Workday and Microsoft have quietly stepped into the next phase of enterprise automation: they’re building the plumbing to let agentic AI workers — digital agents created in Microsoft’s developer ecosystem — obtain verified identities, join a corporate directory, and be managed alongside human employees inside Workday’s new Agent System of Record (ASOR). This integration combines Microsoft’s Azure AI Foundry and Copilot Studio toolchain and identity controls with Workday’s agent lifecycle, governance, and business-context layers, enabling agents to interoperate, be provisioned and monitored, and—critically—be treated as accountable entities inside corporate HR and finance processes. (blogs.microsoft.com)
Source: cio.com Microsoft and Workday collaborate to manage agentic AI workers
Background / Overview
Workday has been positioning itself as more than an HCM and finance suite; the company now markets itself as a platform to manage not only people and money but also agents—software entities that perceive, reason, and act on behalf of users. Workday’s Agent System of Record (ASOR) is intended to be a centralized registry and management plane for those digital workers: onboarding, role assignment, access controls, cost tracking, performance monitoring, and marketplace deployment all flow through the ASOR. Workday announced the ASOR and its Illuminate agent strategy earlier in 2025 and followed with an Agent Partner Network and Agent Gateway to connect third-party agents into that system. (newsroom.workday.com)
Microsoft has been building the developer tools, identity fabric, and platform controls that enterprises need to scale agentic applications. Azure AI Foundry presents itself as an “agent factory” — a place to design, customize, and operate production-grade agents at scale — while Copilot Studio provides a lower-code canvas to build agents that can be embedded in Microsoft 365 experiences. Microsoft has also introduced Microsoft Entra Agent ID, a mechanism that assigns each agent a directory-backed identity in Entra (formerly Azure AD), making agents first-class subjects in the identity and access management (IAM) model. Microsoft documentation and blogs explain that agents created in Foundry or Copilot Studio are automatically assigned agent-specific identities and will appear in Entra for security teams to manage. (azure.microsoft.com)
Together, the two companies propose a model where an agent built in Microsoft tooling receives an Entra Agent ID, then registers or connects to Workday’s ASOR via the Agent Gateway so that the agent’s business context, assigned responsibilities, and governance policies live in Workday’s system—allowing agents to hand off work to one another or to human workflows within the enterprise. Workday’s Agent Gateway leverages shared protocols (Model Context Protocol and Agent-to-Agent Protocol) to enable agent collaboration across vendors and platforms. (newsroom.workday.com)
What exactly is being connected — technical components explained
Microsoft: Azure AI Foundry, Copilot Studio, and Entra Agent ID
- Azure AI Foundry: A developer platform for building, customizing, and operating AI agents at scale. It provides model selection, orchestration, observability, and enterprise-grade connectors to data sources like Microsoft Fabric, SharePoint, and Azure AI Search. Foundry emphasizes security-by-default features such as private networks, on-behalf-of authentication, and monitoring. (azure.microsoft.com)
- Copilot Studio: Microsoft’s low-code visual canvas for rapid agent creation and multi-agent orchestration inside the Microsoft 365 boundary. Copilot Studio targets quicker business adoption and native M365 integration (e.g., Copilot experiences in Teams or Outlook). Microsoft positions Copilot Studio as complementary to Foundry: studio for speed and native M365 integration, Foundry for pro-code scale and governance. (azure.microsoft.com)
- Microsoft Entra Agent ID: A directory identity issued per agent so that security teams can manage an agent’s lifecycle, permissions, and access the same way they manage service principals and applications. Entra Agent ID intends to prevent “agent sprawl” by making agents discoverable in the enterprise directory and enabling centralized policy enforcement. Microsoft documentation and blog posts cite Entra Agent ID as a lever for unified governance across people and agentic identities. (blogs.microsoft.com)
Workday: Agent System of Record (ASOR), Agent Gateway, and Marketplace
- Agent System of Record (ASOR): A new Workday construct to register agents, define roles and permitted actions, assign them to teams or functions, budget for their operation, and monitor outcomes. Workday promotes ASOR as the place to unify governance for human and digital workers and to enable role-based agents that are more autonomous than task-based bots. (newsroom.workday.com)
- Agent Gateway: A bridge that allows third-party agents to securely connect to Workday, using common protocols so agents can exchange context and collaborate (MCP and A2A). The Gateway is a critical piece for interoperability with partner agents from Microsoft, AWS, Google Cloud, and others. (newsroom.workday.com)
- Workday Marketplace: A storefront for discovering and procuring agent capabilities (Workday calls them Illuminate agents), including both Workday-built role agents and partner agents. Organizations can deploy delivered agents via the ASOR and the Agent Gateway. (newsroom.workday.com)
How the integration works in practice — an end-to-end example
- A developer or citizen developer creates an agent in Copilot Studio or Azure AI Foundry and configures its skills, data connectors, and action connectors.
- The agent is automatically assigned a Microsoft Entra Agent ID, which creates a directory entry for that agent and lets IAM teams see it in the Entra admin center. (azure.microsoft.com)
- The agent is published or connected to Workday via Agent Gateway, registering inside the Workday ASOR where business owners assign role, scope, data permissions, and cost center responsibilities. (newsroom.workday.com)
- During runtime, agents can hand off work: for instance, an employee can ask a Microsoft Copilot-based Employee Self Service agent to update career goals; that Copilot agent can delegate the required HR transaction to a Workday agent that has the required permissions and workflow access—completing the operation without the employee needing to leave the Copilot interface. This is the scenario Workday has described publicly to illustrate interoperability. (cio.com)
Why this matters: benefits for IT and business leaders
- Unified governance and auditability: By giving agents identities and bringing them into a system of record, enterprises can include them in audits, access reviews, and policy enforcement cycles just like human users. This reduces blind spots from untracked bots. (blogs.microsoft.com)
- Lifecycle management at scale: ASOR introduces lifecycle hooks—onboard, tune permissions, track costs, retire—helping organizations avoid unmanaged “agent sprawl.” This matters because hundreds or thousands of lightweight agents can multiply rapidly if not controlled. (newsroom.workday.com)
- Interoperability and orchestrated workflows: Shared protocols and agent registries enable multi-vendor agent-to-agent coordination. That enables scenarios where a task begins in an M365 Copilot and is carried out by a Workday-controlled HR agent, preserving seamless user experience while keeping business logic centralized. (newsroom.workday.com)
- Role-based agents with business context: Workday’s emphasis on role-based agents (rather than narrow task bots) aims to create agents that understand responsibilities and can perform dozens or hundreds of related tasks under a governed remit. For enterprises that already organize by role, this model aligns with existing operational structures. (investor.workday.com)
- Security integration: Microsoft’s identity-first approach (Entra Agent ID) combined with Foundry’s on-behalf-of authentication and Purview integration promises a model where agents honor existing data permissions when invoking systems like SharePoint or Fabric. This is a practical advantage over ad-hoc bots that often bypass enterprise authorization rules. (azure.microsoft.com)
Risks, trade-offs, and unresolved questions
The technical promise is clear, but the integration model surfaces new responsibilities and risks that CIOs and security teams must confront.
Security and identity risks
- Agent impersonation and supply chain risk: Giving agents identities expands the attack surface. A compromised agent identity could be used to perform unauthorized actions at machine-speed. Entra Agent IDs mitigate discovery problems but introduce credential lifecycle management and secrets protection challenges. The risk increases when agents call out to third-party connectors or model providers. (blogs.microsoft.com)
- Privilege escalation: Role-based agents with broad skills or actions are powerful. Without strict least-privilege enforcement and fine-grained authorization, an agent could perform activities beyond its intended remit. IAM teams must treat agent permissions like service principals and enforce short-lived credentials, conditional access, and Just-In-Time access where possible. (azure.microsoft.com)
Data governance and compliance
- Data residency and access boundaries: Agents often need access to sensitive HR, payroll, or financial data. Enterprises must confirm whether agent runtime and model processing happen inside the organization’s data boundary or if any data is transmitted to third-party model providers. Microsoft emphasizes on-behalf-of authentication and private networks in Foundry, and Workday stresses controlled access via ASOR, but every integration must be validated against local compliance obligations. (azure.microsoft.com)
- Audit trails and explainability: Regulators and internal auditors will want clear logs showing which agent took which action and on whose behalf. The combination of Entra identities, Workday ASOR records, and Foundry observability features covers most of this need on paper; operationalizing tamper-evident logs and preserving causal trails through multi-agent handoffs remains a non-trivial engineering task. (azure.microsoft.com)
Operational and human factors
- Agent sprawl and governance overhead: Registering agents is only step one; governance frameworks, cost allocation rules, performance monitoring, model validation, and retraining processes must be established. Without clear ownership and SLOs, instrumented agents can create noise rather than value. Workday sells ASOR as the governance plane, but enterprises still need internal RACI and change-control processes. (newsroom.workday.com)
- Human accountability and ethical concerns: As agents take on tasks, accountability lines blur. Who signs off on a personnel change an agent makes? Who is responsible for biased decisions or erroneous automated actions? Workday emphasizes human oversight, but companies must define escalation paths and approval gates for high-impact actions. (newsroom.workday.com)
Vendor lock-in and interoperability limits
- Standards versus platform extensions: Workday’s Agent Gateway uses MCP and A2A protocols to enable agent-to-agent interactions. These protocols aim for cross-vendor interoperability, but practical interop depends on adoption and open specifications. Enterprises should evaluate how easily agents can be migrated between platforms or how Workday’s ASOR will coexist with other systems of record should they emerge. (newsroom.workday.com)
Practical guidance: What CIOs and IT leaders should do now
The arrival of identity-backed agents and agent registries changes the operational checklist for AI adoption. Here are prioritized steps and a practical governance checklist.
1. Inventory and policy: Bring agents into the directory now
- Treat agents like service principals: require Entra Agent IDs or equivalent for any production agent.
- Add agents to IAM inventory, include them in access review cycles, and map each agent to an owner and business purpose. (blogs.microsoft.com)
2. Establish least-privilege and JIT controls for agent access
- Enforce role-based access control for agent actions.
- Use short-lived credentials and conditional access for high-risk actions.
- Apply fine-grained connector permissions rather than blanket API keys. (azure.microsoft.com)
3. Define agent lifecycle and cost ownership in ASOR or equivalent
- Assign cost centers and budget owners for each agent to avoid hidden cloud spend.
- Define decommissioning processes and model retraining cadences.
- Track performance metrics and ROI for each agent. (newsroom.workday.com)
4. Secure data flows and validate model boundaries
- Require on-behalf-of authentication for connectors and ensure data stays within approved boundaries unless explicitly allowed.
- Document which model providers process sensitive data and under what legal terms. (azure.microsoft.com)
5. Operationalize observability, auditing, and incident response
- Correlate Entra logs with Workday ASOR events and Foundry observability metrics to create a single timeline for agent actions.
- Extend incident playbooks to cover agent identity compromise and rogue agent behavior.
- Preserve immutable logs for audits. (azure.microsoft.com)
6. Build governance for human-in-the-loop escalation
- Require human approval for high-risk HR, finance, or compliance-affecting agent actions.
- Maintain a human sign-off trail for irreversible changes. (newsroom.workday.com)
Technical checklist for architects and security teams
- Confirm that agent identity provisioning (Entra Agent ID) is enabled and integrated with your IAM workflows. (blogs.microsoft.com)
- Validate Foundry or Copilot Studio connector permissions and ensure they enforce on-behalf-of access to data stores. (azure.microsoft.com)
- Ensure the Agent Gateway connection to Workday is authenticated and encrypted; validate protocol and schema compatibility for MCP/A2A interactions. (newsroom.workday.com)
- Instrument end-to-end traces: agent request → Entra auth → Foundry runtime → Workday ASOR action → audit log. Correlate these traces for forensics. (azure.microsoft.com)
- Test attacker scenarios such as token theft, model-injection attacks, or lateral movement through agent connectors and remediate with policy and technical controls. (crn.com)
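As an added example (not code from the original article, nor from Microsoft or Workday), the following Python sketches the correlation step from the checklists above: it merges constructed Entra, Foundry and ASOR events by correlation id into one per-request timeline, then flags ASOR actions that fall outside the agent's registered scope or that have no preceding identity event. All log field names, agent ids and the registry layout are assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample logs for three sources. Field names are hypothetical and
# do not reproduce the real Entra, Foundry or Workday schemas.
ENTRA_LOG = """\
{"ts":"2025-06-01T09:00:00Z","corr":"c-001","agent":"agt-ess","event":"token_issued","on_behalf_of":"u-42"}
{"ts":"2025-06-01T09:05:00Z","corr":"c-002","agent":"agt-ess","event":"token_issued","on_behalf_of":"u-42"}
"""
FOUNDRY_LOG = """\
{"ts":"2025-06-01T09:00:01Z","corr":"c-001","agent":"agt-ess","event":"run_started","tool":"workday.update_career_goal"}
{"ts":"2025-06-01T09:05:01Z","corr":"c-002","agent":"agt-ess","event":"run_started","tool":"workday.approve_payroll_change"}
{"ts":"2025-06-01T09:10:00Z","corr":"c-003","agent":"agt-ghost","event":"run_started","tool":"workday.read_directory"}
"""
ASOR_LOG = """\
{"ts":"2025-06-01T09:00:02Z","corr":"c-001","agent":"agt-ess","event":"action","action":"update_career_goal"}
{"ts":"2025-06-01T09:05:02Z","corr":"c-002","agent":"agt-ess","event":"action","action":"approve_payroll_change"}
{"ts":"2025-06-01T09:10:01Z","corr":"c-003","agent":"agt-ghost","event":"action","action":"read_directory"}
"""
# Constructed ASOR registry: the scope each agent was granted at onboarding.
ASOR_REGISTRY = {
    "agt-ess": {"owner": "hr-ops", "allowed_actions": {"update_career_goal", "read_profile"}},
}

def parse_log(text, source):
    """Parse one JSON-lines source into events tagged with their origin."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["source"] = source
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            events.append(rec)
    return events

def build_timeline(*sources):
    """Group events from every source by correlation id, ordered by time."""
    timeline = defaultdict(list)
    for text, source in sources:
        for ev in parse_log(text, source):
            timeline[ev["corr"]].append(ev)
    for events in timeline.values():
        events.sort(key=lambda e: e["ts"])
    return dict(timeline)

def find_violations(timeline, registry):
    """Check each ASOR action against registered scope and the identity chain."""
    findings = []
    for corr, events in sorted(timeline.items()):
        for ev in events:
            if ev["source"] != "asor":
                continue
            agent, action, reasons = ev["agent"], ev["action"], []
            if agent not in registry:
                reasons.append("agent not registered in ASOR")
            elif action not in registry[agent]["allowed_actions"]:
                reasons.append("action outside registered scope")
            # An ASOR action with no earlier Entra token event breaks the chain.
            if not any(e["source"] == "entra" and e["ts"] <= ev["ts"] for e in events):
                reasons.append("no Entra token issuance before action")
            findings.extend((corr, agent, action, r) for r in reasons)
    return findings

def audit():
    timeline = build_timeline((ENTRA_LOG, "entra"), (FOUNDRY_LOG, "foundry"), (ASOR_LOG, "asor"))
    return find_violations(timeline, ASOR_REGISTRY)

if __name__ == "__main__":
    for corr, agent, action, reason in audit():
        print(f"{corr} {agent} {action}: {reason}")
```

In a real deployment the three sources would come from the Entra, Foundry and Workday audit exports and the registry from the ASOR itself; the shared correlation id is the piece that has to be carried through every handoff.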
The competitive and strategic angle
Workday’s move to be a formal controller of agent identities and responsibilities positions it as the enterprise’s agent governance hub. For Microsoft, integrating Entra Agent ID and Foundry with Workday extends Copilot and M365 agent reach into the HR and finance domain—two areas where Workday historically holds the data and business logic. For enterprises, the partnership promises faster time to production for agentic workflows, but also a need to negotiate vendor roles and long-term strategy.
There’s also a broader ecosystem play: Workday’s Agent Partner Network includes AWS, Google Cloud, Salesforce, Deloitte, and others. That suggests the ASOR is intended to be multi-cloud and multi-vendor rather than a Workday-only lock-in—if the advertised protocols and marketplaces prove genuinely interoperable. Enterprises should nonetheless plan for platform-specific lock-in costs (training data formats, proprietary connectors, vendor-specific governance features) and make architecture choices that prioritize portability where feasibility allows. (newsroom.workday.com)
Remaining unknowns and things to watch
- Standards maturity: Will MCP and A2A become widely adopted and standardized? Interoperability depends on broad vendor commitment and clear, open specs. (newsroom.workday.com)
- Regulatory attention: Agent identities and autonomous workplace actions are likely to draw scrutiny from privacy and labor regulators. Enterprises should monitor regulatory updates, particularly around automated decision-making and employment law. (newsroom.workday.com)
- Operational scale: The real test is whether observability and cost controls hold up when hundreds or thousands of agents are deployed across a business; pilot projects should stress-test these systems. (azure.microsoft.com)
- Third-party model governance: How will enterprises ensure that LLMs or models behind agents remain aligned, safe, and patched over time—especially when built with mixed-model stacks (OpenAI, Anthropic, Mistral, internal models)? This is an active operational challenge. (azure.microsoft.com)
Conclusion: a pragmatic assessment
The Workday–Microsoft alignment on agent identity and management moves the industry from proof-of-concept chatbots to a more disciplined approach for agentic AI workers. The combination of Microsoft Entra Agent ID, Azure AI Foundry / Copilot Studio, and Workday’s ASOR and Agent Gateway is a credible technical stack for enterprises that want to scale autonomous assistants while preserving governance and business context. Public documentation and vendor announcements confirm the technical building blocks and integration pathways, and both companies emphasize enterprise-grade controls. (blogs.microsoft.com)
However, maturity is still catching up with ambition. Organizations that rush to deploy role-based agents without rigorous identity controls, data boundary validation, and human accountability frameworks risk operational disruption, compliance failure, or security incidents. The path forward for IT leaders is to treat agents as a new worker class: register their identities, budget them, limit their powers, instrument their actions, and require human oversight where decisions materially affect people or money.
If the industry standardizes agent identity and interop protocols, and if enterprises operationalize the controls described here, the promise is large: faster, safer automation with agents that can collaborate across platforms and carry business context with strong auditability. Until then, cautious pilots, strong IAM discipline, and explicit governance will be the safest route to realizing the productivity benefits while managing the new risks of agentic AI workers. (azure.microsoft.com)