Workday DevTalk: Compliance Plays Key Role in Developing Innovative and Responsible AI

In this Workday DevTalk episode, Workday’s Andy Cannon, vice president and deputy general counsel, product and technology, and Kathy Pham, vice president, AI, discuss how compliance and technology teams can collaborate to boost AI innovation—responsibly.

Audio also available on Apple Podcasts and Spotify.

A changing world brings a variety of enterprise challenges—and that includes ensuring continuous compliance with global regulations around AI and generative AI. The effort requires nurturing and strengthening relationships between technology and compliance teams within an organization in order to foster innovation while protecting privacy and upholding ethics and integrity.

In a recent episode of Workday DevTalk, Workday’s Andy Cannon, vice president and deputy general counsel, product and technology, and Kathy Pham, vice president, AI, discussed the benefits of product and compliance teams working together to innovate with confidence.

Below are a few highlights from their conversation, edited for clarity. Be sure to follow us wherever you listen to your favorite podcasts, and remember to check out our entire podcast catalog.

  • “When customers go on our customer community website, they can see the explainability aspect of AI. They can see what we’re doing with their data. They can see the control and transparency they have. And at the end of the day, a lot of our customers leverage the Workday ecosystem and the Workday products because of the trust factor with us.”—Andy Cannon

  • “When we’re developing, we want to focus on our users and our customers in solving business problems. And depending on what domain area we happen to be in—maybe it’s HR, maybe it’s finance, maybe it’s government—some of these have maybe higher risk. Some of these actually have legal implications. And when you have someone along the way who’s a partner, you’d say, ‘Oh, hey. If you pick that data field,’ or, ‘Hey, if you release documentation like this, have you considered these compliance issues?’”—Kathy Pham

  • “At Workday DevCon, we have been talking about building with confidence. It has given me this incredible confidence to go ahead and know that there isn’t going to be some scenario at the end where I’m, like, ‘Oh, I didn’t think about that.’ And you had to roll back all these changes, or worse, we launch, and then someone else catches it. That’s what I love so much about working with legal and product counsel teams.”—Kathy Pham

  • “We just want to ensure that [customers] understand that AI is no different than anything else at Workday. We’re building it in the same trust model, same world-class security and privacy. And we want our customers to be comfortable to uptake all of these features.”—Andy Cannon

Kathy Pham: Hello, and welcome back to Workday DevCon. I’m Kathy Pham, Workday’s vice president of AI, and I’m joined by Andy Cannon, vice president and deputy general counsel, Product and Technology, at Workday. Today, we’re going to be talking about the important role of compliance when it comes to building innovative and responsible AI applications. One of my favorite topics. Thanks for being here today, Andy. Can you tell our viewers a little bit about your background in your current role at Workday?

Andy Cannon: Well, I know we were talking about this before, but before I got into legal and compliance, I was actually a developer, so about 15 or 20 years ago. And so I started out as a full-stack developer, and then I had an engineering team for many years, and along the way, I started working with our legal and compliance folks. And I mean, call me crazy, but I kind of got into that, went to law school, and then I’ve been at Workday for eight years now, working with the product and technology teams on the legal side.

Pham: That’s amazing. We’re so lucky to have Andy here with us because you understand so much of what it takes to build systems. And now you also understand the compliance and legal aspects of that to really help our product team. So building on that, how do you view the importance of collaboration between the product teams and the legal teams in developing applications?

Cannon: Well, I mean, from my perspective, I think it’s really of the utmost importance. One of the things that we just recently did is, with this big boom in AI and understanding that our customers are at different steps of their AI journey, we came out with a new contracting model called the Universal MSA, as you know. And the point of that is, is so that our customers can sign one agreement and be able to uptake all of the AI that Workday is delivering to the customers at once without having to sign separate contracts, which I’ll tell you when I do negotiations with vendors and sign stuff for Workday that we use internally, there’s always more documentation to do, and nobody wants to do that. So we’ve started out on this journey. And then, more importantly, we’ve worked with your team and some of the other technology folks to deliver a data governance UI inside Workday. And the whole point of that is so that when customers buy Workday, they can see all of the AI applications that are available to them in one spot, which was not the case before.

