AWS Agentic Standard Operating Procedures (SOPs) for ERP Automation

6 hours ago 4

According to recent research (McKinsey), large number of manual interventions ripple through enterprise ERP systems worldwide every month. For example – in a global manufacturing firm where incoming bank payments remain unmatched to invoices for days, degrade cash flow and inflate days sales outstanding as accounts receivable (AR) teams manually reconcile hundreds of transactions daily. Now imagine proposing to your Internal Controls manager that “AI will reconcile and post these payments automatically.” The inevitable response: “How do you know it won’t make mistakes?” Trusting AI to successfully execute complex business process remains one of biggest challenges many users are facing today.

Even sophisticated built-in automations like SAP’s three-way match fall short, with manual interventions spanning invoice exceptions, purchase order (PO) approval blocks, month-end close, and intercompany reconciliations across virtually every industry. Earlier automation approaches fared no better. Robotic Process Automation (RPA) automated UI clicks but broke when screen layouts changed. Classical ML could predict exceptions but not resolve them.

Your IT landscape keeps getting more complex with a sprawling patchwork of SAP instances, legacy systems, cloud services, and third-party applications, each with incompatible protocols and fragmented data. SAP serves as the validated core of financial reporting. Any cross-system automation must therefore enforce secure access controls, verified user identities, and complete audit trails to satisfy Sarbanes-Oxley Act (SOX), ISO, and internal audit requirements.

What has changed is the emergence of foundation models that can reason over unstructured procedures, invoke tools across system boundaries, and maintain context across multi-step workflows.

Resolving these exceptions at scale requires Agentic Standard Operating Procedures (SOPs): a single, unified AI-driven agent that interprets enterprise procedures from a knowledge base and autonomously resolves multi-step exceptions across SAP and non-SAP systems. Human-in-the-loop controls engage where judgment or approval is required.

Agentic AI offers a compelling path forward, but it introduces a new challenge: agents are proliferating faster than you can govern them. Building agents that securely integrate across fragmented systems is complex and costly. Rather than an unconstrained “build an agent for every problem” approach, you need a structured framework that matures incrementally, delivers value at each stage, and earns human trust progressively.

This post introduces the AWS Agentic AI Solutions Framework for SAP use cases, a production-grade approach built on five core capabilities: progressive trust with human-in-the-loop controls, a unified SOP-driven agent architecture, a guarded MCP server for deterministic and auditable actions, identity-aware security and compliance, and persistent state management for audit-grade documentation. It then walks through a reference architecture and technical best practices for deploying this framework against SAP environments using Amazon Bedrock AgentCore.

Working with customers across industries and lines of business, AWS has converged on a set of core capabilities customer’s agentic AI system must deliver to operate safely and effectively in enterprise ERP landscapes. The reference architecture in the next section addresses each of these capabilities.

Earn trust progressively while reducing risk: Agents start in advisory mode, where humans take every action. As confidence builds, agents move to supervised execution, and eventually to autonomous resolution, acting independently only when confidence exceeds a defined threshold. You expand automation only as fast as you establish trust.

Deploy one agent for all your processes: Instead of building a separate agent for every business process, a single agent dynamically interprets and executes SOPs from a curated knowledge base, invoking the right tools at runtime based on exception type and process context. Your business teams author and own the SOPs in natural language, so changes require an SOP update, not a code redeployment. The agent treats SOPs as reasoning context, not rigid rules, and keeps every step deterministic and auditable through curated prompts, structured tool orchestration, and guardrails.

Get consistent, repeatable outcomes: The same input must produce the same output every time. Because large language models are probabilistic by nature, achieving determinism (preventing the model from hallucinating or producing inconsistent results) requires deliberate controls. The solution enforces this through controlled model parameters, structured prompt engineering, retrieval from authoritative SOP content and live system data to prevent hallucination, runtime guardrails for policy and grounding validation, and multi-agent cross-verification of recommendations before action is taken.

Know exactly who did what, and when: You must attribute every agent action to the right identity. When the agent acts autonomously, it authenticates with its own service account; when a human intervenes, the system switches to the human’s verified identity. This separation lets your compliance team distinguish agent actions from human-approved actions. Every tool invocation, data read, and action is logged with a tamper-evident trail that satisfies SOX, ISO, and internal audit requirements.

Satisfy auditors and operations teams from day one: A dedicated persistent state layer captures the complete exception lifecycle: agent reasoning traces, tool invocations with authenticated identities, human escalation events, and resolution outcomes, all as immutable, append-only records. Real-time observability monitors agent performance and alerts operations teams when behavior deviates from expected baselines.

At a high level, the architecture detects ERP exceptions on a schedule, invokes an AI agent to retrieve the relevant SOP and resolve the exception across SAP and connected systems, and logs every step for audit compliance. When confidence is low or approvals are required, the agent escalates to a human and resumes once they respond.

Figure 1 below illustrates the end-to-end architecture. The architecture has three boundaries: your SAP environment, the AWS Cloud, and an optional user interface. Here is how a single exception flows through the system, from detection to resolution.

