AI inside an ERP creates value when it cuts down on classification, search and decision-prep work, but it should never gain permissions equivalent to an administrator. Low-impact functions can be automated with sampling; payments, closings, vendor onboarding, tax changes and decisions about people require deterministic rules, validation and approval.
Use cases by risk level
| Case | Benefit | Control |
|---|---|---|
| Classify documents | Less manual work | Sampling |
| Extract fields | Faster data entry | Per-field validation |
| Forecast demand | Better planning | Baseline comparison |
| Detect anomalies | Early warning | Human investigation |
| Draft journal entry | Time savings | Accounting approval |
| Create payment | High impact | Dual approval |
| Change master record | Cross-system effect | Controlled workflow |
Autonomy only increases with evidence.
Architecture
AI should never write directly to the ERP's tables. The system exposes bounded tools through APIs or services that validate schema, identity, permission, rule and context before executing any action.
The layers of this architecture are:
- User and agent identity.
- Access policy.
- Retrieval of authorised data.
- Model.
- Tool.
- Deterministic validation.
- Approval.
- Traceability.
Data and master records
A model working on duplicate or incomplete data speeds up errors instead of reducing them. Before rolling out any feature, customers, products, taxes, vendors, units and statuses must be reviewed.
Inferred outputs are flagged as proposals, never as facts. The system keeps the source, the confidence level and the person who validated each piece of data.
Document extraction
For invoices, orders or contracts, accuracy is measured field by field. The tax ID, the amount, the date, the IBAN and the tax rate carry different weight if they fail. Critical fields require mathematical validations and cross-checks against the master data.
AI does not decide on its own whether a document is legitimate.
Forecasting
Demand or cash-flow forecasting must always be benchmarked against simple methods. The reference metrics are:
- Absolute error.
- Systematic bias.
- Coverage.
- Stability.
- Cost of overestimation and underestimation.
If the model does not beat a simple baseline, it doesn't justify the added complexity.
Agents with tools
An agent can check stock and draft a purchase order, but it must not approve the purchase without limits. Every tool separates read from write and defines a maximum amount, approved vendors and idempotency.
OWASP identifies excessive agency as a risk specific to these systems. Controls must live outside the prompt, not inside it.
Human oversight
The approval screen must always show:
- The proposed action.
- The source data.
- The rule applied.
- The exact changes.
- The impact.
- The alternative.
- Whether it can be reverted.
Rubber-stamping is not oversight.
Permissions
The agent uses its own identity, never that of an administrator. Permissions are restricted by:
- Company.
- Module.
- Operation.
- Amount.
- Time window.
- Environment.
- Recipient.
A person's termination or role change must automatically revoke the permissions of their associated agent.
Security
The main threats to watch are:
- Prompt injection in invoices or emails.
- Fake vendor.
- Data extraction.
- IBAN change.
- Duplicate actions.
- Contaminated memory.
- Information leakage between companies.
Allow-lists, segregation, multi-factor authentication, validation and alerts are applied. Text embedded inside a document cannot override the system's instructions.
Traceability
Every execution must log:
- Model and version.
- Prompt and policy applied.
- Data queried.
- Tools used.
- Arguments.
- Validations performed.
- Approval.
- Result.
- Cost and latency.
Logs are minimised and protected.
Quality and regression
The test suite must cover closings, taxes, refunds, duplicates, incomplete data and attacks. It runs every time the model, the prompt, the connector or the ERP version changes.
Critical classes have zero tolerance.
Cost and ROI
Cost per valid task is calculated by adding up model, infrastructure, integration, review, support and incidents. Theoretical savings don't count if they end up increasing rework.
90-day plan
Days 1-30
Scoped use case, baseline, data and permissions.
Days 31-60
Integration, testing, logs and oversight.
Days 61-90
Pilot, metrics, risk and decision.
Common mistakes
- Turning on features without an owner.
- Granting the agent administrator permissions.
- Relying on poor-quality master data.
- Measuring speed alone.
- Allowing direct writes to the ERP.
- Not validating IBAN and taxes.
- Approving by default.
- Not versioning prompts.
- Mixing data across companies.
- Scaling without regression tests.
Checklist
- Use case and baseline defined.
- Data and master records reviewed.
- Identity and permissions configured.
- Tools bounded.
- Deterministic validation implemented.
- Effective oversight in place.
- Adversarial security considered.
- Logs and versions controlled.
- Cost per valid task calculated.
- Kill-switch plan defined.
Frequently asked questions
Can AI post accounting entries automatically?
It can prepare journal-entry proposals. Full automation depends on risk, rules, accumulated evidence and human approval.
Can AI make payments?
It shouldn't, without strict controls, amount limits and dual approval outside the model itself.
Does AI replace BI?
No. BI describes and monitors; AI can forecast or assist, but it needs quality data and metrics to do so reliably.
At Summum Sistemas we help integrate AI into the ERP with permissions, testing and oversight suited to each risk level.