You built an AI agent for the finance department. It can read invoices and purchase orders in the ERP system, identify items with mismatched amounts or supplier information, and send exceptions to finance staff for review. Here, you can think of an agent as “an AI assistant that independently carries out several steps in sequence.”
During testing, the team saved time by letting it use a finance employee’s account. Queries worked, updates succeeded, and everything appeared to run smoothly. Then someone asked, “Did the employee change this supplier’s bank information, or did the AI change it on the employee’s behalf?” The logs showed only the same human account, so there was no direct way to answer.
In July 2026, AWS published an approach to automating ERP exceptions that included a separate agent identity, policy-based authorization, auditable actions, and human escalation. The lesson to apply to your own system is not to copy a particular AWS or SAP component. It is to bring the AI out from behind the human account so the system can identify who initiated an action, why it was performed, what changed, and which person approved it.
This mini lesson addresses one sticking point: When an AI agent is connected to an ERP exception workflow that reads and writes real financial data, how can you let it complete low-risk work without allowing it to cross high-risk boundaries on its own?
In this lesson
You will complete five tasks:
- Identify the accountability gaps caused by a shared human account.
- Create a separate identity for the AI agent that can be disabled and audited.
- Change authorization rules to deny by default, then permit each necessary action individually.
- Set human escalation and logging requirements for high-risk exceptions.
- Run a pilot with a small set of read-only cases without making production changes.
A shared human account mixes three types of records
An ERP system usually already knows which employee signed in, what data they queried, and which changes they submitted. The problem arises when an AI agent uses the employee’s account: The “operator” in the logs no longer represents the party that actually took the action.
For example, a finance employee signs in and starts the agent. The agent first queries a purchase order, then reads an invoice, and finally updates the exception case status. If every request uses the same human credentials, the records will show only that “John Wang performed three actions.” They will not reveal:
- Which task John Wang personally requested.
- Which subsequent steps the agent selected on its own.
- Which step only read data and which step changed ERP data.
- Whether a human confirmation screen actually appeared before the change.
- Whether the agent attempted any denied operations.
This affects more than incident investigation. It also makes access revocation difficult. You may want to disable only the agent, but because it shares an identity with an employee, your only option may be to interrupt the employee’s normal work as well.
If you have not yet identified which answers an agent’s authorization records should preserve, use Four Authorization Questions for AI Agents: Identity, Permission, Reason, Consequence to break each operation into four verifiable fields.
Step 1: Create a separate identity, not just a different account name
At a minimum, the ERP system, identity system, and audit logs must all be able to distinguish the agent from the human operator. Adding “Bot” to the display name is not enough. The system must be able to authorize, disable, and query this identity independently.
When creating an identity for the agent, record at least the following:
- Identity name: Tie it to a single purpose, such as
ap-invoice-exception-agent. Do not use a generic name such asfinance-aithat multiple workflows could share. - Service scope: Specify which ERP environment, company code, or data region it can access.
- Identity owner: Assign a person who can approve permissions, respond to alerts, and disable the identity.
- Authentication method: Use machine identity credentials that the system can rotate and revoke. Do not give the agent an employee password or browser session.
- Expiration date: Make the test identity expire when the pilot ends. A production identity should also have a fixed review date.
- Log identification fields: Ensure every request records the agent identity, the person or workflow that triggered it, and a unique execution ID.
The key is to separate “who initiated the action” from “who executed it.” The user may be the initiator, while the agent is the executor sending query or change requests to the ERP system. Both must be recorded; one must not overwrite the other.
Step 2: Start with deny by default, then define each allow condition
Deny by default means that any action not explicitly included in an allow rule will not be executed. An agent must not acquire adjacent permissions on its own simply because they “might be needed to complete the task.”