SOP Agent Architecture

    1. Exception Detection: Amazon EventBridge triggers an AWS Lambda function on a configurable schedule (default: every five minutes) that polls SAP OData services for new exceptions: blocked invoices, unmatched payments, missing accruals, or any exception type your SOP defines.
    2. State Initialization: The poller writes each new exception to an Amazon DynamoDB state table with a status of detected, capturing the minimum context needed for resolution (PO number, general ledger (GL) account, cost center). Deduplication checks prevent the same exception from being processed twice.
    3. Agent Invocation: The system invokes the agent, either autonomously via a DynamoDB Streams trigger or manually through a user interface. The agent runs on Amazon Bedrock AgentCore, a fully managed service for building, deploying, and scaling AI agents, and the agent framework is Strands, AWS’s open source agentic SDK.
    4. Tool Connectivity: to give your agent access to SAP and other systems without custom integration code, it connects through one of two managed paths:
      • An MCP server hosted on AgentCore Runtime (included in the sample code)
      • AgentCore Gateway for managed, governed tool access at scale
    5. SOP Retrieval: to verify every resolution follows your approved process, the agent’s first tool call retrieves the relevant SOP from an Amazon Bedrock Knowledge Base, a fully managed RAG capability that indexes, chunks, and retrieves enterprise content, establishing the decision tree for the exception type it is handling.
    6. SAP Execution: to eliminate hardcoded API mappings and reduce your maintenance burden, the agent uses a second Knowledge Base containing SAP OData API specifications, to discover the correct endpoints and fields at runtime, then executes read and write operations against SAP. This prevents hallucinated API calls. The agent only invokes endpoints it can find in the documentation.
    7. Audit Trail: at each step, the agent appends to an immutable processing_history list in DynamoDB, capturing:
      • Reasoning traces: step-by-step logic and SOP sections retrieved
      • Tool invocations: inputs, outputs, timestamps, and authenticated identity
      • Resolution outcomes: final action taken and SAP transaction references
      • This append-only log (records can be added but never modified or deleted) is the tamper-evident audit trail for SOX and internal audit compliance.
    8. Human Escalation: if the exception requires human judgment (the amount exceeds a materiality threshold, or the agent’s confidence is below a defined level), the agent sends a structured escalation email via Amazon SES, updates the case status to awaiting_human_input, and stops.
    9. Human Response: when the human replies, SES stores the email in Amazon S3, which triggers a Lambda function that parses the full email thread and re-invokes the agent with the response. The agent picks up exactly where it left off, with full context continuity.
    10. Interface Layer: The user interface is intentionally thin and swappable. The sample code ships with a Streamlit dashboard, but any client that can invoke the AgentCore runtime endpoint works:
      • A React or custom web app
      • An SAP Fiori tile for native SAP integration
      • Amazon Quick Apps: for governed, no-code approval experiences
      • No interface at all: for fully autonomous operation

Example: Automating purchase order accruals at scale. A global manufacturer applied this framework to manage over $250 million in custom tooling purchases across 1,000+ active POs. The agent autonomously retrieves the applicable SOP, resolves each PO through the appropriate workflow, and creates parked journal entries in SAP for finance approval. A process that previously consumed over 30 days of manual work per close cycle now completes in minutes per PO.

An agentic system that works in a demo is straightforward. Production-grade reliability, auditability, and cost-effectiveness require deliberate engineering choices. The following practices, drawn from production deployments, address the most common gaps.

Determinism

The same input must produce the same output. You achieve this through layered controls, not any single mechanism:

  • Structured prompts: Use explicit templates, system-level rules, behavioral hooks, and output format constraints to anchor reasoning to defined patterns.
  • Retrieval-Augmented Generation (RAG): ground every response in retrieved SOP content and live system data via Amazon Bedrock Knowledge Bases, so the agent reasons from authoritative sources rather than parametric memory.
  • Runtime guardrails: apply Amazon Bedrock Guardrails for context grounding verification and policy-based content filtering.
  • Multi-agent cross-verification: where the stakes are high, use a supervisor agent to orchestrate specialized sub-agents that cross-verify recommendations before action is taken.

Identity Propagation

You must attribute every agent action to the right identity. The architecture supports a dual-identity model:

  • Autonomous operations: the agent authenticates with its own service account via OAuth 2.0 two-legged (2LO) authentication, establishing a machine-to-machine trust relationship with each downstream system.
  • Human-in-the-loop operations: AgentCore Identity transitions to OAuth 2.0 three-legged (3LO) authentication, propagating the human’s verified identity through the agent to the target system.

This separation lets your compliance team unambiguously distinguish agent-initiated actions from human-approved actions in the audit log, a core SOX controls requirement.