It also gives them a compliance dashboard where they can see the data that we’re using to personalize the features for them, gives them complete control over that data. So wherever they are in their journey, they can uptake the AI that is right for their organization to increase the productivity with their workforce. And it’s even more than that. We have security groups that you can set up where, if our team did it, they could put me in the security group, and I can say, “Okay, this is great from a legal compliance and security perspective.” So at the end of the day, when we’re delivering products to our customers, it doesn’t really mean much if they can’t adopt them. And so what we try to do with my team, legal and compliance, we try to make sure that we’re partnering so that we have as much adoption as possible so that our customers can enjoy all of the nice products that we’re building.

Pham: What I think is so powerful and exciting about this story is that when we think about different legal agreements for the sharing of our data, it sounds like your team really took into account the customer experience and the user experience of what it looks like to even share data with Workday. And you built a whole experience for them around that. So building on that, how do you think about partnerships with product and legal teams to enhance the different functionalities we have?

Cannon: Well, I think you just touched on it. So we talk with a lot of our customers all the time, specifically their legal compliance and security groups, and we know what they want. And we know that that’s a barrier to adoption a lot of times. If you don’t have that story right and you don’t have those materials for them, it’s a big deal because they just can’t uptake it. So a lot of times we see it get to kind of almost the finish line, and we can’t get across it because vendors that bring it to us, they’re just not ready for that. So we try to give that perspective to the product and technology teams at Workday. And like I said, with this data governance UI, customers can take information out of Workday, you can deliver it to these compliance and legal teams throughout your organization, and you can just ensure that when you're ready to do it, we're ready to do it and vice versa.

And another thing that I know that you specifically have been working on is we’ve been really expanding our AI fact sheets. And so when customers go on our customer community website, they can see the explainability aspect of AI. They can see what we’re doing with their data. They can see the control and transparency that they have. And at the end of the day, a lot of our customers leverage the Workday ecosystem and the Workday products because of the trust factor with us. And so we just want to ensure that they understand that AI is no different than anything else at Workday. We’re building it in the same trust model, same world-class security and privacy. And we want our customers to be comfortable to uptake all of these features rather than maybe go outside the ecosystem to somebody else.

Pham: Yeah, I love your point about explainability so much. I love our fact sheets. If you haven’t seen them on community, check them out. But it shows that we do explainability at the point of documentation, but there’s also explainability at the point of the user interface. And we figure out how that shows up at different points in the journey of our users and our customers. So thanks for highlighting what having amazing product counsel looks like for partnering with our product teams.

Cannon: Thank you. Well, let me ask you a question now. As a product expert and engineer, I’d love to hear some examples about how you’ve involved the legal team early, and then maybe it’s helped you to positively impact a final product that you've developed.

Pham: Yeah, so I have always felt like having amazing legal teams and product counsel is essentially your superpower. And if you’re lucky enough to have someone who went into legal after being a developer, you’re even luckier. And what I mean by that is when we’re developing, we want to focus on our users and our customers in solving business problems. And depending on what domain area we happen to be in—maybe it’s HR, maybe it’s finance, maybe it’s government—some of these have maybe higher risk. Some of these actually have legal implications. And when you have someone along the way who’s a partner, you’d be like, “Oh, hey. If you pick that data field,” or, “Hey, if you release a documentation like this, have you considered these compliance issues?” And you have it pretty much at every sprint, maybe even every standup. Someone can constantly be a partner to bring up. So it becomes this power, superpower of unblocking any potential blockers in the future. And at DevCon, we have been talking about building with confidence. It has given me this incredible confidence to go ahead and know that there isn’t going to be some scenario at the end where I’m like, “Oh, man. I didn’t think about that.” And you had to roll back all these changes, or worse, we launch and then someone else catches it. That’s what I love so much about working with legal and product counsel teams.

