ERP in the Agentic Era: How to Prepare
AI agents that autonomously operate ERP systems are real in 2026. This is what your ERP architecture needs to support agents that make decisions on their own.
Colonial Pipeline. JBS Foods. Ransomware attacks in 2021 are targeting supply chains. Here's why your ERP is the weak link and how to stop ignoring it.
Abhi Asok
Founder & CEO, Arvension Technologies
The ransomware attack on Colonial Pipeline in May shut down fuel distribution to the entire East Coast for a week. Six weeks later, JBS Foods was hit. Meatpacking halted nationwide. Both of these attacks targeted supply chains. Both of them worked because the companies' operational technology and enterprise systems were either inadequately secured or integrated in ways that gave attackers paths from IT systems to operational control.
I'm bringing this up because every company I talk to has a version of the same gap: their ERP is critical to operations, but they're not actually securing it as if it's critical to operations.
Here's how this typically plays out. A company gets compromised through a phishing email, a contractor's credentials, or vulnerable VPN access. The attacker gets into the network. They move laterally, looking for where the money is, where the operations are. Usually they find the ERP. An SAP system, an Oracle system, a NetSuite instance. They establish persistence, usually through a backdoored account or a compromised service account.
Now they have access to core operational data. They can see what's in inventory. They can modify purchase orders. They can block shipments. They can change accounting entries. They can shut down production by modifying work orders. The actual ransom demand is often not the scary part. The scary part is that your operations are now subject to an attacker's control.
Most companies treat ERP security like they treat general network security. "We have a firewall. We have two-factor authentication for VPN. We do annual penetration testing. We're fine." That's not fine. That's baseline. It's necessary but insufficient.
The specific ERP vulnerabilities that get ignored:
One, default credentials. SAP ships with default database credentials for certain administrative functions. Every major ERP has default accounts. Most companies don't change them because the documentation is scattered and changing them is tedious. Attackers count on this.
Two, excessive privileges. The service accounts that run ERP jobs have massive privileges because it's easier to grant "everything" than to actually figure out what specific permissions are needed. That means if one service account gets compromised, an attacker has nearly complete control of the system.
Three, lack of monitoring. Most ERP systems generate extensive logs. Almost nobody actually reads them. You don't know if somebody logged in at 3 AM with a service account. You don't know if someone ran a custom query that extracted your entire customer database. You don't know if purchase orders are being created from unexpected locations. You're flying blind.
Four, integration points. Modern ERPs integrate with other systems—accounting, CRM, e-commerce platforms. Those integrations use API keys or database credentials stored in configuration files. Attackers find these and you've now compromised multiple systems from a single breach.
A few months ago, I worked with a company on a security audit. They were using SAP. I asked to see their ERP access logs for the past month. They looked confused. They didn't have a centralized log repository. They were keeping logs on the server in a custom directory. Nobody was reviewing them. I asked to see the list of active database users. They had 47 accounts, including at least eight that hadn't been used in over a year but were still active with full privileges.
That's not unusual. That's pretty standard.
I asked about backup security. They were backing up their ERP database to external storage. The backups weren't encrypted. They were in a shared folder that anyone with network access could read. We were basically handing attackers a complete snapshot of the company's operational and financial data.
The difficult part about ERP security is that it touches everything. You can't just throw authentication at it and call it secure. You need to:
One, inventory what you have. What ERP systems are running? What version? What custom code or integrations are connected? Most companies can't answer these questions with confidence.
Two, harden the basics. Change default credentials. Apply patches on a regular schedule. Implement least-privilege access where service accounts have only the permissions they actually need, not administrative access.
Three, monitor actively. Set up logging for sensitive operations. Unusual access patterns. After-hours access from unexpected locations. Data exports. You want to know if something weird is happening. You probably won't catch it in real time but you'll catch it before it becomes a disaster.
Four, segment your network. Your ERP doesn't need to be reachable from every part of your company's network. Create a segment where only authorized systems can access it. Make lateral movement from a compromised machine harder.
Five, manage integrations. Every API key and database credential used for integration should be managed like a secret. Rotated regularly. Monitored. If a system is compromised, you know what other systems are at risk.
This is not novel security advice. It's basic security hygiene. But it's being ignored at enterprise scale because ERP security feels abstract compared to "we got hacked." Until it's not abstract anymore.
The ransomware attacks we're seeing in 2021 are sophisticated and well-funded. They're not script kiddies. They're organized groups who understand supply chains and understand that hitting the ERP is the most efficient way to bring a company to its knees. The Colonial Pipeline attackers didn't try to shut down pumps directly. They hit the billing and accounting system. The company shut themselves down rather than operate without knowing what was paid for.
If you think your company is too small to be targeted, you're probably wrong. The targeting is increasingly automated. Attackers scan for vulnerable systems, they exploit them, they move on. Size doesn't matter as much as "do you have an ERP with weak security?"
The window to fix this isn't huge. If you haven't done a real security audit of your ERP and integrated systems in the past year, you should schedule one now. Not next quarter. Now. And when the auditor points out gaps, actually fix them instead of documenting them for future consideration.
Because future consideration is how you end up on the news as another supply chain attack statistic.
AI agents that autonomously operate ERP systems are real in 2026. This is what your ERP architecture needs to support agents that make decisions on their own.
Most companies automate the wrong processes first. Here's what I've learned about prioritizing automation, which patterns work, and the mistakes everyone makes.
Clients always ask: should we build or buy ERP? My framework for this critical decision—the key questions I ask and what answers truly reveal.