Fine-Grained Authorization with Cedar Policies

Knowing who is acting is necessary but not sufficient. You also need to control what each identity can do. AgentCore Policy uses Cedar, AWS’s open source authorization language, to enforce fine-grained permissions on every agent-to-tool interaction routed through AgentCore Gateway. Cedar policies evaluate four attributes:

  • Principal identity: OAuth claims such as username, role, or scope (from the 2LO/3LO identity model above)
  • Action: the specific tool being invoked (for example, invoke_sap_odata_service or send_email)
  • Resource: the Gateway the request is routed through
  • Request context: tool input parameters, enabling attribute-based access control (for example, restricting write operations to invoices below a dollar threshold

The system denies all actions by default. You author policies in Cedar syntax or in natural language. AgentCore Policy interprets plain-English rules, generates candidate Cedar policies, and uses automated reasoning to flag overly permissive or restrictive policies before enforcement. For example, you can enforce rules like “the agent may read any PO but may only post journal entries below $50,000”, deterministically at the Gateway layer, before the tool call reaches SAP. For common patterns, see AgentCore Policy documentation.

Prompt Improvement

The system prompt is where determinism starts. Three patterns matter most:

  • Explicit compliance framing: Frame SOP compliance as non-negotiable using explicit priority signals (all-caps labels, mandatory language). This reduces the likelihood of the model “optimizing” the workflow in ways that violate the procedure.
  • Anti-hallucination guardrails: Instruct the agent to stop and escalate rather than simulate evidence or approval when blocked waiting for human input. This directly addresses one of the most dangerous failure modes in agentic systems.
  • Exemplars: Include concrete examples of correct behavior, date calculation formats, escalation email templates, OData query patterns, directly in the prompt. The agent performs better with reference implementations than when generating from scratch.

Iterate on prompts using real exception data and track output quality across versions.

Evaluations

Agentic systems require evaluation at multiple levels:

  • Unit-level: Test individual tool calls for correctness. Does the OData query return the expected fields? Does the email contain the right context?
  • End-to-end: Test complete workflows against known exception scenarios with expected outcomes. Build a regression suite from resolved cases so that prompt or SOP changes do not degrade existing behavior.
  • Operational metrics: Track what matters for your business: resolution accuracy, escalation rate, time-to-resolution, and false positive rate.
  • Real-time monitoring: Use Amazon CloudWatch GenAI observability capabilities for AgentCore to monitor model invocation latency, token consumption, tool call success rates, and confidence score distributions.

Cost Optimization

To keep per-exception costs predictable as you scale:

  • Right-size the model: Use smaller models for routine exceptions; reserve larger models for complex cases.
  • Cache frequently retrieved content: SOP documents and API documentation that rarely change can be cached to reduce Knowledge Base query volume.
  • Intelligent prompt routing: Use Amazon Bedrock’s prompt routing to automatically select the most cost-effective model for each invocation.
  • Operational resilience: implement exponential backoff with jitter at peak volumes and track token consumption by exception type for cost visibility.

Observability and State Management

To satisfy both your operations team and your auditors, production agentic systems need three layers of state:

  • Short-term session memory: maintains context within a single resolution: conversational history, tool call results, and intermediate reasoning.
  • Long-term memory: via AgentCore Memory persists learned patterns across sessions. For example, recognizing a vendor that consistently triggers exceptions due to a known PO format issue.
  • Persistent audit-grade state: in DynamoDB captures the complete exception lifecycle as immutable, append-only records: reasoning traces, tool invocations with authenticated identities, escalation events, human decisions, and resolution outcomes.

Agentic AI fundamentally reshapes the economics of ERP exception management. Rather than building and maintaining discrete agents for every process, organizations can deploy a single, SOP-driven agent capable of interpreting procedures at runtime, invoking the appropriate tools, and escalating to human judgment when conditions warrant. The progressive adoption framework verifies automation expands only as fast as trust is established, and the identity-aware architecture guarantees that you can fully attribute and audit every action, whether agent-initiated or human-approved.

The reference implementation is available as open source sample code, including the Strands agent, MCP server with SAP OData integration, DynamoDB state management, and the human-in-the-loop workflow. It ships with a Streamlit dashboard for visualization. Adapt it to your exception types by updating the SOP in the Knowledge Base, no code changes required.

To get started, download ERP exceptions management solutions from Github repository and set up AWS for SAP MCP Server for SAP OData integration.

For deeper dives into the services referenced in this post, see Amazon Bedrock AgentCore, Amazon Bedrock Knowledge Bases, and Strands Agents SDK.

About the authors

Sagar Tallapragada photo Sagar specializes in guiding enterprises through digital transformation at AWS, leveraging Agentic AI and Generative AI to automate business processes and modernize legacy systems. He focuses on SAP workloads, building tools and solutions that help customers migrate, modernize, and automate with AI. Outside of work, he balances his passion for technology with cherished moments spent with family, a deep love for Formula 1, and enduring admiration for Sachin Tendulkar’s cricketing legacy.
Zach Daniels photo Zach Daniels is a Solutions Architect at AWS, specializing in AWS for SAP with a focus on agentic AI applications for ERP. He works with customers to design scalable, well-architected SAP environments on AWS. Based in Seattle, he brings a background in startups and technical engineering to his work with enterprise customers.
Abhijeet Jangam photo Abhijeet is Data and AI leader with 20+ years of SAP techno functional experience leading strategy and delivery across multiple industries. He leads AWS SAP data analytics strategy, Agentic code modernization, AI-driven process automation initiatives. He enjoys hiking and skiing in Colorado mountains.
Read Entire Article