Skip to main content
June 9, 2026Anthropic Launches Claude Fable 5 with Runtime Fallback Safeguards and Mandat...

OPERATIONAL FRAMEWORKS

Your Systems of Record Are Now Agent Infrastructure. Most Organizations Don't Know It Yet.

A two-tier diagnostic for regulated enterprises deploying AI agents on top of Jira, Salesforce, ServiceNow, SAP, Workday, and the Microsoft stack.

v1.0 · April 2026Sougata Roy, sougataroy.com

Free to read and cite with attribution to Sougata Roy and sougataroy.com. Do not republish, rebrand, or claim authorship of any framework, term, or model as your own.

Explore all frameworks

Two tiers, one gap

The substrate can be structurally ready while the organization is not authorized.

The framework separates the technical properties of the system of record from the organizational decision to let an agent use those properties.

Use this overview to ask both questions before assessing any system: can the substrate support agent action, and has the organization authorized the agent to act?

In a twelve-month window ending May 2026, major enterprise systems of record opened their state to AI agents. Atlassian's Rovo MCP Server reached general availability February 3, 2026. Salesforce-hosted MCP servers reached general availability April 28, 2026. ServiceNow's Action Fabric, which opens the full ServiceNow system of action to any external AI agent via a generally available Model Context Protocol server and agent-to-agent protocols, reached general availability May 5, 2026, at Knowledge 2026. SAP announced MCP Gateway capabilities within SAP Integration Suite at TechEd in November 2025, with general availability targeting Q1 2026. Workday's Agent Gateway, built on MCP and A2A protocols, was announced June 2025.

Every one of those announcements describes how agents can read and write inside these systems. None of them addresses who authorized the agent to do so, what business state transition it was sanctioned to perform, or whose name is on the record when something changes.

That gap is not a technology problem. It is an organizational design problem. And it compounds every time an enterprise adds another agent on another substrate with another permission model.

Picture the situation plainly. Your organization deploys a procurement agent that has been tested, approved by IT, and granted the correct technical permissions inside SAP. Six weeks later, a vendor gets flagged incorrectly in a risk workflow because the agent updated a status field that a human would have recognized as a compliance hold. The action was technically permitted. It was not organizationally authorized. The audit log shows the agent ran. It does not show who sanctioned that specific state transition or whether any human reviewed the business condition before the write occurred. When a regulator asks who approved the action, the answer is: the permission model allowed it. That is not the same answer.

Guidance on agentic AI addresses this gap as an observability problem. It strengthens logging requirements. It does not establish accountability where the underlying system cannot express it.

The Agent Substrate Readiness Model separates two questions that enterprise AI governance has been treating as one.

The first question is structural: does this system of record have the technical properties agents need to operate reliably? Durable state outside any single conversation. Defined ownership fields. A state machine with legal transitions. Queryable audit history. A permission model with enforcement.

The second question is organizational: has your enterprise actually authorized agents to use those properties? Not configured them. Not connected them. Authorized them, with a named sponsor, a defined scope, an approval condition for consequential writes, and a clear answer to the question of who is accountable when the agent acts.

Most enterprise AI deployments in 2025 and 2026 can answer the first question. Almost none can fully answer the second.

Tier 1

Structural Readiness

Each question has two possible answers. The system either has the property or it does not. There is no partial credit for "we're working on it."

Closing test

Systems that score five of five on this tier are structural substrates. Systems that score fewer than three need either a structural layer added on top or they should not be in the agent's operating scope.

Tier 2

Substrate Authorization Readiness

Structural readiness tells you whether a system can support agents technically. Substrate authorization readiness tells you whether the system can enforce governed agent action, not just permit it.

Closing test

These are questions about the substrate itself, not about what your organization has decided. If the substrate cannot produce attribution, authorization, and business-state justification on its own, the logging layer your organization adds becomes evidence of activity, not evidence of accountability. What your organization must decide about each agent before deployment is covered by the Organizational Agent Controls framework, which is the companion to this one.

