nerd project | Startups
June 2, 2026 · 3 min read

AI agent bottleneck: it's not model performance, it's permissions

The real AI agent bottleneck isn't model intelligence — it's permissions. Every enterprise agentic workflow eventually hits the same wall: what is this agent allowed to touch, on whose behalf, and how does the system actually verify that? Those are governance questions, not AI questions, and most companies building agents are discovering them the hard way.

How we got here

Enterprises spent decades building identity and data systems in separate silos. When agentic workflows started connecting all of it, the fragmented permission model became an immediate liability. Companies trying to bolt AI agents onto raw data access quickly found that the security and approval logic they'd built into their core systems simply didn't travel with the data.

What Workday is doing about it

Workday launched Sana in March as its agent system of record, and has now expanded its partnership with Google to make Sana agents discoverable within Gemini Enterprise. The architecture layers Gemini as the base conversational reasoning surface, then stacks Workday's context engine and business process logic on top, with verification and classification models that "interrogate" outputs before anything executes. Gerrit Kazmaier, Workday's president for product and technology, put it plainly: "The richness of the security model gets lost and the results become overly broad" when customers try DIY AI by accessing raw data directly. Under Sana, a user authenticates and gets authorized through Workday's identity model — the agent only acts within that user's current permissions. Audit trails follow the same logic: Gemini retains interaction logs, while the primary audit record stays inside Workday.

What this actually means

In HR and finance, "almost right" is not a viable output. Kazmaier's framing is worth taking seriously: "Think about paying people correctly, closing the books, or managing work schedules reliably." Unlike most generative AI contexts, there's often no correction loop — by the time a paycheck processes wrong or an interview gets scheduled incorrectly, the damage is already done. Accuracy and identity turn out to be the same question: does the system know enough about the agent, the authorizing human, and the current state of the record to act correctly? Workday's structural advantage is that third-party identity providers like Okta already verify information by checking Workday, making it the de facto system of record for organizational context across many large enterprises.
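The on-behalf-of pattern the article describes, as an added illustration that is not Workday's or Sana's code: a gateway re-reads the delegating user's current permissions and the record's state from the system of record before letting an agent act, and writes the audit record beside the data. The user names, permission strings and record state below are constructed sample data, and the permission model is a hypothetical stand-in.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample of a system of record's permission and record state (hypothetical,
# not Workday's model). The agent never holds a copy of these; every call looks them up here.
USER_PERMISSIONS = {
    "alice": {"payroll:read", "payroll:approve"},
    "bob": {"payroll:read"},
}
RECORD_STATE = {"payrun-2026-06": "draft"}


@dataclass
class AuditEntry:
    when: str
    agent: str
    on_behalf_of: str
    action: str
    record: str
    allowed: bool
    reason: str


AUDIT_LOG = []  # primary audit trail, kept beside the records rather than in the model layer


def _audit(agent, user, action, record, allowed, reason):
    """Record every decision, allowed or denied, and return the decision."""
    AUDIT_LOG.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                agent, user, action, record, allowed, reason))
    return allowed


def execute_agent_action(agent, on_behalf_of, action, record):
    """Run an agent's proposed action only within the delegating user's *current* permissions.

    Returns True if the action executed, False if refused. Permissions are re-read on each
    call, so a revoked right takes effect immediately, and the record's state is verified
    before anything executes (approving an already approved payrun is 'almost right').
    """
    perms = USER_PERMISSIONS.get(on_behalf_of, set())
    if action not in perms:
        return _audit(agent, on_behalf_of, action, record, False, "user lacks permission")
    state = RECORD_STATE.get(record)
    if state is None:
        return _audit(agent, on_behalf_of, action, record, False, "unknown record")
    if action == "payroll:approve":
        if state != "draft":
            return _audit(agent, on_behalf_of, action, record, False, f"record is {state}, not draft")
        RECORD_STATE[record] = "approved"  # the verified state transition
    return _audit(agent, on_behalf_of, action, record, True, "ok")
```

Because the check happens where the data lives, the agent itself carries no standing rights: an agent identity with broad permissions of its own would be exactly the "overly broad" result the article warns about.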

Two independent practitioners made the same point from the outside:

  • Dan Obendorfer, director of product at Würk: "It has to live in the system of record — that's not a preference, that's the only way it works. If your permissions are defined somewhere outside of where the data actually lives, you've already lost."
  • Kadan Stadelmann, CTO and co-founder of Compance.AI: "Without agent ownership, performance, costs or actions, chaos ensues."

What this means for the industry

Workday is quietly repositioning itself from HR software vendor to agentic governance infrastructure — a much stickier and more defensible category. Any AI vendor that lacks a system of record of its own, or a deep integration with one, is going to hit the same permissions wall when enterprise customers try to scale. The Gemini partnership also signals something broader: major model ecosystems need partners who can solve the permissions layer, because the models themselves can't do it alone.

The open question is whether the rest of the industry builds its own governance layers or ends up consolidating around the systems of record that already exist.

Source: VentureBeat

Tags: AI agents, Workday, AI governance, Enterprises