By Errin O'Connor — Founder & Chief AI Architect, EPC Group · Microsoft Solutions Partner across all six designations · G2 Leader in BI consulting
Andrew Ng — the most influential AI educator alive, full stop — has spent the past two years teaching the industry a lesson that is now conventional wisdom: agentic workflows, where AI systems plan, use tools, and iteratively improve their own output, dramatically outperform one-shot prompting. He is right, the benchmarks agree with him, and the enterprise has heard him: agents are being wired into procurement, accounts payable, treasury, and claims workflows across every industry we serve.
Meanwhile Gartner has published the counterweight: a prediction that over forty percent of agentic AI projects will be canceled by the end of 2027 — cost, unclear value, or inadequate risk controls. Both statements are true at once, and the space between them is where this article lives. Because I know exactly where the difference between Ng's promise and Gartner's graveyard gets decided, and it is not in the model card. It is in the vendor master file — the most boring, most neglected, most financially explosive table in your enterprise.
The most dangerous table in the company
Every finance leader knows the vendor master is a mess; almost none can say how big. The same supplier spelled six ways across two ERPs. Banking details updated by email request. Dormant vendors nobody deactivated since the 2019 acquisition. Duplicate entities created because search didn't find the original. In human-speed finance, that mess is friction — caught by the AP clerk who thinks "wait, didn't we pay these guys already?" That clerk's pattern-matching pause is an internal control nobody ever wrote down.
Now give Ng's agentic workflow write access. The agent matches invoices, resolves discrepancies, and iterates toward completion — exactly as designed — at machine speed, without the pause. An agent that "resolves" a discrepancy by paying both spellings of the same supplier has not malfunctioned; it has optimized the objective you gave it against the data you gave it. Fraudsters have already industrialized the human version of this — business email compromise against vendor banking details is a multibillion-dollar annual loss category — and an agent with standing write access to the vendor master is the most attractive social-engineering target finance has ever deployed. Prompt-inject the agent, or simply feed it a convincing document, and the "iteratively self-improving workflow" becomes an iteratively self-improving exfiltration channel with a payment run attached.
The controls exist. They were written for humans. Rewrite them for agents.
Here is the good news, and it is genuinely good: finance already invented every control this problem needs. Segregation of duties. Dollar-threshold approvals. Out-of-band verification for banking changes. Maker-checker on master-data edits. Audit trails. The failure mode isn't missing controls — it is that enterprises wire agents around controls that assume the actor is a person. So the translation work, which is the entire game:
Segregation of duties becomes segregation of agents — the agent that proposes a vendor change is never the agent that approves it, enforced by separate Entra workload identities with disjoint permissions, not by prompt instructions. Dollar thresholds become autonomy thresholds — the agent completes under $X autonomously, queues $X-to-$Y for one human click, and cannot even draft above $Y. Out-of-band verification survives untouched — no banking-detail change executes on any channel an agent (or its attacker) can also write to. Maker-checker becomes human-checker on master data, always — the master file is the one table where machine speed is a bug. And the audit trail becomes per-agent, per-action, deposition-grade logging — because "the workflow did it" is not an answer your external auditor accepts.
There is a second layer most finance teams have never run, and it is the one I push hardest: graph analysis against the vendor master itself. Relationship analytics across entities — shared bank accounts, shared addresses, shared registration agents — is the technique enforcement agencies use to find related-party fraud, and most CFOs have never pointed it at their own table. Before an agent touches that data, run the graph. You will find things. Clients always do.
The controls translation table
| Traditional Control | Agent-Native Equivalent |
|---|---|
| Segregation of duties | Separate Entra workload identities with disjoint permissions for propose/approve — never the same agent |
| Dollar-threshold approvals | Autonomy thresholds: $X autonomous / $X–$Y one-click human / >$Y no-draft — encoded in approval flows, not prompts |
| Out-of-band verification | Unchanged — no banking-detail change on any channel an agent (or its attacker) can also write to |
| Maker-checker | Human-checker always on master data — the vendor master is the one table where machine speed is a bug |
| Audit trail | Per-agent, per-action, deposition-grade logging with retention schedule |
| Pre-deployment review | Graph analysis across the vendor master (shared bank accounts, addresses, registration agents) before any agent write access |
The insurance dimension nobody prices until renewal
Here is where this stops being an architecture article and becomes a balance-sheet one. Carriers writing cyber and errors-and-omissions coverage are tightening around exactly this scenario — autonomous systems taking financially consequential actions without documented human oversight. The underwriting questions arriving at renewal are precisely the controls above: autonomy thresholds, kill switches, human-in-the-loop inventories, out-of-band authentication for high-risk AI actions, per-agent identity. Documentation does not guarantee coverage or a lower premium — nothing does — but arriving at renewal without it converts a negotiation into a letter you can only accept. That evidence package is exactly what EPC Group's AI Insurance Readiness practice assembles, and the six controls carriers now ask about are documented in our white paper.