Tier 1

Structural Readiness

Each question has two possible answers. The system either has the property or it does not. There is no partial credit for "we're working on it."

Use these five cards to determine whether the system is a structural substrate or just a content surface the agent will have to interpret.

Editorial system diagram comparing durable systems of record with unstructured content surfaces for agent readiness.

Tier One visual

System of record versus content surface

Durable state, owner fields, state machines, structural verbs, and queryable history determine whether a substrate can support agent action.

01Structural property

Records or content?

Does this system store durable, identifiable records that persist outside any single session? A Jira issue, a Salesforce opportunity, a ServiceNow incident, an SAP purchase order. These are records. A Slack thread, an email chain, a shared document. These are content. Agents can read content, but they cannot reliably act on it without inventing structure that was never formalized.

Risk of absence

The agent has to infer structure from content, which makes action unreliable.

02Structural property

State machine or labels?

Does the system enforce legal state transitions, or does it allow any label at any time? An issue that moves from Open to In Progress to In Review to Closed under defined conditions is a state machine. A tag that anyone can apply or remove at will is a label. Agents need the former to know what they are allowed to do next.

Risk of absence

The agent can move records without a governed transition path.

03Structural property

Explicit ownership or inferred?

Is ownership a field with a named value, or is it something the team figures out from conversation? An assignee field with a current value is ownership. "Whoever last touched it" is inference. Agents cannot act on inference.

Risk of absence

The agent cannot identify the responsible human from the substrate itself.

04Structural property

Structural verbs or conversational ones?

Does the system define actions with formal semantics? Create, assign, resolve, close, escalate, block, approve. Or does it only have reply, forward, comment, and share? Structural verbs are what give an agent a grammar to work with.

Risk of absence

The agent has no formal action grammar to constrain what it may do next.

05Structural property

Queryable history or visible-only?

Can the audit trail be searched, filtered, exported, and used as evidence? Or can it only be seen in a UI? An agent that cannot produce a reconstructable history of its actions is not auditable. A system whose history cannot be queried is not audit-ready.

Risk of absence

The organization cannot reconstruct the agent's action history as evidence.

Tier 2

Substrate Authorization Readiness

Structural readiness tells you whether a system can support agents technically. Substrate authorization readiness tells you whether the system can enforce governed agent action, not just permit it.

Logging captures attribution. Accountability requires attribution, authorization, and business-state justification. The five tests below identify whether the substrate can produce all three. Use these cards to test whether the substrate can support governed agent action, not just technically permitted action.

Editorial evidence record showing a permitted agent write, permission boundary, authorization record, review trigger, and remediation path.

Tier Two visual

Permission is not approval

A technically permitted write still needs a business authorization record, owner field, review trigger, evidence trail, and remediation path.

01Authorization test

Does this substrate distinguish agent identity from human identity in its own audit trail?

Jira, Salesforce, ServiceNow, and SAP each log actions differently. The question is whether this specific system can attribute a write to a non-human actor and distinguish it clearly from the human who invoked it. An audit log that says "modified by integration user" tells you nothing about which agent ran, under whose authorization, or what business condition triggered the action.

Risk of absence

The audit trail cannot prove whether the write was performed by a human, an agent, or an integration account.

02Authorization test

Does this substrate support operation-level authorization, or only resource-level access grants?

Most enterprise systems grant access to objects, tables, or endpoints. That is resource-level control. The governance question is whether this substrate can express something narrower: this agent may change status from Open to Closed only under these defined business conditions, and any other transition requires human review.

Risk of absence

The substrate can permit access without expressing the business condition under which the agent may act.

03Authorization test

Does this substrate's audit trail capture enough to reconstruct the full business state at the time of a write?

Most enterprise systems log what changed and when. Fewer log what the record state was immediately before the change, what condition triggered the agent action, and whether any human approval was part of the workflow.

Risk of absence

The audit trail may show what changed without showing the business state and approval condition at the time of the write.

