
Time for tech to reconsider ERP compliance

 

Executive Summary

 

ERP systems play an important role in helping tech firms meet regulatory compliance demands, but new AI capabilities embedded in ERPs can introduce some compliance concerns of their own. Review any new AI capabilities released for an ERP platform to determine whether and how to implement them, now and in the future. Reviews must fully recognize and mitigate AI risks, with a focus on continued compliance. But hold this in the balance: Firms need to understand the significant potential of AI capabilities when paired with ERP and other enterprise systems. Avoid a mindset of permanently blocking these powerful capabilities; instead, recognize their risks so that their potential can be safely achieved.

 

Tech firms live in a complex regulatory environment. To meet requirements for governance and reporting, many use their ERP systems — but those systems now have powerful AI capabilities that could require a fresh compliance review.

 

“Vendors are rolling out a range of AI enhancements and improvements to SaaS-based ERP solutions on a quarterly basis,” said Grant Thornton Technology Modernization Managing Director Orry Frye. “Companies need to perform due diligence of new capabilities to ensure these solutions and platforms will not introduce additional risk to the organization, and to align solutions with value-driven use cases that address business challenges.” Firms want to avoid creating risks, but they also need to recognize the valuable potential of new AI capabilities.

 

How can tech firms identify the risks and ensure continued compliance, while recognizing the potential of an AI-driven ERP?

 
 

Start with a review

 
 

“First you need to understand the new capability and validate whether it's going to work within your existing structures and processes,” Frye said. “If not, then you might need a process redesign.”

 

When firms apply a new capability to an existing or redesigned process, they need to ensure the functionality meets expected standards without introducing any new errors or risks. They need a controlled approach to put functionality into production and maintain it going forward.

 

SaaS vendors often disable new capabilities by default, allowing firms time to test each capability before beginning a controlled rollout. Firms might need to perform a fit-gap analysis of capabilities across a range of key business processes, especially when implementing a new ERP system overall. “For new platform capabilities, you need to perform due diligence through a full vetting and regression test of the processes and procedures that support business operations and the control environment,” Frye said. An ERP might not control the development of your products, but it likely stores sensitive data about customers, vendors and finances. Look for new features in these areas to drive greater efficiency and insights.

 

 

 

ERP features commonly disabled by default

 

  • Advanced integrations with external platforms: ERP systems increasingly integrate with CRM, billing and other business applications. To prevent uncontrolled data flow, firms need to test and configure these integrations before enabling them.
  • Data sharing and cross-tenant access: Features that enable data sharing across business units or external partners are often disabled or restricted, especially in SaaS ERP environments where data privacy and tenant isolation are critical. Before firms enable these features, they need to validate that they will not violate compliance standards like GDPR.
  • Workflow automation and job scheduling: Automated job schedulers and workflow engines are powerful, especially with AI technology, but they can pose risks if misconfigured. Firms need to confirm that the workflow logic and roles align with business processes before they enable the capabilities.
  • Role-based access and segregation of duties: Features that allow users to perform multiple roles, such as development and security administration, are typically disabled to prevent conflicts and give firms a chance to tailor granular access controls that align with their unique segregation of duties.
  • Compliance-related modules: Modules that support regulatory reporting, audit trails or legal risk management may be available but not activated until the firm maps its compliance requirements and validates the module’s configuration.

New releases might initially disable new AI-driven functions across the platform — including predictive analytics, automated decision-making and intelligent workflows. These are powerful functions that many firms should consider implementing, but only after conducting thorough due diligence across all affected processes to ensure compliance and weigh other risk factors.
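As an added example (not from the article or from Grant Thornton), a small segregation-of-duties check of the kind a team would run before enabling the role features described above: it expands inherited ERP roles and flags any user who holds a conflicting pair, such as development plus security administration. The role names, conflict pairs and user assignments are constructed for illustration.

```python
# Added example: segregation-of-duties (SoD) check over ERP role assignments.
# Role names, conflict pairs and the sample user data are constructed.

# Composite roles inherit other roles (a common ERP authorization pattern).
ROLE_INHERITANCE = {
    "APP_DEVELOPER": {"CHANGE_TRANSPORT"},
    "SECURITY_ADMIN": {"USER_ADMIN", "ROLE_ADMIN"},
    "AP_CLERK": {"VENDOR_MAINTAIN", "INVOICE_ENTRY"},
    "AP_MANAGER": {"PAYMENT_RELEASE"},
    "FINANCE_SUPER": {"AP_CLERK", "AP_MANAGER"},
}

# Pairs of effective roles that one user must never hold together.
SOD_CONFLICTS = {
    frozenset({"CHANGE_TRANSPORT", "USER_ADMIN"}),      # development + security admin
    frozenset({"VENDOR_MAINTAIN", "PAYMENT_RELEASE"}),  # create a vendor and pay it
    frozenset({"INVOICE_ENTRY", "PAYMENT_RELEASE"}),    # enter an invoice and pay it
}


def effective_roles(assigned):
    """Expand directly assigned roles through inheritance (cycle-safe)."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_INHERITANCE.get(role, ()))
    return seen


def sod_violations(user_roles):
    """Return {user: [sorted conflicting pairs]} for every user with a conflict."""
    findings = {}
    for user, assigned in user_roles.items():
        eff = effective_roles(assigned)
        hits = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= eff]
        if hits:
            findings[user] = sorted(hits)
    return findings


SAMPLE_ASSIGNMENTS = {  # constructed sample extract of a user-role report
    "alice": ["APP_DEVELOPER"],
    "bob": ["APP_DEVELOPER", "SECURITY_ADMIN"],  # conflict via inherited roles
    "carol": ["FINANCE_SUPER"],                  # conflict hidden in a composite role
    "dave": ["AP_CLERK"],
}

if __name__ == "__main__":
    for user, pairs in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(user, pairs)
```

The inheritance expansion matters: carol's conflict is only visible once the composite role is unpacked, which is exactly the case a report of direct assignments misses.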

 
 

Consider AI risks

 
 

Most firms need to consider AI-driven ERP functions for their transformation roadmap, but they also need to plan function implementations with an awareness of the risks. It’s important to take measures that ensure compliance in the initial implementations, as well as any future activations or integrations.

 

 

 

Machine learning data weaknesses

 

With machine learning capabilities, the system can revise its model by learning from itself, from user interactions and from other data sets. “You need to make sure that the data it’s pulling in has been validated, is trustworthy and that there’s human intervention in the process,” Frye said. Without human intervention, a model can drift toward misguided conclusions or hallucinations.

 

 

 

Hallucinations

 

“AI technologies have gotten pretty good at helping users aggregate data that's contained in the ERP system,” Frye said. But as AI solutions gather data and draw conclusions, they can be subject to hallucinations that produce seemingly irrational outputs. Even if a solution has controls that reduce hallucinations, firms need to consider data integrated from non-ERP solutions, which those controls may not cover.

 

 

 

Insufficient automation controls

 

“Modern ERPs can get insights and data from the system, leveraging AI and automation functionalities,” Frye said. When AI and automation technology gathers data and draws conclusions, it can save time and effort — but it’s especially important to include controls and human intervention in such systems. Automations can connect to customer relationship management systems, external billing platforms or other solutions to save significant time, as long as sufficient controls are in place.

 

 

 

Insufficient framework isolation

 

Firms need to ensure that AI frameworks are configured with the necessary isolation in the data they analyze and the models they implement. “Ensure that you have accountability for the AI frameworks that the platform is using,” Frye said. “When a solution is providing insights, make sure it is using the correct datasets, and the AI models are not expanding into other companies that operate on that same platform but in a different tenant.”

 

Complexity increases in an environment with significant merger and acquisition activity. One firm might be operating across multiple entities and multiple geographies with different solutions and requirements. Firms might have disparate ERP systems in their environments, and they need to be thoughtful about how to configure solutions to work cross-company and cross-geography.

 

 

 

Data privacy complexities

 

Even if companies have data privacy measures in place, new AI capabilities can expand data connections and introduce risks. Firms need to work with software vendors to confirm that new AI capabilities maintain data privacy. “Data privacy expansion is a key factor,” Frye said. “You want to have that structured legally in your contracts so that, if there is a breach, you have recourse to action.”

 

Firms also need to be mindful of any integrations they build into a platform, and how the systems access or share data out of the ERP system with other platforms or systems they use and operate. Integrations require structures and controls designed to fit the consumption of source data, where it is going and what systems are using it.

 

“A lot of SaaS solutions are very robust and do have their own mechanisms to ensure privacy of the data, so that’s helpful,” Frye said. “But firms cannot minimize the impact that a breach could have.”

 

When tech firms understand the potential risks of AI-driven ERP capabilities, they can identify the roles and actions that help ensure ongoing compliance. “There are two parts: You need to have the right governance structures in place, and then you need to have the mechanisms to test and ensure you have a secure control environment,” Frye said.

 
 

Check for compliance

 
 

When tech firms implement an ERP system’s AI-driven capabilities, who’s responsible to ensure that the system remains compliant?

 

 

 

AI compliance roles

 

Small start-ups might have limited back-office staff where individuals wear multiple hats. These small teams might fail to sufficiently address new risks — but a larger company might fail to adequately address risks because its ERP system or systems extend data to a larger number of integrations, teams and users.

 

Firms should establish AI governance boards responsible for establishing processes, frameworks, rules of engagement and other measures to manage risks related to AI. It’s important to engage the board for new AI-driven ERP enhancements and identify where and how the firm must manage risks beyond the controls already in place.

 

To evaluate new ERP AI capabilities, teams can use a checklist that covers important concerns.

 

 

 

ERP compliance checklist

 

1. Data governance and privacy

  • Centralized data management with role-based access controls
  • Automated data retention and deletion policies
  • Audit trails for data access and changes
  • Encryption of sensitive data at rest and in transit
  • GDPR, CCPA and HIPAA compliance modules

2. AI and algorithmic accountability

  • Tracking and documentation of AI model inputs and outputs
  • Version control for AI models and training datasets
  • Bias detection and explainability tools integrated into workflows
  • Compliance flags for high-risk AI use cases, such as facial recognition

3. Cybersecurity and incident reporting

  • Real-time monitoring of system vulnerabilities
  • Automated alerts for suspicious activity
  • SEC-compliant incident disclosure templates
  • Integration with SIEM or third-party security platforms

4. Supply chain and vendor compliance

  • Supplier onboarding with compliance documentation tracking
  • Conflict minerals and forced labor screening tools
  • Export control and sanctions compliance checks
  • ESG and sustainability reporting capabilities

5. Regulatory horizon scanning

  • Integration with regulatory update feeds or APIs
  • Automated workflow updates triggered by new regulations
  • Role-based alerts for compliance teams

6. Internal controls and audit readiness

  • Segregation of duties enforcement
  • Automated approval workflows for financial and operational processes
  • SOX compliance support, such as change management logs
  • Customizable audit report generation

7. Youth protection and content moderation (if applicable)

  • Age verification and parental consent tracking
  • Content flagging and moderation workflow integration
  • Compliance with online safety laws
 
 

Recognize the potential

 
 

Even as firms are cautious about implementing AI capabilities, it’s important to recognize their potential. When empowered by the comprehensive data and integration of an ERP system, these capabilities can give a tech firm differentiating advantages.

 

Strategic insights can be realized by aligning data across enterprise platforms (e.g., for customers, vendors, transactional detail and contracts), giving the business a better understanding of trends, opportunities and challenges. Frye identified several questions that AI can dynamically analyze with greater depth than before:

  • What are customers buying and what market factors are impacting trends?
  • Where are opportunities to expand customer relationships?
  • What market sectors are you performing well in?
  • What industries are you performing well in, and which ones are you not?
  • Where do you need to make a concerted effort to expand or build out campaigns?
  • What are potential additional revenue opportunities to grow the business?

“ERP systems are becoming more flexible in how they capture data throughout the business lifecycle,” Frye said, so ERPs with embedded AI can answer dynamic questions like “How much have we billed this customer over the last five years, and what specific products are they more likely to buy from us?” or “Where can we expand and try to sell them additional services?”

 

“It complements a customer relationship management system that’s focused on the customer relationship, providing the backing to say where the company can expand in a market based on data from the ERP that establishes where the firm is performing well or not,” Frye said.

 

 

 

The future vision

 

“Really, you want an ERP system to help drive insights for management, to identify markets and industries that are untapped or ripe for expansion, designing strategies to target those opportunities,” Frye said. That’s where AI-driven capabilities can tap into the ecosystem of enterprise platforms to help highlight unmet needs and drive growth. Using the data in these connected systems, AI capabilities can also help firms analyze current customers, understand how to prioritize new initiatives and dynamically derive financial performance metrics about areas where initiatives need to grow or contract.

 

“It’s important for firms to think holistically about their entire enterprise application environment,” Frye said, and AI capabilities can play an essential part in integrating ERP solutions across that environment.

 

“Companies can start to reimagine what their enterprise system footprint looks like — across CRMs, ERPs, human capital management systems, operational platforms and more,” Frye said. “Advanced functionalities in the ERP system really help to empower that consolidated view of the enterprise system footprint, where capabilities can complement each other to drive additional revenue and growth.”

 
 
