AWS releases agentic AI framework for SAP exception handling
Open-source toolkit automates invoice matching, PO approvals, and reconciliations while maintaining audit trails and human oversight.

AWS targets ERP exception handling with agentic framework
AWS has released an open-source framework designed to automate the manual exception handling that occupies finance teams at large enterprises. The AWS Agentic AI Solutions Framework for SAP use cases addresses tasks like matching bank payments to invoices, resolving blocked purchase orders, and completing intercompany reconciliations—work that traditional ERP automation leaves unfinished.
The framework runs on Amazon Bedrock AgentCore and uses Strands, AWS's open-source agentic SDK. A single AI agent reads standard operating procedures written in plain language, identifies the appropriate procedure for each exception, and executes the steps across SAP and connected systems. Business teams maintain the SOPs directly, so process changes require only updating the procedure document rather than modifying code.
Why it matters
Exception handling represents a stubborn automation gap in enterprise finance operations. While robotic process automation breaks when interfaces change and classical machine learning can only predict exceptions without resolving them, foundation models can reason through written procedures and maintain context across multi-step workflows. This framework demonstrates how agentic AI can tackle work that has resisted previous automation approaches while meeting the compliance and auditability requirements of financial systems.
Trust through progressive autonomy
The framework implements a staged trust model. Agents begin in advisory mode, where humans approve every action. As confidence builds, agents advance to supervised execution and eventually to autonomous resolution, acting independently only when confidence exceeds defined thresholds. This allows organizations to expand automation at the pace trust is established.
Determinism anchors the design. Because language models produce probabilistic outputs, the framework applies layered controls: controlled model parameters, structured prompts, retrieval from approved SOP content and live system data, runtime guardrails, and multi-agent cross-verification. Grounding responses in retrieved documents keeps agents reasoning from authoritative sources and reduces hallucinated API calls.
Audit trails and access control
Every action ties to an authenticated identity. During autonomous work, the agent uses its own service account through OAuth 2.0 two-legged authentication. When human intervention occurs, AgentCore Identity switches to three-legged authentication and carries the person's verified identity to the target system. This separation meets Sarbanes-Oxley requirements for distinguishing agent-initiated actions from human-approved ones in audit logs.
Cedar, AWS's open-source authorization language, governs permissions. Policies consider the principal's identity, the tool being called, the resource, and the request context, denying everything by default. Teams can write rules allowing an agent to read any purchase order but post journal entries only below specified dollar thresholds.
A dedicated state layer in DynamoDB captures the complete exception lifecycle as immutable, append-only records: reasoning traces, tool invocations with authenticated identities, escalation events, human decisions, and resolution outcomes.
Production deployment
A global manufacturer applied the framework to more than $250 million in custom tooling purchases across over a thousand active purchase orders. The agent retrieves the applicable SOP, resolves each order through the correct workflow, and creates parked journal entries in SAP for finance approval. Work that previously required over a month of manual effort per close cycle now completes in minutes per order.
The detection loop uses Amazon EventBridge to trigger a Lambda function on a schedule defaulting to every five minutes. That function polls SAP OData services for new exceptions and writes each to DynamoDB. When an exception meets the confidence threshold and requires no approval, the agent acts. When it crosses a materiality threshold or confidence runs low, a structured email goes out through Amazon SES and the case awaits a reply.
AWS published the reference implementation as open-source sample code on GitHub, including the Strands agent, an MCP server connected to SAP OData, DynamoDB state management, and the human-in-the-loop workflow. A Streamlit dashboard provides visibility into the process.
These details were first reported by Help Net Security.
This is an original analysis by the Omega editorial team. Source reporting: Automation Watch.
Want systems like this working for your business?
Book a Call