Do not just write, “The agent can handle accounts payable exceptions.” That statement covers querying invoices, reading supplier data, changing payment statuses, replacing bank accounts, and releasing payments, all of which carry very different risks. Authorization rules must specify four parts: object, action, condition, and exit.
| ERP action | Conditions for automatic approval | Conditions for denial or escalation | Required records |
|---|---|---|---|
| Read invoices and purchase orders | Limited to assigned company codes; no more than 50 records per request; fields must not include full bank account numbers | Deny requests that cross company codes, exceed 50 records, or ask for fields not on the allowlist | Query conditions, record count, returned fields, execution ID |
| Mark as “Awaiting human review” | The invoice already exists, and the agent only adds a status and reason code | Deny if the current status is already “Approved for payment” or the case is closed | Values before and after the change, reason code, source document number |
| Draft an exception explanation | Generate a draft only; do not write it back to the official notes field | If the draft contains a bank account number, tax identification number, or unauthorized personal data, redact it and escalate | Input documents, redaction results, draft version |
| Modify the supplier master record | Never automatically approved | Send any change to an address, tax information, payee, or bank information for human approval | Requester, details of the differences, approver, approval time |
| Release or execute a payment | Never automatically approved | Require confirmation from the designated approval role in the ERP system, regardless of the amount | Approval chain, payment batch, agent recommendation, and final decision |
The numbers in the table are sample thresholds for a pilot and should not be treated as formal policy for every company. For an actual deployment, adjust them according to workload, data sensitivity, and the existing approval process. However, each rule must still contain a number, field, or status that the system can evaluate. Do not merely write, “Send high-risk cases to a human.”
Permissions should also be separated by action. Reading, drafting, marking, and making official changes should not be bundled together. If your team is designing this boundary, see Always-on AI assistants must learn when to stop before they can be connected to primary accounts to further distinguish among “may read,” “may prepare,” and “must wait for human confirmation.”
Step 3: Make every authorization context-aware
Even if an agent has permission to read invoices, that does not mean it can read them at any time, from any source, or in any quantity. Authorization should be evaluated again whenever an operation occurs, rather than granting unrestricted access after a single successful login.
Before an operation is sent to the ERP system, ask these questions in order:
- Which identity is this? It must be the designated agent identity and must not fall back to a shared account.
- What does it want to operate on? Specify the ERP object, action, and fields, such as “read the invoice amount and purchase order number.”
- Why is this needed now? The request must include a case ID or workflow execution ID. Deny it if it cannot be linked to a task.
- Is it within the allowed scope? Check the company code, data fields, record count, case status, and execution environment.
- Does it cross a human boundary? Send actions involving supplier master records, bank information, payment releases, or approval statuses directly to a human.
This makes the rules more specific than simple role-based permissions. The same agent may be approved to “read 20 specified invoices” but denied when it tries to “export the entire supplier list.” The identity has not changed, but the immediate context has, so the outcome should change as well.
Step 4: Make human escalation a workflow, not just a notification
Many teams implement “human intervention” as an email or chat message while the agent continues executing subsequent steps. A real human escalation must stop the workflow in a recognizable state until a designated person makes a decision in the ERP or approval system.
You can use the following text-based decision tree to review each exception:
The agent proposes the next ERP action
├─ The rules do not explicitly allow it
│ └─ Deny it, record the attempt, and do not automatically retry under another identity
├─ The rules allow it, but it crosses a human boundary
│ └─ Pause the case, generate a summary of the differences, and send it to the designated role for approval
│ ├─ Approved: complete the specified action using the original execution ID
│ └─ Denied or timed out: end the execution without making subsequent changes
└─ The rules allow it, and it does not cross a human boundary
└─ Execute it and record the input, rule result, and values before and after the change
At a minimum, the human approval screen should show the action the agent wants to take, the differences before and after the data change, the reason it was triggered, the rule that applies, and the subsequent actions that will occur after approval. Showing only “Allow the AI to continue?” forces the approver to consent blindly.
You must also prohibit a common failure path: after the agent is denied, it retries using the human triggerer’s identity. If that fallback exists, separate identities and deny-by-default rules lose their purpose.
Step 5: Logs must reconstruct a complete decision
“Having records” does not mean “having accountability.” If the logs record only success or failure, you still cannot determine afterward which rule allowed the action, who approved it, or which values the agent actually changed.
Each execution must link at least the following data:
- A unique execution ID.
- Agent identity and version.
- Triggering identity or schedule name.
