More than $285 billion has been wiped from software stocks since early February. The catalyst was Anthropic’s Claude Cowork launch, but the roots run deeper - public SaaS growth rates have been declining every quarter since the 2021 peak, and AI gave the market permission to reprice what the fundamentals had been whispering for three years. SaaS price-to-sales ratios have compressed from 9x to 6x. The median EV/Revenue multiple for public SaaS has fallen to 5.1x, down from a pandemic peak of nearly 19x.

This is creating what I believe will be one of the best buying opportunities in enterprise software we’ll see in a generation. But I want to be honest: we’re probably not at the bottom. The dust could take another 12 to 18 months to settle. Workday reports earnings tonight, and I expect another sell-off regardless of what they say. Salesforce reports later this week, and that will likely trigger a second wave. The market isn’t listening to nuance right now.

But that’s exactly why this matters.

My focus has been on SaaS companies that function as systems of record - the legally mandated, deeply embedded platforms that hold an enterprise’s most sensitive and regulated data. I’ve written about why this distinction matters here and explored the broader framework here.

What has seemed obvious to me from the start (and perhaps why I’ve been early rather than right) is that it seems quite simple as to why enterprise systems of record should do well in an AI world. Perhaps they won’t grow as fast as they once did, but that deceleration was already happening before AI entered the conversation. Strip out price increases from recent earnings across the sector, and net new customer numbers were weak across the board. Growth was already coming from vendors raising prices on captive customers, not from explosive new logo acquisition.

Meanwhile, the rotation out of software and into consumer staples like Coca-Cola is, to put it bluntly, insane. If you think enterprise software growth is slowing, fine. But are Coca-Cola and Procter & Gamble going to grow at rates that justify the P/E premiums they’re currently commanding? The market is paying up for “safety” in businesses with low single-digit revenue growth while dumping companies with 15-20% growth rates and enormous competitive moats. That math doesn’t hold over any reasonable time horizon.

Workday has always been, to me, the epitome of what protects a system of record from AI disruption. With their earnings approaching tonight (and with the likely sell-off that follows no matter what management says), here’s what I think makes a system of record not just resilient to AI, but potentially stronger because of it.

The Bear Case Has a Fatal Flaw in Its Pricing Model

This might be the single most important insight in this entire analysis, and it’s the one the market seems to be completely ignoring.

The dominant bear narrative goes like this: AI reduces the number of “seats” enterprises need, compressing SaaS revenue. For per-user-seat software (project management tools, writing assistants, analytics platforms) this logic holds. AI genuinely does threaten those businesses.

But the bears have applied this same logic uniformly across the entire software sector, and that’s where it falls apart for Workday.

Workday charges $34–42 per employee per month (PEPM) based on total headcount - not per user seat. Revenue is a function of how many people are on the company’s payroll, not how many HR administrators log into the system. If AI allows an HR department to operate with 50 admins instead of 500, Workday’s revenue doesn’t change at all, because Workday was never charging for those admin seats. It charges for the 50,000 employees those admins manage.

The only scenario where Workday’s revenue actually shrinks from “seat compression” is if companies reduce their total workforce - meaning massive unemployment and workforce displacement. That’s a macroeconomic catastrophe affecting all sectors, not a SaaS-specific disruption.

And here’s the logical contradiction the market hasn’t reconciled: the SaaS sell-off has been sector-specific while the S&P 500 trades near record highs. The market is simultaneously pricing in two contradictory scenarios - an economy healthy enough for a broad market rebound, but enterprises firing enough people to crush headcount-based software revenue. Both can’t be true.

Salesforce follows similar logic. Their seats are primarily for sales reps who need pipeline visibility, relationship management, and activity logging for commissions. Even if AI helps reps work faster, the rep still needs their seat.

The Compliance Fortress

Let’s say you wanted to replace Workday. You’d need to replicate this compliance stack, which represents years of investment and tens of millions in audit fees:

• SOC 1 Type II — internal controls over financial reporting

• SOC 2 Type II — all five Trust Services Criteria plus NIST CSF and 800-171 mapping

• ISO 27001 / 27017 / 27018 / 27701 — information security, cloud security, PII protection, privacy management

• ISO/IEC 42001 — AI management systems (Workday is one of the first major SaaS providers to achieve this)

• HIPAA Attestation — protected health information handling

• FedRAMP Moderate — US federal government cloud security

• EU Binding Corporate Rules — cross-border data transfers approved by EU DPAs

• APEC CBPR & PRP — Asia-Pacific cross-border privacy

• TX-RAMP Level 2 — Texas state agency data protection

• G-Cloud — UK government cloud services

Now imagine you’re a Fortune 500 CHRO. You walk into the board meeting and propose ripping out the platform that holds every employee’s social security number, salary, health data, and performance records - with SOC 2, FedRAMP, HIPAA, GDPR BCRs, and ISO certifications - and replacing it with something your team vibe-coded over a few weekends. Or maybe you want to pipe all that data into Claude or GPT, are Anthropic and OpenAI going to be taking on this liability? - Ask their chatbots and find out.

The General Counsel would block it. The CISO would escalate to the board. The audit committee would shut it down before you finished the sentence.

This is arguably the strongest pillar of the bull case, and the market is completely ignoring it.

The Data Privacy Wall

Beyond Workday’s own compliance infrastructure, there’s an even bigger barrier: the regulatory environment around using AI with employee data is actively tightening.