04Authorization test

Does this substrate have a formally defined remediation path for incorrect agent writes?

A misclassified incident in ServiceNow is an edit. A posted payment in SAP is an accounting event with downstream journal entries. A closed deal in Salesforce may have triggered commission calculations and revenue recognition. The question is whether the substrate's own data model and process design supports clean remediation of an incorrect agent action.

Risk of absence

An incorrect agent write can become a downstream business event without a clean remediation path.

05Authorization test

Does this substrate's MCP or API exposure preserve its internal access controls, or create a bypass path?

The question for each substrate is whether its external interface enforces the same access model the UI enforces, or whether MCP or API exposure creates an access path the substrate's own permission model would not have permitted through the UI.

Risk of absence

The external interface may create an access path that differs from the substrate's own UI permission model.

System-by-system

Substrate profiles for systems of record.

Assess each substrate separately. A system can have strong structural readiness and still leave the organization with an unresolved authorization gap.

Open the profile for the system you are assessing, answer Tier One and Tier Two, then write the gap statement in one sentence.

Substrate profile

Jira

Tier One status

A Jira issue is a durable record with identifiable state, ownership, structural verbs, and history.

Tier Two considerations

The question is whether the organization has authorized the agent to perform the issue transition, not merely whether Jira permits the transition technically.

Remediation boundary

Define which issue transitions an agent may perform, under what business conditions, and when a human must approve the transition.

Substrate profile

Salesforce

Tier One status

Salesforce opportunities and related CRM objects are durable records with ownership, state, structural actions, and audit-relevant history.

Tier Two considerations

The governance question is whether an agent is authorized to change commercial state, not only whether it has object-level access.

Remediation boundary

Bound agent writes to defined sales operations, approval conditions, and accountable ownership for consequential changes.

Substrate profile

ServiceNow

Tier One status

ServiceNow incidents and workflows provide durable records, assignment, state transitions, structural verbs, and queryable operational history.

Tier Two considerations

The question is whether the agent is authorized to update operational state and whether remediation exists when the write is wrong.

Remediation boundary

Separate permitted service actions from consequential operational actions that require review before the agent writes.

Substrate profile

SAP

Tier One status

SAP purchase orders, vendor records, and financial objects are durable systems of record with structured state and consequential writes.

Tier Two considerations

The scenario is explicit: the permission model may allow a procurement agent to update a status field, but that is not the same as organizational authorization.

Remediation boundary

Require approval conditions for consequential writes and document who sanctioned each business state transition before the agent acts.

Substrate profile

Workday

Tier One status

Workday records are systems of record for workforce state, ownership, approvals, and business process transitions.

Tier Two considerations

The governance question is whether the organization has authorized agents to act inside employee and workflow state, not merely connected them through a gateway.

Remediation boundary

Constrain agent actions to explicitly authorized workforce processes and require review for consequential state changes.

Substrate profile

Microsoft stack

Tier One status

Microsoft Entra Agent ID and Purview provide agent identity, sponsorship models, Conditional Access, lifecycle governance, risk signals, and interaction auditability.

Tier Two considerations

Identity and interaction auditability are not authorization completeness. Purview can show that an interaction happened; it does not prove that a named business decision sanctioned the write.

Remediation boundary

Use Entra Agent ID and Purview as substrate evidence, then attach the organizational authorization record above the platform telemetry.

Primary sources

Primary sources, verified March to May 2026.

This framework draws on primary sources from Atlassian, Salesforce, ServiceNow, SAP, Workday, Microsoft, IETF, OWASP, NIST NCCoE, Cloud Security Alliance, FINRA, NSA, CISA, and FBI publications verified between March and May 2026.

Use this section to support the substrate-readiness finding with the verified platform and governance-source base.

Primary source

Microsoft Entra Agent ID documentation

Primary source

Microsoft Agent Framework and Purview integration documentation

Primary source

Microsoft Copilot Studio documentation

Primary source

Atlassian, Salesforce, ServiceNow, SAP, and Workday platform announcements referenced in this framework

Primary source

IETF, OWASP, NIST NCCoE, Cloud Security Alliance, FINRA, NSA, CISA, and FBI publications verified between March and May 2026

Connected frameworks

Where substrate readiness connects to the rest of the governance system.