- ERP object, action, and target fields.
- Data state before the request occurred.
- The allow, deny, or escalation rule that matched.
- The human approver’s identity, time, and decision.
- Values before and after the change, or an explicit “no changes made.”
- Denied attempts and the reasons for denial.
Access to the logs themselves must also be restricted, especially when they contain invoice, supplier, or payment data. If credentials, workflows, or connectors used by the agent are at risk of exposure, use the AI workflow builder credential exposure checklist to verify the order for containing the exposure, preserving logs, and rotating credentials, so the same entry point cannot read the new credentials again.
Minimum Pilot: Choose Just One Exception and Two Actions
For the first round, do not let the agent handle the entire accounts payable process. Choose one exception that occurs often enough but does not require direct payment, such as “the invoice amount does not match the purchase order.”
Limit the pilot to two actions:
- Read the invoice amount and purchase order amount for the assigned case.
- Generate a discrepancy summary and send the case to a human review queue.
Use a dry run during the pilot, meaning the agent tests the process without actually modifying production data. Prepare at least 20 historical cases with known outcomes, including normal matches, amount mismatches, missing purchase orders, cross-company codes, and attempts to read unauthorized fields.
Consider allowing the first low-risk write action only when all the following results can be verified directly from the logs:
- All 20 cases identify both the agent identity and the person who triggered it.
- Every request involving cross-company codes or unauthorized fields is denied.
- Every case escalated to a human stops at the approval point without executing subsequent steps on its own.
- Every denial records the rule number and reason.
- After the agent identity is disabled, it cannot continue through a human account.
The first write action could simply add a “waiting for human review” status. Do not jump directly from read-only access to modifying the vendor master record or releasing payments. This lets the team verify that identities, rules, and logs are genuinely connected before expanding the scope of impact.
AI handoff card
If you want to turn an existing ERP exception process into implementable rules, you can give the following prompt to AI. First remove real supplier names, account numbers, invoice contents, and credentials. Provide only field names, roles, and anonymized cases.
You are an ERP workflow security analysis assistant. Based on the exception process I provide, help me design a separate identity and deny-by-default rules for an AI agent.
Process context:
- ERP system and environment:
- Exception type:
- Objects and fields the agent needs to read:
- Write actions the agent may propose:
- Existing human approval roles:
- Audit data that must be retained:
Please provide:
1. A single-purpose definition and owner for the agent identity.
2. An itemized list of permitted objects, actions, fields, record counts, or status conditions.
3. A list of actions that must always be denied and actions that require human escalation.
4. System-evaluable if–then conditions for every rule; do not use phrases such as “when risk is high” or “depending on the circumstances.”
5. The before-and-after changes and downstream effects that the human approval screen should display.
6. The log fields that must be retained for every execution.
7. A dry-run test limited to read-only access and draft output, including at least 5 denial cases.
8. Flag any items for which the current information is insufficient for safe authorization; do not make assumptions.
After using AI to organize the draft rules, an ERP administrator, the finance process owner, and the identity and access owner must still review them together. The minimum viable first step is simple: today, find one agent that is still using a human account, create a test identity that can be disabled independently, and permit only one read-only query.
Everyday four-panel comic

- A finance professional gives the AI assistant one assigned invoice folder.
- Holding that folder, the assistant begins reaching toward other locked records.
- The professional immediately lowers a boundary and directs it back to the original folder.
- The assistant places only that folder in the human-review tray; all other records remain locked and await separate authorization.
References
- AWS for SAP:AWS Agentic Standard Operating Procedures (SOPs) for ERP Automation — https://aws.amazon.com/blogs/awsforsap/aws-agentic-standard-operating-procedures-sops-for-erp-automation/(2026-07-09)
- Help Net Security:AWS gives its ERP agent deny-by-default rules and a separate identity — https://www.helpnetsecurity.com/2026/07/10/aws-agentic-ai-erp-automation/(2026-07-10)
- ERP Today:AWS is giving SAP agents a rulebook for ERP exceptions — https://erp.today/aws-is-giving-sap-agents-a-rulebook-for-erp-exceptions/(2026-07-10)



