ERP Controls / AI Governance
Finance AI agents can give ERP teams a stronger evidence loop.
ERP vendors are moving AI agents from demos into ledger, payables, expenses, payments, procurement, HR, and workflow execution. The finance teams that get the most from them will design the operating model around evidence first: scoped permissions, policy gates, human review, observable tool calls, and clean audit packets.
Thesis: finance agents should strengthen the system of record.
The practical question for CFOs is no longer whether AI will enter finance systems. It already has. Oracle says Fusion Cloud ERP Release 26B includes generally available finance agents for ledger, expenses, payables, and payments. Workday is building agent-ready tools for HR and finance data, agent verification, and controlled access over Model Context Protocol. Microsoft describes Dynamics 365 as combining agents, Copilot experiences, and AI capabilities across ERP and CRM. SAP positions Joule agents as context-aware agents grounded in business data, process knowledge, and centralized governance.
The opportunity is straightforward: agents can reduce follow-up work, speed exception handling, improve vendor and employee experience, and help controllers find variance explanations before the close becomes a reporting scramble. The control design should be equally straightforward. Finance agents must act inside the ERP control model, not around it. The ERP should remain the source of policy, permissions, accounting state, approvals, and evidence.
That makes the best finance-agent architecture boring in the right way. Let agents observe, recommend, draft, and coordinate. Let deterministic ERP rules decide whether an action is allowed. Let finance owners review high-risk work. Let every decision create an evidence packet that can be replayed during close, audit, incident review, and model evaluation.
Market context from public signals.
The X posts above are useful only as market context. The operating claims in this article are grounded in the source links below: ERP vendor release material, European Commission AI Act guidance, NIST's Generative AI Profile, and PCAOB staff observations on generative AI in audits and financial reporting.
The evidence-first operating model.
| Step | What happens | Evidence to retain |
|---|---|---|
| Observe | The agent reads ERP records, policy documents, open tasks, approvals, and prior exceptions under a scoped service identity. | Read scope, prompt template, retrieved records, source version, user context. |
| Recommend | The agent proposes an action such as invoice routing, variance investigation, payment timing, expense exception handling, or close-task follow-up. | Recommendation payload, confidence band, rationale, linked source records, rejected alternatives. |
| Gate | The ERP applies deterministic policy checks before the agent can post, approve, notify, enrich, or trigger a downstream workflow. | Policy version, authorization result, segregation-of-duties check, threshold result, blocked-action log. |
| Review | A finance owner accepts, edits, rejects, or escalates the recommendation based on materiality, risk, and process ownership. | Reviewer, timestamp, decision, edited fields, reason code, materiality assessment. |
| Execute | The system writes the approved action through ordinary ERP APIs so accounting state, subledger state, and workflow state stay synchronized. | API request, idempotency key, before and after state, posting status, integration response. |
| Evidence | The workflow stores the full decision record for close review, internal controls, audit samples, vendor governance, and model evaluation. | Evidence packet, control ID, model/tool version, retrieval trace, output, reviewer decision, exception outcome. |
Governance belongs in the workflow.
NIST describes its Generative AI Profile as a companion resource to the AI Risk Management Framework for incorporating trustworthiness into the design, development, use, and evaluation of AI systems. The finance translation is concrete: do not make the AI review a side process. Put governance into the workflow object itself.
A bill recommendation should know which vendor, policy, PO, tax rule, approval matrix, and duplicate-control result it touched. A ledger variance draft should know which balances, journal batches, and close tasks it retrieved. A payments agent should know which cash forecast, supplier term, bank rule, and approval gate it considered before suggesting a payment path.
Agent identity
Give every agent its own service identity and separate it from human user credentials.
Prevents borrowed privileges and makes every action attributable.
Scope by workflow
Restrict tools by finance process: AP, AR, expenses, treasury, close, procurement, reporting, or master data.
Limits blast radius and simplifies owner review.
Policy before action
Run deterministic checks before any state-changing action reaches the ERP.
Keeps approval limits, period locks, vendor controls, and SoD rules authoritative.
Human review by risk
Require review for material, unusual, first-time, sensitive, or policy-exception transactions.
Lets low-risk throughput improve while preserving judgment where it matters.
Evidence by default
Store prompts, retrieved records, outputs, approvals, overrides, and final ERP events together.
Turns agent work into auditable process evidence instead of screenshots and anecdotes.
Continuous evaluation
Track accepted recommendations, corrected recommendations, blocked actions, latency, cost, and exception recurrence.
Shows whether the agent is improving operations or just moving work into review queues.
What a good evidence packet looks like.
PCAOB staff observed that generative AI use in audits and financial reporting was limited but evolving quickly, with firms acknowledging the need for strong supervision to guard against risks such as data privacy and security. For preparers, this is a useful warning and a useful invitation. Finance can move faster when the agent output is reviewable, source-backed, and retained in the ordinary audit trail.