Organizational Agent Controls is the companion to this one: this framework tests what the substrate can enforce; Organizational Agent Controls tests what the organization must decide before the agent goes live.

Use these cards when the substrate finding points to missing intent architecture, readiness measurement, or chain authorization.

Connected framework

The Intent Architecture Stack

The operating model for documenting context, intent, and governance before an agent is authorized to use a substrate.

Open framework

Connected framework

The Governance Readiness Matrix

Measures whether the organization can count deployed agents and produce the authorization coverage ratio.

Open framework

Connected framework

Chain Authorization Gap

Extends substrate readiness into orchestration chains where one agent calls another.

Open framework

Companion framework

The Organizational Agent Controls

The companion to this one: defines the organizational decisions every enterprise must make before any agent goes live.

Open framework

Cross-platform risk surface

One agent. Five compounding governance problems.

When one agent operates across Jira, Salesforce, ServiceNow, and SAP simultaneously, the enterprise does not have four governance problems. It has five compounding ones.

Use this section after the substrate profile when the agent crosses more than one system of record.

Editorial risk pathway showing one agent crossing multiple systems of record and creating entitlement drift, attribution drift, separation-of-duties drift, audit fragmentation, and rollback asymmetry.

Risk pathway

One agent across five substrates

The same agent action path can compound five different governance problems when evidence, permission, and rollback paths fragment across systems.

Entitlement drift

Each system can enforce least-privilege access within its own boundary. No system reasons over the combined business privilege that results when an agent can read in one, infer in a second, and write in a third.

Attribution drift

One substrate may log the agent identity. A second may log the integration user. A third may log the service principal that granted the role. The action was one. The audit trail is three separate stories.

Segregation-of-duties drift

Each platform enforces its own SoD rules. None of them natively enforces SoD across a business process that spans all four.

Audit fragmentation

Each substrate can tell part of the story of what the agent did. None can alone reconstruct the full justification chain from human intent to business state transition to record change.

Rollback asymmetry

Undoing an incorrect agent action is simple in some systems and consequential in others. A misclassified incident in ServiceNow is an edit. A posted payment in SAP is an accounting event.

A CISO who cannot answer "who authorized that state change, and what was the business condition that made it valid" across all five of these dimensions should not treat the authorization problem as a future-state concern.

Microsoft Entra Agent ID is among the most complete agent identity platforms currently available in the enterprise market. It provides immutable object identities, sponsorship models, Conditional Access, lifecycle governance, and risk signals for agents built on Microsoft platforms.

What it does not cover is documented in Microsoft's own materials. Entra Agent ID governs agents created inside Microsoft Foundry, Copilot Studio, Security Copilot, and Microsoft 365 Copilot, and third-party agents that integrate via the Agent Identity platform. There is no Microsoft documentation claiming that Entra Agent ID governs tool-level authorization inside Salesforce, ServiceNow, SAP, or Workday once the agent is through the door.

Purview addresses interaction auditability, not authorization completeness. The question "did the agent log this interaction" and the question "was this action sanctioned by a named business decision" are different questions, and Purview answers only the first.

After both Entra Agent ID and Purview are deployed in a regulated enterprise, the hardest governance questions remain open: who approved the write, not just the prompt. What policy evaluated the state transition, not just the token request. Whether a downstream record change violated a business control, not just whether the interaction happened.

That is the gap the Agent Substrate Readiness Model is designed to surface before it becomes a finding.

Editorial target-state governance model showing an authorization layer, consequence owner, defined scope, review trigger, evidence trail, production boundary, and systems of record.

Target state

Authorization above the substrate

The governed state puts consequence ownership, scope, approval conditions, audit evidence, and production boundaries above the systems of record before agent action is allowed.