Will ERP Become the Trust Layer for Autonomous Commerce?
Consumer agent commerce has a winner taking shape. B2B hasn't started. The reason lives in the ERP.
- Consumer agent commerce has moved from demo to deployment, with signed mandates solving for a single human principal delegating bounded authority to agents.
- Google, Mastercard and Visa are standardizing portable intent — proving what a consumer authorized — not corporate authority. B2B is a structurally harder problem.
- B2B commerce requires delegation chains, approval matrices, segregation of duties, entity binding, budget control and tax treatment. These constraints live in ERP, not card networks.
- ERP's rigidity — role-based access, approval limits, audit trails — is a feature in the agent era, not a flaw. It was built for constrained actors taking consequential actions.
- Orchestration and S2P platforms can coordinate workflows, but the financially binding mandate must originate from, or be attested by, the system that holds financial truth.
- ERP starts with strong cards. Whether it becomes the B2B trust layer depends on whether vendors make the control model legible to agents and payment networks fast enough.
In 2025, Mastercard launched Agent Pay¹, Google followed with AP2 — an open agent-payments protocol developed with payments and technology companies² — and Visa introduced its Trusted Agent Protocol within weeks³. The strategic move is bigger than payments. Google has since moved AP2 into the FIDO Alliance so it can remain platform-agnostic and community-led⁴. Mastercard's move is equally aligned with its franchise model: its network sets rules, standards and interoperability requirements for payment participants⁵. In agentic commerce, that extends to Verifiable Intent — a standards-based trust layer, co-developed with Google, that creates a tamper-resistant record of what a user authorized when an AI agent acts on their behalf⁶. This does not conflict with the ERP thesis. In consumer commerce, the problem is portable intent: proving what a human asked an agent to do and making that mandate legible across wallets, merchants, issuers and networks. In B2B commerce, the harder problem is corporate authority: whether an agent can bind a legal entity, budget, supplier relationship, tax treatment and approval chain.
These protocols work because consumer commerce is the simpler topology: one human principal delegating bounded authority to one or more agents through signed mandates checked against user intent⁷. There are still fraud, dispute and bot-detection problems, but no corporate delegation chain upstream.
The IMF's April 2026 note names the tension: payment infrastructure is deterministic; agentic systems are probabilistic⁸. Consumer protocols handle that separation for the simpler case. B2B commerce is harder — and structurally closer to what agentic commerce is becoming than to card-not-present commerce.
The commercial guardrails already exist — and they bind back to ERP
In a governed enterprise, a two-million-dollar purchase order is not one person's decision. It is a delegation-of-authority framework instantiated as an approval matrix, constrained by segregation of duties, bound to legal entity, business unit, tax position and budget, and auditable against financial reporting, tax and internal-control requirements.
The accountable principal is the legal entity, but it cannot authenticate. It acts only through codified, traceable delegation. That chain does not live in a card network or agent runtime. In many enterprises, it binds back to ERP: the books, controls, tax posture, budget structure and audit trail.
A consumer mandate can prove a human authorized an agent. It cannot prove that a corporate user had authority to commit an enterprise, budget and supplier relationship. That is ERP's claim to the trust layer.
ERP's commercial-control model becomes an advantage
ERP's standard critique is that it is rigid, permission-heavy and hard to use. In the agent era, that starts looking less like a flaw and more like a feature.
ERP controls were built around constrained action inside systems of financial consequence: role-based access, data privileges, approval limits, segregation of duties, audit trails and exception controls⁹. McKinsey frames AI agents as "digital insiders" operating inside systems with varying levels of privilege and authority¹⁰. An agent should not merely know what a user asked it to do; it should know what the user is allowed to do, for which entity, under which budget, against which supplier, within what approval threshold and with what audit trail.
That is the entitlement question ERP has answered for decades. In autonomous commerce, ERP can convert business intent into an approved commercial mandate. Payment networks should not need to recreate corporate authority; they should recognize the ERP-originated mandate, verify integrity, apply tokenization and payment-risk controls, and help the payment succeed.
The trust layer is where ERP makes corporate authority executable — and legible downstream.
Maverick spend becomes an autonomous-systems risk
Maverick spend happens outside approved channels: off-contract buying, unapproved suppliers, skipped approval workflows, wrong legal entity, missed budget checks or payments that bypass governed controls. ERP already has mechanisms to legitimize ad hoc spend underpinned by enterprise rules. The agentic challenge is not to eliminate exceptions; it is to make sure exceptions remain governed at machine speed.
Autonomous agents change the risk profile. McKinsey reports that 80% of organizations have encountered risky behaviors from AI agents, including improper data exposure and access to systems without authorization¹⁰. When an autonomous system double-bills suppliers, violates budget constraints, selects an unapproved vendor or bypasses approval rules, the damage can compound quickly.
The required architecture is a deterministic gate around a probabilistic actor: check amount, supplier, budget, entity and tax treatment, and execute only if every control passes. Maverick spend was tolerable leakage when a human was the backstop. In autonomous commerce, it becomes an autonomous-systems hazard.
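A minimal sketch of such a gate, added here as an illustration and not taken from any ERP, payment-network or protocol implementation. The control tables, identifiers and the `Proposal`, `evaluate` and `gate` names are hypothetical, and the sample data is constructed; the segregation-of-duties and approval-limit checks come from the control model described earlier in the article.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed control data standing in for ERP master data (all values hypothetical).
ENTITIES = {"ENT-DE"}
APPROVAL_LIMITS = {"buyer-17": Decimal("50000"), "cfo-01": Decimal("5000000")}
APPROVED_SUPPLIERS = {"ENT-DE": {"SUP-100", "SUP-200"}}
BUDGET_REMAINING = {("ENT-DE", "CC-4410"): Decimal("120000")}
TAX_CODES = {("ENT-DE", "SUP-100"): "DE-VAT-19"}

@dataclass(frozen=True)
class Proposal:
    requester: str      # human principal the agent acts for
    approver: str       # holder of the approval limit
    entity: str
    cost_center: str
    supplier: str
    amount: Decimal
    tax_code: str

def evaluate(p: Proposal) -> list[str]:
    """Return the names of failed controls; unknown values fail closed."""
    failed = []
    limit = APPROVAL_LIMITS.get(p.approver)
    if limit is None or p.amount <= 0 or p.amount > limit:
        failed.append("amount")
    if p.requester == p.approver:
        failed.append("segregation_of_duties")
    if p.entity not in ENTITIES:
        failed.append("entity")
    if p.supplier not in APPROVED_SUPPLIERS.get(p.entity, set()):
        failed.append("supplier")
    remaining = BUDGET_REMAINING.get((p.entity, p.cost_center))
    if remaining is None or p.amount > remaining:
        failed.append("budget")
    if TAX_CODES.get((p.entity, p.supplier)) != p.tax_code:
        failed.append("tax_treatment")
    return failed

def gate(p: Proposal, execute) -> dict:
    """Run execute(p) only if every control passes; always return an audit record."""
    failed = evaluate(p)
    if not failed:
        BUDGET_REMAINING[(p.entity, p.cost_center)] -= p.amount  # commit budget first
        execute(p)
    return {"executed": not failed, "failed_controls": failed, "proposal": p}
```

The agent only ever supplies a `Proposal`; the decision comes from table lookups, so the same proposal against the same control data always yields the same result and the same audit record.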
How ERP is placed against the alternatives
Orchestration-layer players — Zip, Tonkean, Omnea, ORO Labs, Spendflo and others — are contesting the request-to-approval layer. S2P platforms — Ariba, Coupa, Ivalua, Zycus and others — already hold workflow authority and are making it more agentic. Their case is that the business needs a faster layer above ERP: one that spans systems, coordinates approvals and moves quickly.
That is a real counter. But the payment mandate is not just a workflow artifact. It has to prove that the transaction is valid for the enterprise: entity, supplier, budget, tax treatment, approval chain, segregation of duties, accounting controls and audit trail.
This sharpens ERP's role. Orchestration can coordinate the process, but coordination is not the same as financial authority. Even when these platforms extend deeper into procurement, they still have to reconcile back to the system that holds financial truth.
So the question is not whether ERP owns every interaction. It is whether ERP validates commercial intent before money moves. Orchestration and S2P platforms can still coordinate requests, approvals and exceptions — but the financially binding mandate should originate from, or be attested by, ERP.
The balance point
Gartner predicts that by 2030, 50% of AI-agent deployment failures will be due to insufficient runtime governance enforcement and multisystem interoperability¹¹. That strengthens ERP because financial truth, access control and governance already live near the regulated core. It also strengthens the neutral-standard case because interoperability gaps are what ERP-agnostic orchestration layers aim to solve.
ERP holds strong cards: codified commercial rules, financial truth, mature access controls, segregation of duties, auditability and the regulated core already built. Whether ERP becomes the trust layer depends on whether ERP vendors make agents native to governed execution quickly enough.
If they do, ERP becomes where business intent turns into authorized commercial execution. That does not displace Mastercard, Visa or the broader payment ecosystem. It reuses their acceptance infrastructure: tokenization, issuer and acquirer controls, network authorization, merchant acceptance, fraud controls and dispute handling. The difference is that the corporate mandate originates from, or is attested by, ERP before it moves downstream.
If ERP vendors do not make that control model agent-ready, orchestration layers may become the control plane above ERP, leaving ERP as the system of record beneath someone else's agentic payment layer. ERP is the natural candidate for the B2B trust layer, but it has to make its control model legible to agents and payment networks before another layer makes it invisible.
1. Mastercard — Agent Pay launch
2. Google Cloud — Announcing the Agent Payments Protocol
3. Visa — Trusted Agent Protocol
4. Google — AP2 donation to the FIDO Alliance
5. Mastercard — 2024 Annual Report, franchise model and interoperability
6. Mastercard — Verifiable Intent
7. AP2 Protocol — Specification and core concepts
8. IMF — How Agentic AI Will Reshape Payments
9. SAP — Access control and governance for financial management
10. McKinsey — Deploying agentic AI with safety and security
11. Gartner — Top Predictions for Data and Analytics in 2026