7 Comments
Josh Devon

Love this use case, and I’m curious how you’re thinking about mitigating the lethal trifecta here.

Untrusted input (vendor names, memo fields, invoice text all originate outside the org), sensitive data (GL detail, materiality, JE logic), and external action (writes workpapers, posts to Slack, drafts JEs). All three in one agent puts it at risk for data exfiltration.

Anyone who can submit an invoice can potentially get instructions into a memo or description field the agent reads. And even without an attacker, the agent might get confused or try to be helpful in an unintended way and leak data.

The human reviewer is a good control, but they’re checking output after the agent has already taken action. Subtle manipulation (wrong account, plausible-but-wrong vendor coding) might be hard for a human to catch.

OnlyCFO

For sure. This is just the recon process so separate from the AP process but I will share what I am doing in AP soon 😎

Byblos Digital

okay this is the kind of post that makes us want to go rebuild our internal stack tonight. thank you for actually writing out the config-vs-skill split

OnlyCFO

Trying to write helpful stuff and not just fluff!

Danielle Gillespie

This is the use case I point to when founders ask where to start with agents. Not a horizontal copilot or AI-assisted dashboards. One specific bottleneck with clear inputs, clear success criteria and a high cost of doing it manually.

Instead of shopping for AI products, teams should be mapping their most expensive recurring friction first.

Andrew

Love the practical breakdown of building agents for accounting workflows! Connecting an MCP straight to an ERP is incredibly powerful, but it exposes a couple of serious infrastructure and security gaps—mainly prompt injection via untrusted inputs (like vendor invoices/memos) and the lack of deterministic execution guards over sensitive ledger data. You might want to try it with something like https://docs.withaileron.ai to add governance and runtime constraints.

SourceMind AI

The MCP-to-ERP connection is the unlock that most finance teams miss — but there's a procurement risk embedded in it. Most ERP contracts (NetSuite, SAP, Oracle) have API call limits defined in the base license, and agent-level automation burns those at a rate orders of magnitude higher than human user sessions. Several major ERPs are now moving to agent-tier API pricing. The build-vs-buy ROI on this changes significantly if your ERP vendor starts metering agent calls.

At SourceMind AI we track exactly these vendor pricing shifts — including how accounting AI platforms compare to build-your-own on total cost of ownership at 50-500 person companies. sourcemind.substack.com