AWS ERP agent controls turn identity and deny-by-default rules into KYA evidence

ERP automation is becoming a practical test case for Know Your Agent. When an AI agent can resolve finance exceptions, create parked journal entries, call SAP-connected tools, and escalate material cases to a person, compliance teams need more than a productivity story. They need proof of agent identity, mandate, tool scope, policy enforcement, human approval, and immutable audit state.

Daily signal: Discord tech-intel channel 1468032405695627386 was readable through the OpenClaw Discord path, but its last-24-hour digest surfaced only broad tech items such as ChatGPT Work and EU Chat Control, not a high-relevance KYA finance topic. Web fallback found Help Net Security coverage of AWS Agentic AI Solutions Framework for SAP use cases, including separate agent identity, OAuth identity switching for human intervention, Cedar deny-by-default authorization, immutable DynamoDB state, CloudWatch monitoring, and human escalation thresholds. This is a platform-control signal, not formal Know Your Agent adoption by AWS, SAP, a regulator, or an exchange.

Why this matters for KYA

Accounts receivable matching, blocked invoices, purchase-order approvals, month-end close, and intercompany reconciliation are not abstract AI demos. They sit inside regulated finance operations, accounting controls, audit evidence, outsourcing reviews, and financial-statement risk. If an agent can read standard operating procedures, retrieve live ERP data, decide which workflow applies, call SAP-connected tools, and prepare entries for approval, then the agent is an operational actor inside the finance control environment.

The notable KYA signal is the separation of agent action from human action. Help Net Security described autonomous work using the agent's own service account through OAuth 2.0 two-legged authentication, while human intervention switches to three-legged authentication carrying the person's verified identity into the target system. That distinction is central to KYA: the audit record should show whether a finance outcome was agent-initiated, human-approved, policy-blocked, or escalated because confidence or materiality thresholds were not met.

Deny-by-default authorization is the second signal. Cedar policies can evaluate the principal, tool, resource, and request context before a call reaches SAP. A rule may allow purchase-order reads while limiting journal-entry posting to a defined amount. For KYA, that means mandate evidence can become executable policy rather than a static procedure document.

Screenshot-ready KYA compliance comparison table

KYA dimensionWeak ERP-agent postureKYA-ready finance-agent postureEvidence reviewers should expect
Operator identityThe agent is treated as an automation feature inside ERP, with unclear separation between vendor platform, deploying company, workflow owner, service account, model runtime, and human approver.The KYA file binds the ERP agent to the legal operator, finance-control owner, service account, runtime, model/tool version, connected systems, escalation owner, and accountable executive.Agent ID, service account, runtime and model version, SAP or ERP tenant, workflow owner, controller, deployment approval, change log, human approver roles, revocation path.
Agent mandateThe agent is broadly allowed to resolve exceptions or follow SOPs, but the mandate does not separate advisory mode, supervised execution, autonomous execution, parked entries, approvals, and rejected cases.The mandate states which exception classes the agent may read, classify, draft, post, park, escalate, or reject, with thresholds for confidence, materiality, timing, and human review.SOP version, mandate version, exception taxonomy, approval threshold, autonomous-resolution threshold, materiality limit, blocked-task list, expiry date, exception approval, policy test results.
Wallet and custodyThe workflow is framed as accounting automation only, so downstream value movement, bank matching, treasury, payment, journal, and reconciliation authority are not mapped to the agent record.The KYA file states whether the agent can affect cash application, invoice status, journal entries, payment release, treasury movement, customer balances, settlement records, or custody evidence.Value-impact classification, bank-payment matching scope, journal-entry limit, payment-release prohibition or approval path, treasury-system boundary, custody or settlement link, rollback process.
Tool and venue accessSAP OData, MCP servers, email workflows, data stores, dashboards, and finance tools are connected as one automation surface, with inherited or overbroad permissions.Each tool is classified by read, classify, draft, park, post, notify, export, or escalate, and calls are denied by default unless identity, resource, amount, and context match policy.Tool inventory, SAP endpoint list, MCP server scope, email/escalation scope, Cedar or equivalent policy, request context, amount limit, allowed resource list, denied-call log.
Audit trailThe system records an ERP update, but reviewers cannot reconstruct the SOP section, retrieved data, reasoning trace, tool call, policy decision, human response, and final resolution as one evidence chain.Immutable, append-only state links exception intake, SOP retrieval, reasoning trace, authenticated tool invocation, policy decision, escalation, human approval, resolution outcome, and monitoring alert.Run ID, exception ID, SOP version, retrieved data snapshot, reasoning trace, tool-call log, policy result, human decision, parked-entry ID, final outcome, CloudWatch or SIEM alert, retention status.
Security and abuseControls depend on ERP login, broad service-account trust, or after-the-fact review, with limited protection against prompt drift, SOP tampering, overbroad posting authority, or anomalous behavior.The agent uses approved SOP retrieval, controlled model settings, runtime guardrails, cross-verification, least privilege, deny-by-default policy, anomaly monitoring, human escalation, and rapid revocation.SOP approval, prompt and retrieval controls, guardrail result, verification output, least-privilege review, anomaly alert, escalation ticket, revocation record, incident response, regression test.
Jurisdiction fitThe same ERP-agent workflow is reused across entities without mapping SOX controls, local accounting rules, data residency, outsourcing, audit retention, privacy, and financial-reporting obligations.The KYA file maps entity, country, ledger, accounting standard, audit-control rule, data location, outsourcing chain, record-retention duty, and supervisory or auditor escalation before launch.Entity and country matrix, SOX or local-control mapping, ledger scope, accounting-policy note, data-residency setting, outsourcing review, privacy review, retention schedule, auditor evidence pack.

The compliance lesson

The important shift is not that an agent can read procedures. It is that a procedure can become a live policy boundary for a machine actor. If finance teams want agents to move from advisory mode to supervised execution and then to autonomous resolution, the KYA file must make each step auditable before the confidence bar is raised.

In crypto, payments, and exchange operations, the same control pattern applies to reconciliations, listing operations, settlement exceptions, market-maker invoices, exchange API key workflows, stablecoin treasury operations, and customer remediation queues. A KYA-ready agent should not inherit broad system access because a human finance user has it. It should have its own identity, its own mandate, its own deny rules, and its own reconstructable audit trail.

Practical KYA checklist

Bottom line

Finance-agent control is becoming concrete. Separate agent identity, human identity switching, deny-by-default policy, immutable state, and staged autonomy are exactly the evidence fields KYA needs. A firm should be able to prove not only that an ERP agent completed a task, but why it was allowed to act, which identity acted, where the human stepped in, and how the full decision path can be audited.

Sources reviewed: Discord tech-intel channel 1468032405695627386 daily digest (July 10, 2026); Help Net Security, "AWS gives its ERP agent deny-by-default rules and a separate identity" (July 10, 2026); Brave, "BAT Roadmap 4.0" (July 2026); MetaMask, "Why every AI agent needs a wallet" (July 8, 2026); TechTimes and Crypto Economy coverage of XRPL AI payments (July 9-10, 2026). These are platform, security, wallet, and market-structure signals, not formal regulatory adoption of Know Your Agent.