML tactics the same way ATT&CK catalogs traditional ones, Workday is trying to make attestations comparable across vendors and testers. In principle a security team can put an agent from Vendor A tested by Cisco next to an agent from Vendor B tested by whatever partner joins next, and read them on the same axes. In practice that only works if the test methodology is public and reproducible. The source does not disclose how deep Cisco's test suites go or whether the raw test artifacts are inspectable, which matters because an attestation without inspectable evidence collapses to "trust the tester."
The runtime side does the heavier lifting. Prompt injection and goal hijacking are not static properties of a model. They emerge from the interaction of prompts, tools, and data at request time. Continuous validation, as Workday describes it, implies telemetry from the agent's actual execution feeding back into policy decisions. That is closer to how Anthropic's guidance on agentic tool use frames the problem: constrain the tool surface, monitor the tool calls, and gate the sensitive ones.
Agent-Ready Tools connecting via MCP is the sensible plumbing choice. MCP has become the default protocol for exposing structured tool interfaces to models, and having Workday's business objects speak it means agents built in Claude Code or Cursor can call Workday operations without a bespoke integration each time. Pipedream connectors extend that reach outside Workday. What we don't know yet: whether Passport's runtime checks apply to Pipedream-brokered actions with the same fidelity as native Workday tool calls, or whether the trust boundary weakens once the agent leaves Workday's own control plane. That bound is worth pinning down before any production deployment.
Enterprise platform teams currently piloting agents on Workday data have the cleanest upgrade path: wait for early access in Q3, put a real workload through Passport, and see whether Cisco's test coverage maps to your threat model. The teams with a problem are the ones already six months into homegrown agent governance built on their own eval harnesses. If Passport becomes the de facto attestation format inside Workday customers, internal frameworks either integrate with it or get retired.
The sole-partner launch is a two-edged sword. On one hand, one tester means one methodology, one contract, and faster iteration. On the other, it means Cisco is the single point of failure for the entire trust model until partner number two arrives. Security teams reading a Passport attestation in Q3 are, in practical terms, reading a Cisco attestation. That is a concentration risk worth naming.
The unresolved liability question hits legal and procurement harder than engineering. If a Passport-stamped agent leaks employee data, the source is explicit that Workday, Cisco, and the customer have not agreed who eats the loss. CIOs signing early-access agreements in Q3 should assume the answer defaults to the customer until proven otherwise. That is not a Workday-specific problem: every agent governance vendor has the same gap, but Workday is one of the few to say it in public.
Competing HR and finance suites (Oracle, SAP, ServiceNow) now have a reference architecture to react to. Expect at least one to announce its own attestation scheme before end of 2026. If Workday's bet plays out, we should see attestation-based procurement clauses start appearing in enterprise AI RFPs by Q1 2027. If they don't, Passport becomes another vendor-specific compliance checkbox and the standardization pitch quietly disappears.
For teams shipping agents this quarter, the practical moves are narrow and specific. First, map your current agent test coverage against the five Passport risk categories: prompt injection, jailbreak and goal hijacking, system prompt extraction, employee data leakage, unsafe outputs. If any category has zero automated tests, that is the gap to close before Q3, regardless of whether you adopt Passport.
Second, read the MITRE ATLAS matrix and pick the five tactics most relevant to your deployment. Build eval cases against those specific tactics rather than generic red-team prompts. Attestations that map to ATLAS will be comparable across vendors, so your internal evals should speak the same vocabulary.
Third, if you are building on MCP already, audit which tool calls are truly reversible and which are not. Passport's allow-block-route model only helps if your tools are designed so a "route to human" decision is meaningful for the sensitive ones. Agents that call irreversible operations without a human checkpoint gain little from a runtime policy engine.
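The allow-block-route pattern described above can be prototyped in a few lines. This is an added sketch, not Workday's or Cisco's code: the attestation fields, tester and tool names are hypothetical, the sample data is constructed, and HMAC stands in for whatever signature scheme a real attestation uses.

```python
import hashlib
import hmac
import json

# The five risk categories the article lists for Agent Passport vetting.
RISK_CATEGORIES = {
    "prompt_injection", "jailbreak_goal_hijacking", "system_prompt_extraction",
    "employee_data_leakage", "unsafe_outputs",
}

def sign_attestation(body: dict, key: bytes) -> str:
    """Tester side: sign canonical JSON (HMAC is an assumed stand-in scheme)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def decide(agent_id, tool, attestation, signature, tester_keys, irreversible_tools):
    """Return (decision, reason); decision is 'allow', 'block' or 'route'."""
    key = tester_keys.get(attestation.get("tester"))
    if key is None:
        return "block", "unknown tester"
    # Constant-time comparison; any change to the attestation body fails here.
    if not hmac.compare_digest(sign_attestation(attestation, key), signature):
        return "block", "bad signature"
    if attestation.get("agent_id") != agent_id:
        return "block", "attestation is for a different agent"
    missing = RISK_CATEGORIES - set(attestation.get("covered", []))
    if missing:
        return "block", "untested categories: " + ", ".join(sorted(missing))
    # Attested agents still need a human checkpoint for irreversible operations.
    if tool in irreversible_tools:
        return "route", "irreversible tool needs human approval"
    return "allow", "attested and reversible"

# Constructed sample data (hypothetical names throughout).
TESTER_KEYS = {"tester-a": b"constructed-demo-key"}
IRREVERSIBLE = {"payroll.submit"}
FULL = {"agent_id": "agent-42", "tester": "tester-a", "covered": sorted(RISK_CATEGORIES)}
FULL_SIG = sign_attestation(FULL, TESTER_KEYS["tester-a"])
PARTIAL = dict(FULL, covered=["prompt_injection", "unsafe_outputs"])
PARTIAL_SIG = sign_attestation(PARTIAL, TESTER_KEYS["tester-a"])

if __name__ == "__main__":
    for tool in ("directory.lookup", "payroll.submit"):
        print(tool, decide("agent-42", tool, FULL, FULL_SIG, TESTER_KEYS, IRREVERSIBLE))
    print(decide("agent-42", "directory.lookup", PARTIAL, PARTIAL_SIG, TESTER_KEYS, IRREVERSIBLE))
    print(decide("agent-42", "directory.lookup", PARTIAL, FULL_SIG, TESTER_KEYS, IRREVERSIBLE))
```

The gate fails closed: an unknown tester, a tampered attestation, or a category with no test coverage all block before the reversibility check is ever reached.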
Fourth, for developer tooling teams, Developer Agent's compatibility list (Claude Code, Cline, Codex, Cursor, Google Antigravity) is a decent signal for which IDE-adjacent agent runtimes have enterprise traction. If your internal platform supports none of these, you are outside the assumed developer surface for a large slice of enterprise agent tooling shipping in H2 2026.
Agent Passport is a runtime governance layer that validates an AI agent's safety and compliance before deployment and continuously during operation. It can allow, block, or route agent actions in real time based on company policy, and it produces signed attestations tied to public standards like MITRE ATLAS.
Workday plans to open Agent Passport for early access in the third quarter of 2026, with general availability expected before the end of 2026. Cisco is the sole security testing partner at launch.
The question of who is liable when an attested agent misbehaves is explicitly unresolved. Workday's CTO said the liability model is still being worked out with partners, which means enterprise customers signing early-access contracts should assume the risk defaults to them until agreements say otherwise.