What I tell clients to do
One. Run the graph analysis on the vendor master before any agent gets write access. Clean the table, dedupe the entities, and deactivate the dormant rows — the agent inherits whatever you leave.
Two. Translate your existing financial controls into agent-native form — segregated identities, autonomy thresholds, out-of-band verification, human-checker on master data. Do not write new controls. Rewrite the actors in the old ones.
Three. Set the autonomy matrix with the CFO and General Counsel in the room, in writing, with dollar figures. "The agent handles routine cases" is not a threshold. "$2,500, single-invoice, existing vendor, no master-data change" is.
Four. Build the insurance evidence package before renewal season, not during it. The carrier's questionnaire is coming either way; the only variable is whether you negotiate or accept.
Where I land
Ng gave the industry the right architecture, and Gartner gave it the right warning — and the forty percent that get canceled will overwhelmingly be the ones that pointed iterating agents at un-governed financial data with inherited permissions and called it transformation. The winners will be boring: clean master data, segregated agent identities, dollar thresholds a General Counsel signed, logs an auditor can love, and an evidence file a carrier will underwrite. In finance, boring is not the consolation prize. Boring is the whole trophy.
The data behind this (sources and verification)
- Andrew Ng — agentic workflow thesis — Iterative agents that plan, use tools, and self-improve outperform one-shot prompting; now conventional wisdom across enterprise procurement and finance workflows.
- Gartner — agentic AI project cancellation prediction — Over 40% of agentic AI projects predicted canceled by end-2027 — cost, unclear value, or inadequate risk controls. Gartner June 2025 press release.
- FBI IC3 annual report — business email compromise — BEC against vendor banking details is a multibillion-dollar annual loss category; the human-speed version of the attack that agents accelerate.
- ICML 2026 — role-confusion / CoT Forgery finding — Approximately 60% attack success rate via CoT Forgery; why prompt-level instructions are not financial controls.
Third-party figures above are attributed to their named sources as of the Last verified date. EPC Group audit figures are directional findings from client engagements. Items marked [VERIFY] must be confirmed before external quotation.
Frequently asked questions
Why is the vendor master file the highest-risk table for agentic AI?
It controls where money goes, it is chronically duplicated and stale, and agents act on it at machine speed without the AP clerk's pattern-matching pause. The same supplier spelled six ways, banking details updated by email request, and dormant vendors from a 2019 acquisition are friction at human speed — caught by the clerk who thinks "wait, didn't we pay these guys already?" That pause is an internal control nobody ever wrote down. Remove it by giving an agent write access and you have replaced an informal control with an automated gap.
Can an agent approve payments?
Below a board-approved dollar threshold, with segregated identities and full logging — and never a payment involving a master-data change the same agent also made. The proposing agent and the approving agent must be separate Entra workload identities with disjoint permissions, enforced by policy, not prompt instructions.
What will insurance carriers ask about agentic finance workflows?
Autonomy thresholds, human-in-the-loop inventory, kill switches, out-of-band authentication for high-risk AI actions, and per-agent identity and logs. Documentation doesn't guarantee coverage or a lower premium — nothing does — but arriving at renewal without it converts a negotiation into a letter you can only accept.
What is "segregation of agents"?
The agent-native form of segregation of duties: the proposing agent and approving agent are different identities with disjoint permissions, enforced by Entra workload identity policy, not prompts. Prompt-level instructions are not financial controls — an ICML 2026 study found roughly 60% attack success via CoT Forgery against prompt-only guardrails.
Where do we start?
Clean the table first: run graph analysis across the vendor master, dedupe the entities, and deactivate dormant vendors — the agent inherits whatever you leave. Then translate your existing financial controls into agent-native form. Do not write new controls; rewrite the actors in the old ones.
Ready to act on this?
Start with the practice most relevant to your estate, or reach out directly for a senior-architect conversation.
📧 contact@epcgroup.net · 📞 (888) 381-9725
Multiple models. One truth.
