Post #008 – AI In Microsoft ERP
When AI is doing work in your financial system, the governance questions don’t go away — they get more important. Here’s what to ask before you’re asked.


Why Finance Teams Have a Unique Governance Obligation
Finance has always operated in a governed environment. SOX controls, audit trails, segregation of duties, approval hierarchies — these aren’t bureaucratic overhead; they’re the infrastructure that makes financial data trustworthy. When AI enters this environment, it doesn’t get to bypass those requirements. It has to work within them — and the governance question is whether you’ve thought carefully about how it does.
The good news is that Microsoft has been thoughtful about this in the D365 context. Copilot and agents in D365 operate within your existing security and permission model. They can’t access data that the logged-in user doesn’t have access to. They don’t post transactions without human approval. The platform-level controls are real.
The governance gap isn’t primarily at the platform level — it’s at the process level. Organizations need to decide how AI use is documented, reviewed, and audited. That’s organizational work, not just a technology question.
Ten Questions Your Team Should Be Asking











What Microsoft Provides — And What You Still Own
Microsoft has built significant governance infrastructure into the platform. The Copilot Control System gives IT and security teams tools to manage data access, log interactions, enforce policies, and monitor for risky behavior. Microsoft Purview covers data governance and compliance for AI interactions across Microsoft 365. Responsible AI principles are documented and publicly available.
🔐 Microsoft Provides
Permission-based data access for Copilot, audit trail for transactions, data residency controls, interaction logging (M365), responsible AI policy, no training on customer data.
🏛️ Your Organization Owns
AI usage policy, employee training, external auditor communication, review and approval controls for AI outputs, exception tracking, data classification decisions, vendor agreement review.
⚙️ Implementation Team Responsibility
Agent scope configuration, exception escalation workflow design, human-in-the-loop control points, agent testing and validation, error rate monitoring setup.
📋 Shared Responsibility
Security model design (permissions drive what Copilot can access), data quality (AI reflects data hygiene), change management and user training on AI limitations.
Practical starting point: If you don’t know where to begin on AI governance, start with a simple inventory: which AI features are active in your D365 environment today, and which processes do they touch? That’s the foundation for a controls assessment. Microsoft’s Copilot & agent capabilities page (in Business Central) gives you the full list for your environment.
📚 Go Deeper — Governance Resources
- Data, Privacy, and Security for Microsoft 365 Copilot — Microsoft’s official data handling documentation
- Copilot Control System — enterprise governance tools for Copilot deployments
- Microsoft Purview for AI Governance — data security and compliance for AI usage
- Responsible AI Principles — Copilot Studio — Microsoft’s responsible AI framework
The Governance Posture That Works
The organizations I’ve seen handle AI governance well share a few characteristics: they treat AI tools like any other controlled process in their financial environment, requiring documentation, review, and accountability. They engage their auditors early rather than surprising them. They have a clear policy on employee AI tool use. And they build AI oversight into their existing controls framework rather than creating a parallel governance structure for AI specifically.
The goal isn’t to govern AI into irrelevance. It’s to make sure that when AI is doing work in your financial systems, that work is as accountable, traceable, and trustworthy as any other part of your close process.
Next up: Post 9 takes on a question I hear constantly from the consulting side — what does all of this mean for ERP professionals and consultants?
Bobbi Bricker
ERP Capability Lead & D365 Functional Architect at Centric Consulting. Former controller. Practical by nature, curious by default. Writing about D365 F&O, Business Central, and now AI in ERP — because someone has to translate the tech into something finance teams can actually use.