The Architecture of 'Yes'
Why True Governance Lives Inside the System
Kelly Trindel
Chief Responsible AI Officer
Workday
Why True Governance Lives Inside the System
Kelly Trindel
Chief Responsible AI Officer
Workday
Across industries, I’m watching a familiar pattern play out.
Companies spin up AI councils, publish thick policy binders, and stand up responsible AI working groups with the best of intentions. A few months later, the business leaders trying to actually build or use AI start referring to all of this as: the funnel of “no” or "slow".
No one sets out to build a bottleneck. The purpose of a trust or risk officer isn't to shut things down; it’s to figure out how to use these powerful technologies safely—and at speed.
Report
The teams moving the fastest on AI adoption right now aren’t expediting in spite of governance. They’re succeeding because of smart governance.
The teams moving the fastest on AI adoption right now aren’t expediting in spite of governance. They’re succeeding because of smart governance.
At Workday, we're an example of this: we build AI into core systems for HR, finance, and IT, backed by a Chief Responsible AI Officer role, a dedicated Responsible AI team, and a mature governance framework. That infrastructure is what lets us move fast with AI—the framework enables speed, it allows teams to be agile.
Many of our customers aren’t tech companies—they are world-class at running hospitals, universities, retail chains, and manufacturing plants. Now, they are being asked to govern complex AI deployments sprawling across their entire organizations. When governance turns into a bottleneck for them, it’s usually a clear sign that something upstream is off.
What I see, over and over again, is that the struggle is rarely about intentions. It comes down to two connected design choices:
When those two pieces are misaligned, even the most well-written policies start to work against innovation instead of for it.
Modern AI models are probabilistic by nature. Ask the same model the same question twice and you may get two different, reasonable answers. That variability is the magic—it’s what makes AI brilliant for generation, synthesis, and exploration.
Enterprises, however, are built entirely on deterministic systems. Submit the same expense report twice, and you expect the exact same workflow, the same controls, and the same result. Determinism is what makes systems auditable. This is how we demonstrate compliance.
The friction happens when we drop chaotic, probabilistic models directly into deterministic environments without adjusting the underlying architecture.
This challenge becomes even more acute with AI agents—autonomous systems that can act across multiple tools and systems. As Workday CTO Gabe Monroy put it, "What I like to refer to is the concept of lawless agents. They're omniscient. They can see all the things, they can touch and do all the things through lots of tools, but they're fundamentally lawless."
When AI is living in isolated side-car tools and browser extensions outside your systems of record, governance teams face three massive blind spots:
In that setup, risk mitigations like testing, monitoring, explainability, fairness, and record-keeping all become grueling problems. The risks are real—and they are much tougher to manage when AI sits just outside the infrastructure designed for policy enforcement and accountability.
But when AI is built directly into systems of record, that same probabilistic intelligence runs on deterministic rails:
This is what makes governance an accelerator, not a brake. The architecture gives governance teams the visibility they need to say "yes" with real confidence.
Most of the leaders I talk with are dealing with a scattered landscape of "bolted-on" AI. A manager uses a consumer chat tool to draft performance feedback. A recruiter leans on an external, unvetted résumé parser. A finance analyst runs sensitive vendor language through an off-platform summarizer.
On a productivity dashboard, that looks like efficiency. In a system of record, it looks like a human just typed a final answer.
By contrast, when customers use AI that’s embedded in platforms like Workday, they’re benefiting from a different design decision: AI operates where permissions, workflows, and audit trails already live. That makes it much easier for their legal, compliance, risk, and emerging AI governance teams to:
An AI model behaves very differently from a governance standpoint depending entirely on where it runs. Built-in vs. bolted-on is not just a technical detail; it is a profound governance choice.
Governance cannot live only in documents. It has to live in how systems behave.
Before deployment, every AI solution must complete a Risk Evaluation that automatically triggers a set of required safeguards. These include; human-in-the-loop review capabilities, explicit user notices, content moderation, and synthetic content declarations. Steps that ensure the technology has earned its digital clearance to enter the enterprise.
These benchmarks are increasingly tied to public or industry standards as well (e.g.., ISO 42001, NIST AI RMF, ISO 27001, ISO 27701, etc.), giving security and governance teams a clear view of what was tested, who did the testing, and how different systems compare.
Once in use, the AI is continuously monitored at runtime so that policies can allow, block, or revoke actions as conditions change, rather than relying on one‑time approvals.
For governance leaders, that kind of built-in control layer gives them something much sturdier than crossed fingers and a policy PDF. It turns the question, “Is this safe and trustworthy?” from a single moment of judgment into an ongoing capability.
The real test of AI governance isn’t whether you have a committee or who’s on the committee. It’s whether your best people feel they can use AI confidently in the work that matters most.
That confidence comes from a small number of design decisions made up front:
If those pieces are in place, AI governance teams don’t have to constantly be the “no” blocker. They can say “yes, here’s how,” because the architecture is doing the heavy protective work by default.
We’re still early in this journey. We are all learning how to walk a trail that doesn't have a perfect template standing ahead of us. But the pattern is clear: organizations that prioritize built-in AI, backed by clear ownership, move faster and with more confidence than those chasing bolt‑on tools from the edges.
Report