Evidence packet example
{
"evidence_packet_id": "aep_close_2026_07_00042",
"workflow": "month_end_variance_review",
"agent": {
"name": "ledger_variance_agent",
"version": "2026.26B.4",
"service_identity": "svc_finance_agent_ledger_read_draft"
},
"request": {
"requested_by": "controller_01",
"prompt_template_version": "var_review_v7",
"period": "2026-06",
"materiality_threshold": 25000
},
"retrieval": {
"records": [
"gl_balance:revenue:2026-06",
"journal_batch:revrec_manual_2026_06",
"close_task:variance_review_revenue"
],
"policy_versions": [
"close_policy_v12",
"journal_review_matrix_v5"
]
},
"recommendation": {
"summary": "Revenue variance is primarily explained by approved June catch-up invoices.",
"proposed_action": "draft_variance_comment",
"confidence": "medium",
"requires_human_review": true
},
"policy_gate": {
"status": "passed",
"reason": "draft-only action; no posting authority requested"
},
"review": {
"decision": "accepted_with_edits",
"reviewed_by": "controller_01",
"reviewed_at": "2026-07-03T16:41:20Z"
}
}agent.recommendation.created
agent.policy_gate.passed
agent.policy_gate.blocked
agent.review.accepted
agent.review.edited
agent.review.rejected
agent.action.executed
agent.evidence_packet.finalized
Implementation checklist.
- Inventory every AI feature already enabled in ERP, EPM, procurement, expense, payments, workflow, document capture, and analytics tools.
- Classify each agent by workflow, data scope, action scope, user group, jurisdiction, and whether it creates external communications or public-facing content.
- Start with recommendations and draft actions before allowing autonomous execution of accounting, payment, master-data, or filing steps.
- Create one finance AI control owner for each workflow, not one generic AI owner for the whole company.
- Map agent actions to existing controls: approval matrix, vendor change control, payment release, period lock, journal review, revenue policy, tax review, and disclosure review.
- Define materiality and sensitivity thresholds that decide when human review is mandatory.
- Log retrieved records, prompt templates, tool calls, model or agent version, policy decisions, and reviewer outcomes in one evidence packet.
- Measure cycle-time improvement, first-pass acceptance, override rate, false positives, blocked actions, cost per completed task, and audit-request readiness.
Constructive failure modes to design around.
Unclear ownership
Assign one finance owner per agent workflow and one technical owner per integration path. Shared ownership works only when the handoff is explicit.
Invisible prompts
Version prompt templates and retrieval sources the same way finance teams version report mappings, approval policies, and close checklists.
Overbroad tools
Give agents narrow tools first: read a vendor, draft a bill comment, propose a variance note, prepare a payment option. Expand after evidence supports it.
Review queue buildup
Use risk-based routing so reviewers see material exceptions, not every low-risk recommendation. Otherwise the agent becomes another inbox.
Weak audit replay
Preserve the source records and tool outputs that existed at decision time. Re-running the agent later is not the same as retaining evidence.
Cost drift
Track tokens, retrieval volume, tool calls, and retries by workflow. Finance agents should earn their place through throughput, control quality, and lower rework.
Questions for ERP and AI vendors.
The vendor demo should show more than a smooth chat panel. Ask for the action boundary, evidence boundary, security model, evaluation model, and recovery path. If the agent touches ledger, payments, payroll, expenses, revenue, tax, or vendor master data, the answer should be precise enough for a controller to test.
Which finance agents can change ERP state today, and which only recommend or draft?
Can each agent run under a distinct service identity with least-privilege permissions and workflow-specific tool scopes?
Does the product preserve prompts, retrieved records, tool calls, model or agent version, policy gate results, reviewer decisions, and final ERP events?
Can finance define materiality thresholds and require human review for sensitive vendors, bank details, journals, payments, revenue, tax, and reporting outputs?
How are agent recommendations evaluated over time, and can the finance team export acceptance, override, rejection, cost, and latency metrics?
Can the system prove that AI-generated public-interest text, external communications, or customer-facing content was reviewed and labelled where required?
The practical path forward.
Finance teams do not need to wait for a perfect cross-company AI governance program before learning from agents. They need one well-scoped workflow, one clear owner, one policy gate, one evidence packet, and one measurement loop. Start where the ERP already has strong state and controls: invoice exceptions, close follow-up, expense review, payment options, vendor data enrichment, variance comments, or procurement intake.
The upside is real. A finance agent can turn hidden follow-up work into visible process data. It can help controllers see recurring exceptions earlier. It can help AP and treasury teams coordinate vendor, cash, and approval decisions with less waiting. It can help ERP buyers ask sharper questions about governance before implementation, not after the first incident. The teams that win will treat agents as controlled participants in the finance workflow, with the ERP as the place where authority, evidence, and outcomes converge.
Sources
Public source links used for the article.
- Oracle Fusion Insider: Agentic AI in ERP, four finance agents generally available in Release 26B
- Workday: build, connect, and verify AI agents for HR, finance, and IT
- Microsoft Learn: Agents, Copilot, and AI capabilities in Dynamics 365 apps
- SAP: Joule Agents and Joule Assistants
- European Commission: AI Act application timeline and risk-based approach
- European Commission: Code of Practice on Transparency of AI-Generated Content
- NIST: Artificial Intelligence Risk Management Framework, Generative AI Profile
- PCAOB: staff observations on generative AI in audits and financial reporting