Crestvale Newsroom

Workday launches Agent Passport for AI verification


AI is moving faster than the systems designed to control it. Today's episode focuses on how governance, verification, and security are becoming the real constraints as firms adopt AI inside sensitive environments. Workday's new Agent Passport signals a shift from building AI to proving it is safe. At the same time, Cisco and Anthropic are accelerating the pace of vulnerability discovery and response, forcing firms to rethink how they handle patching, monitoring, and vendor risk. The result is a new operating reality where speed without control creates exposure. We also cover a major supply chain attack tied to Red Hat packages and what it reveals about CI pipeline risk, along with key moves in M&A, SaaS financing, and AI-related litigation. Learn more at https://crestvale.io


The bottleneck in AI just shifted. It is no longer about building agents. It is about proving they are safe enough to touch your most sensitive systems. This is the Crestvale Newsroom Daily Podcast.

Workday just made a very deliberate move. It is turning AI agents into a governed development layer inside HR and finance systems. That matters because those are the systems firms trust the least when it comes to experimentation. The headline feature is something called Agent Passport. This introduces third-party verification before an AI agent is allowed to operate on sensitive data. Think payroll, compensation, financial records. Cisco is providing independent validation against standards like the National Institute of Standards and Technology and OWASP. That is the shift. Anyone can build an agent now. That is easy. What has been missing is proof that the agent will behave safely inside systems that carry regulatory and financial risk. Workday is solving that directly.

At the same time, it is making agent development faster. Teams can generate production-ready agents from plain language inside tools like Claude Code and Cursor. What used to take days of integration work now takes minutes. But speed is not the story. Control is. Agents connect through structured tools that inherit Workday's existing security model. That means audit trails, permissions, process controls, all built in from the start. Nothing is bolted on after the fact. That is exactly what enterprise buyers have been waiting for.

Here is why this matters. If your firm runs on platforms like Workday, the constraint is no longer technical capability. It is governance. The firms that figure out how to verify and audit AI agents first will move faster without increasing risk. Everyone else will slow down, not because they lack tools, but because they cannot prove safety.

Now, that shift toward machine speed is showing up even more clearly in cybersecurity. Cisco just doubled its patch disclosure cadence. Instead of monthly updates, fixes will now come twice a month. That sounds incremental. It is not. It is a response to AI systems finding vulnerabilities faster than human teams can respond. Tools like Anthropic's Mythos have already surfaced more than 10,000 high-severity issues across major software. That changes the rhythm of security operations. Cisco is also leaning into automated defense: systems designed to detect and block threats before patches are even applied. This is the direction of travel. Security is moving from scheduled work to continuous response. If your firm still treats patching as a calendar event, you are already behind.

Meanwhile, Anthropic is scaling that same pressure globally. Its Mythos cybersecurity model is now expanding to more than 15 countries and roughly 200 organizations. This is no longer a controlled rollout. It is a broad release of tools that can discover vulnerabilities at scale across critical infrastructure and widely used software. The important detail is where the bottleneck moved. It is no longer finding vulnerabilities. That is now fast and constant. The constraint is fixing them, verifying them, managing downstream risk. Anthropic expects similar capabilities to spread widely within the next year, including from competitors with fewer guardrails. That means your exposure increasingly depends on how well your vendors and partners handle security, not just your own internal controls.

And then there is the supply chain risk that keeps proving the point. A recent attack hit more than 30 Red Hat npm packages. But the packages were not the real target. The attack compromised a CI pipeline using GitHub Actions. That gave access to credentials and publishing rights. In plain terms, attackers went after the keys, not the code. More than 100,000 downloads were affected across dozens of versions, and the malware was designed to steal credentials and wait. This is part of a pattern. Similar attacks have already hit SAP tooling, Microsoft ecosystems, and AI libraries. The playbook is consistent. Get into the pipeline, steal secrets, use them later. If your firm builds or integrates software, this is now a primary risk surface. Rotation of credentials is no longer optional after incidents like this. It is immediate.

Here is what else is worth knowing today. Acuity expanded into Hawaii with another acquisition. Even regional firms are building scale instead of staying local. Aprio added another deal in Philadelphia. Larger firms are moving quickly to lock in key metros. Capchase raised $200 million to embed financing directly into SaaS transactions. Payment terms are becoming a competitive lever. Diligent is pushing cyber risk reporting directly into board-level workflows. Clients will expect clearer answers from leadership, not just IT. Amazon is facing a class action tied to facial recognition and Ring. Consent and data handling are becoming legal flashpoints for AI features.

Before we close out, here is a quick look at where markets landed. Equities finished higher, with both SPY and QQQ moving up together, suggesting a steady risk-on tone. The 10-year Treasury yield moved down, easing slightly from recent levels. In commodities, gold and oil both pushed higher. That points to continued sensitivity around inflation and global demand. Bitcoin pulled back on the session.

Here is the takeaway. If you cannot verify and continuously secure your AI and software stack, speed will become your biggest liability, not your advantage. Tomorrow we are watching how firms operationalize continuous security and whether vendors begin enforcing verification standards by default. If this was useful, follow the Crestvale Newsroom Daily Podcast so you don't miss it. Thanks for listening.