Cannon: Wow, I know we’re recording this, so [laughter] I'm going to bring that home with me and share it with my team, but that’s very well said.

Pham: It’s the best. You’re one of the best. [laughter] I’m going to turn it back to you. What strategies do you employ to ensure that developers understand and prioritize compliance requirements when developing applications?

Cannon: So, I mean, this is probably any organization. One of the things I’ve learned in my time at Workday is: Building relationships is key. When you’re working with your legal compliance and security folks, like you said, I think communication in the beginning is really of the utmost importance. So we hear from our customers, like I said. We know the pain points that they have, and we share that and partner with the product and technology teams all the time. The best thing we can do is when we see something or we hear something changing in the regulations, like we know we have the EU AI Act coming, and we want to inform everybody of what that's going to mean for our organization and even our partners and our ecosystems, like we’re talking about here at DevCon. But if we do that properly, then as the product rolls out, there’s no surprises. And it’s just a really smooth process. And I think that's what we really try to do here at Workday. And I feel like we’ve been pretty successful with it, at least in my time at Workday. And it just seems like it’s getting smoother and smoother, because the more we do that, it’s almost like the product and technology folks are becoming like legal and compliance folks too, which just makes me really, really happy.

Pham: Yeah, and then the legal and compliance folks understand a lot about product technology as well. You mentioned the EU AI Act. Can you share an example of where your team has been able to bring in a piece of regulation or compliance into product and engineering, what that looks like?

Cannon: Yeah, I think, we talked about it before with this data governance dashboard and UI that your team has built along. We’ve partnered with you guys on that, and that’s a really good example of the transparency that’s going to be required. So when we get into high-risk use cases, which we know is going to happen, it’s going to make it that much easier where you can look at our AI fact sheets. We’re going to be testing these features to make sure that they’re compliant with all of the laws, but we really are putting in place something not only just for us, but we’re encouraging our customers to put together a governance program because we know that it’s going to be required for them. So we’re kind of setting the stage for them early. And as we speak to them, when they’re uptaking products at Workday, we’re letting them know that the reason we’re building this is because we want you to be in compliance too. So you should have your lawyers, your security folks, your privacy folks—all part of that—have a seat at the table.

And I think we’re making it easier for them in the UI. One of the things that’s frustrating for me in the industry is when things change, I don’t know what it is. They come to legal once and everything’s good, and then something changes and you hear about it later. But with this new program that we’re building, if there’s a change from the product and technology team, we use the Workday notifications to notify that security group, which could include folks like you and I. And then also, if you have it set up, it’ll email you too. So you’re always going to be in control. It’s always going to be transparent with what Workday’s doing. That is going to help all of our customers comply with all these laws coming down the pipeline, including the EU AI Act.

Pham: Ah, love that example of using process to keep folks informed. And then we build better products along the way. That’s such a great example. Finally, you have worked with so many developers and product managers and clearly have built so much trust with these teams. What advice do you give to developers, product managers, given that we’re at DevCon, to better facilitate collaboration with teams like yours so that we can build better products, we can innovate and stay within regulatory and compliance requirements?

Cannon: So like I said, I think it’s about building relationships. I think what people don’t understand is from a product lawyer perspective or the product compliance perspective, we’re just happy to hang out with the cool kids. [laughter] What I would say is just give us a chance. We might not understand it right away, but we’re trying really, really hard, and we want the same thing that you all want. We want to deliver these products to our customers. We want them to have a great experience with Workday, and we really enjoy partnering with the product and technology folks. And I mean, I've been really, really lucky, like I said, at Workday, to have great partners like you along the way. And I hope that all of our developer community that’s here this week, I hope that they can foster those relationships and have the same experience that I have.

Pham: Yeah. Well, you all are the cool kids to me, [laughter] and you give us superpowers when we develop products. So thank you so much for being here. I look forward to our continued partnership. And to all of our viewers, thank you for tuning in today.