Under GDPR, employee consent cannot serve as the legal basis for AI processing of their data due to the employer-employee power imbalance. Any information provided to freely accessible LLMs will generally be shared with the developer of that system, making public AI tools fundamentally incompatible with employee data handling requirements. A Data Protection Impact Assessment is legally required before deploying any new AI technology that processes personal employee data.

The EU AI Act goes further. It specifically classifies AI systems used in employment decisions as high-risk. Any AI used to recruit, hire, terminate, allocate tasks, or evaluate workers triggers mandatory documentation, detailed risk assessments, and human oversight obligations. This applies extraterritorially to any company processing EU employee data.

The practical implication: an enterprise legally cannot just open up its system of record data to a third-party LLM. The regulatory environment makes it nearly impossible. This isn’t a feature gap that gets closed in the next model update - it’s a structural legal barrier that gets more restrictive over time, not less.

The Walled Garden: Why Workday’s AI Architecture Is the Right Answer

Where Salesforce built a bolt-on “Einstein Trust Layer” to mask PII before sending data to external LLMs, Workday took a fundamentally different approach: the data never leaves the building.

Workday runs its own LLMs, optimised for HR and finance data, directly inside its own infrastructure under the Workday Illuminate brand. Customer data is contractually guaranteed never to be shared to train third-party models. Because AI processing happens entirely within the already-audited, SOC 2 compliant perimeter, there’s no need for a data masking layer at all.

The AI inherits the exact security profile of the user interacting with it. If a login can’t access a specific compensation plan in the normal dashboard, the AI is physically incapable of querying that data. This eliminates the biggest enterprise fear around AI - the intern asking a chatbot “What is [Insert colleague’s I want to know gets paid more than me’s name] salary?” and actually getting an answer.

Salesforce secures AI by putting a heavy filter on the exit door. Workday secures AI by never letting the data leave the building in the first place. In a world where CISOs hold veto power, that architectural difference matters enormously.

AI as Growth Vector, Not a Replacement

Workday announced Workday Build at their Rising 2025 conference - a developer platform that transforms the company from an AI consumption model to an AI creation platform. Key components include:

Agent System of Record (ASOR): MCP-compliant APIs that connect third-party AI agents to Workday, enabling agent registration and agent-to-agent collaboration. This positions Workday as the system of record for AI agents themselves - which for an agent wanting access to the HR and Finance systems of record, this is the only path allowed without the LLM’s taking on the compliance liability themselves.

Zero-Copy Data Cloud: Customers can connect HR and finance data to platforms like Snowflake and Databricks without the data ever leaving Workday’s perimeter. External tools query it; Workday retains custody.

Flex Credits: A consumption-based pricing layer sitting on top of the existing PEPM subscription. This adds a new revenue stream without cannibalising the core model.

Sana Labs Acquisition ($1.1B): An AI knowledge management firm whose agent and learning platforms will be integrated into Workday, positioning it as “the new front door for work.” Importantly, with the compliance pass to access the systems of record directly.

Every enterprise developer who builds on Workday Build instead of vibe-coding a standalone tool is deepening the moat, not eroding it. AI isn’t the threat to Workday - it’s the next expansion vector.

The Framework: Systems of Record vs. Systems of Intelligence

The February sell-off (and continuation of) treated all SaaS uniformly, but AI disruption is causing a massive split in the software market. The framework is straightforward: the further a product is from “helping humans think and create” and the closer it is to “being the legally mandated single source of truth for regulated data,” the safer it is.

Genuinely vulnerable - project management tools (a PM could rebuild one in Replit over a weekend), content creation assistants (directly replaced by LLMs), basic support chatbots (commodity AI), workflow automations and admin dashboards, simple BI tools.

Protected - multi-country payroll engines with tax compliance across 50+ jurisdictions, benefits enrolment with carrier integrations, SOX compliance for financial close (audit trails are not optional), workforce planning tied to headcount budgets, core ERP, HCM, and financial management platforms.

There’s a deeper distinction here too. AI excels at probabilistic tasks - systems that can tolerate errors like chatbots, content recommendation, and basic support. But deterministic systems, where a correct answer is required 100% of the time, are actually strengthened by AI as a complementary layer. A system that provides the correct answer six out of ten times is useless for underwriting, payroll, or regulatory compliance. These processes demand 100% consistency.

LLMs interpret human intent. Deterministic systems execute actual work. The deterministic systems aren’t being disrupted, the operator is. Workday sits firmly on the deterministic side.

Going Into Earnings

The risk tonight isn’t that Workday’s business is broken. The evidence across every angle - ground-level developer sentiment, pricing model analysis, compliance architecture, regulatory barriers - points to a significant disconnect between the market’s pricing and the actual threat from AI disruption.

Even if management articulates the distinction between Workday and genuinely vulnerable SaaS names, gives strong guidance, successfully addresses the AI fear narrative and goes unchallenged on the call, the stock likely sells off further. If they clearly communicate that pipeline is strong, retention rates haven’t moved, and that their compliance moat and AI architecture make them fundamentally different from point-solution SaaS, I expect another sell-off tonight. And probably another when Salesforce reports. The market isn’t in a mood to listen.

But this is a sentiment and valuation story, not a fundamental business deterioration story. The market applied a generic narrative uniformly across the entire sector without differentiating between Saas companies.

That’s a potentially meaningful mispricing - if you’re willing to be patient for 12 to 18 months while the dust settles.

Not financial advice. Based on publicly available information and research.