Agents will be vetted for a series of risks, including prompt injection, jailbreak and goal hijacking, system prompt extraction, leaks of employee data, and unsafe outputs. Those tests will be tied to public standards such as Mitre ATLAS, and will be performed by security partners, not by Workday. Security teams can view those attestations, receiving a signed, auditable record of who tested the agent, and what it was tested for.
Because every check is tied to a public standard, security teams can compare agents from different vendors, tested by different partners, on the same terms.
The sole testing partner at launch is Cisco.
“It’s difficult to really get ramped up in a standard with a lot of partners in the mix, so we want to get this right with just ourselves and Cisco,” said Workday CTO Gabe Monroy. “We’ll be rolling it out more broadly soon.”
