AWS gives its ERP agent deny-by-default rules and a separate identity

Accounts receivable teams at large companies spend hours each day matching incoming bank payments to invoices by hand. When those payments sit unmatched for days, cash flow suffers and days sales outstanding climbs. The same pattern repeats across blocked invoices, purchase order approval holds, month-end close, and intercompany reconciliations in almost every industry. Built-in ERP automation, including SAP’s three-way match, still leaves plenty of these exceptions for people to sort out.

agentic AI ERP automation

AWS has released a framework meant to hand much of that work to a single AI agent. The AWS Agentic AI Solutions Framework for SAP use cases runs on Amazon Bedrock AgentCore and uses Strands, the company’s open source agentic SDK. One agent reads standard operating procedures written in plain language, pulls the right one for a given exception, and works through the steps across SAP and connected systems. Business teams own the procedures, so a change to how an exception gets handled means editing the SOP, and code stays untouched.

Earlier automation methods struggled with this kind of work. Robotic process automation copied UI clicks and broke the moment a screen layout changed. Classical machine learning could predict where exceptions would appear. Resolving them stayed out of reach. Foundation models changed the equation by reasoning over written procedures, calling tools across system boundaries, and holding context through multi-step work.

Trust that grows in stages

“Agents start in advisory mode, where humans take every action. As confidence builds, agents move to supervised execution, and eventually to autonomous resolution, acting independently only when confidence exceeds a defined threshold. You expand automation only as fast as you establish trust,” the AWS team explained.

Determinism sits at the center of the design. Because language models produce probabilistic output, the same input can yield different results, so the framework applies layered controls to pin behavior down. Controlled model parameters, structured prompts, retrieval from approved SOP content and live system data, runtime guardrails, and multi-agent cross-verification each play a part. Grounding responses in retrieved documents keeps the agent reasoning from authoritative sources and cuts hallucinated API calls.

Who did what, recorded for auditors

Every action gets tied to an identity. During autonomous work, the agent authenticates with its own service account through OAuth 2.0 two-legged authentication. When a person steps in, AgentCore Identity switches to three-legged authentication and carries that person’s verified identity through to the target system. Compliance teams can then separate agent-initiated actions from human-approved ones in the log, a requirement under Sarbanes-Oxley controls.

Cedar, AWS’s open source authorization language, governs what each identity may do. Policies weigh the principal’s identity, the tool being called, the resource, and the request context, and the system denies everything by default. A team can write a rule allowing the agent to read any purchase order and to post journal entries only below $50,000, and AgentCore Policy enforces it at the gateway before the call reaches SAP. Policies can be authored in Cedar syntax or in plain English, with automated reasoning flagging rules that grant too much or too little.

A dedicated state layer in DynamoDB captures the whole exception lifecycle as immutable, append-only records: reasoning traces, tool invocations with authenticated identities, escalation events, human decisions, and resolution outcomes. Amazon CloudWatch watches agent performance and alerts operations staff when behavior drifts from expected baselines.

Purchase order accruals at one manufacturer

A global manufacturer applied the framework to more than $250 million in custom tooling purchases spread across more than a thousand active purchase orders. The agent retrieves the applicable SOP, resolves each order through the right workflow, and creates parked journal entries in SAP for finance to approve. Work that once took over a month of manual effort per close cycle now finishes in minutes per order.

The detection loop leans on Amazon EventBridge, which triggers a Lambda function on a schedule set by default to every five minutes. That function polls SAP OData services for new exceptions and writes each to a DynamoDB table. When an exception meets the confidence bar and needs no sign-off, the agent acts. When it crosses a materiality threshold or the agent’s confidence runs low, a structured email goes out through Amazon SES and the case waits for a reply.

AWS published the reference implementation as open source sample code on GitHub, complete with the Strands agent, an MCP server tied to SAP OData, DynamoDB state management, and the human-in-the-loop workflow. A Streamlit dashboard ships with it for teams that want a window into the process.

Download: Secure Foundations for AI Workloads on AWS

Don't miss