Workday MCP: What HR Leaders Need to Know

As AI agents become a practical part of how enterprise teams operate, the question of how those agents access Workday data is becoming urgent. Workday has committed to supporting the Model Context Protocol (MCP) as part of its Agent Gateway and Agent System of Record (ASOR) strategy. But the native implementation is not publicly available yet. What is available today is a growing ecosystem of third-party MCP connectors that let AI agents query Workday data right now.

This post covers where Workday stands, what you can do today, what MCP does and does not give you, and the security questions enterprise buyers should be asking before connecting AI agents to their HR system of record.

Where Workday actually stands on MCP

Workday has made its direction clear. At DevCon 2025 (June 2025), Dean Arnold, VP of Agent System of Record, stated: "We're going to make capabilities in our platform available through MCP and through A2A. We want agents to collaborate with agents. We want tools and APIs and data to be surfaced in MCP." Workday's blog post on AI agent protocols elaborated on their strategy: MCP will provide AI agents with access to business data and tools, while Google's Agent-to-Agent (A2A) protocol will enable agent collaboration within the Workday platform.

The Agent Gateway was announced in June 2025 alongside an Agent Partner Network that includes Accenture, AWS, Google Cloud, IBM, Microsoft, and others. Early-adopter availability was slated for end of 2025. As of April 2026, there has been no public launch.

Workday does not have a public MCP server listed in the official MCP registry, their developer documentation, or GitHub. The commitment is real. The native implementation is not yet shipping to customers.

How to connect AI agents to Workday today

While Workday's native MCP support is still on the horizon, several third-party providers have built MCP servers that connect to Workday's existing APIs. These are production-ready today and let AI agents (Claude, ChatGPT, Cursor, and others) query and act on Workday data through the MCP standard. The notable ones: Zapier (wraps Workday actions like approving tasks, hiring employees, and creating requisitions into its broader MCP infrastructure), CData (read-focused, translates natural language queries into Workday API calls for headcount, payroll, and performance data), and Knit (serverless MCP server exposing HRIS actions like leave requests, compensation updates, and document uploads).

For enterprise Workday buyers, Merge is the one worth looking at closely. Its MCP server covers absence management (PTO balances, leave requests, eligible absence types), custom object definitions, and worker data. What sets it apart is built-in data loss protection (DLP): Merge scans tool inputs and outputs for sensitive information and can block, redact, or mask fields like SSNs or passport numbers before they reach the AI agent. It also provides full request logging, which matters for the governance questions in the next section.

All of these connectors sit between Workday's existing API layer and the MCP protocol. They are translating Workday's REST and SOAP APIs into MCP-compatible tool interfaces. None are using a native Workday MCP server. That distinction matters for governance.

The governance question enterprise buyers actually ask

When the topic of connecting AI agents to Workday comes up in enterprise environments, the first response is rarely "what can it do?" It is "who controls what it can access?"

This is well-founded. Enterprise Workday customers are raising these questions in community forums, vendor evaluations, and internal security reviews. The core questions are consistent:

Permission inheritance. Do the AI agent's queries respect Workday's existing security groups and role-based access controls? With third-party connectors, the answer depends on how the connector authenticates. Most use a service account or OAuth token, which means the agent operates at whatever permission level that account has been granted. This is not the same as inheriting the requesting user's permissions. Enterprise teams need to scope these accounts carefully.

Data residency and PII exposure. Workday tenants contain some of the most sensitive data in any organisation: compensation, performance reviews, personal identifiers, immigration status, medical leave. Connecting an MCP server means that data can flow to an AI client. Merge's DLP rules are one approach to containing that risk. Others rely on network-level controls or restricting which Workday API endpoints the connector can access.

Audit trails. When an AI agent queries "list all employees in the London office with salaries above £80,000," who logged that request? Third-party connectors vary in their audit capabilities. Merge provides full request logging. Others may log at the connector level but not at the Workday level. Enterprise buyers should verify that the audit trail is continuous from the user prompt through to the Workday API call.

SSO and identity. Most connectors authenticate at the application level, not the user level. That means the AI agent doesn't know who is asking the question, only that the connector has access. For read-only analytics queries, this may be acceptable. For anything involving PII or write actions, tying the request back to a specific user identity (via SSO or IDP integration) is a baseline requirement.

Workday's own ASOR framework, when it ships with native MCP, promises centralized agent registry, access controls, policy enforcement, and real-time monitoring. That is the enterprise-grade governance model these teams are waiting for. In the meantime, third-party connectors require more manual governance setup.

The gap MCP doesn't close

Whether you connect to Workday through a native MCP server or a third-party connector, the outcome is the same: AI agents can query your HR data. They can answer questions about headcount, check who is on leave, pull compensation bands, and surface org structure.

What they cannot do is create the employee experience that turns that data into outcomes.

MCP will not send the welcome message to the new hire that Workday just provisioned. It will not run a structured onboarding track across their first 90 days. It will not deliver the compliance training that the org structure says they need. It will not announce the work anniversary that the records flag. It will not introduce them to their buddy on day two.

These are not data queries. They are workflows: triggered, sequenced, scheduled, and delivered in the tool employees actually use. MCP surfaces the data. The last-mile experience layer is still missing.

Where Doozy fits

Doozy connects to Workday and turns HR data into Slack-native employee experiences. New hire data triggers onboarding flows. Birthday and anniversary dates trigger celebrations. Role and department data drive learning paths and introductions. All of it runs automatically in Slack, where your team already works.

MCP is the data protocol. Doozy is the experience layer. They solve different problems, and enterprise teams running Workday need both. Doozy is SOC 2 Type 2 certified and processes only the HRIS fields its workflows require.

Doozy's existing Workday integration is live now. The coming MCP layer will add AI agent coordination on top: agents that can query onboarding progress, check training completion, or trigger specific workflows alongside your Workday and Slack MCP data in a single conversation.

If you are evaluating how to connect Workday to Slack, start with what is available today. The HRIS integration handles the experience layer. MCP (through the third-party connectors above, and eventually through Workday's native support) handles the data query layer. Running both gives your team the full picture.

For more on how MCP fits into the broader HR stack, see Gusto MCP and what AI agents mean for HR teams.

Getting started

Doozy's Workday integration: available now. Connect Workday to Doozy and your HRIS data drives Slack workflows automatically: onboarding, celebrations, introductions, learning, and time-off announcements.

Third-party Workday MCP connectors: available now. Zapier, CData, Knit, and Merge all offer production-ready MCP servers for Workday data access.

Workday's native MCP support: announced, not yet shipping. When it lands, expect tighter governance integration through the Agent System of Record.

Add Doozy to Slack · See the Workday integration · Explore all HRIS integrations