Compliant AI agents for regulated Business Central

The conversation about AI in Business Central has moved on. It is no longer about a Copilot that suggests — it is about agents that act: drafting and posting documents, initiating payments, applying configuration, running tests, and reconciling data, directly against your ERP.

In a regulated environment that changes the stakes. An agent that alters a validated system is making a change to a validated system — with all the governance that implies. The question is not whether to use agents. It is under what controls.

From Copilot to agents that act

Agents reach Business Central through the same surfaces your integrations do — the APIs, AL extensions, and, since Microsoft's AL Model Context Protocol server reached general availability in 2026, a direct agentic interface into BC development and data.

That capability is real and useful. The risk is not the agent — it is autonomy without controls. The design question for regulated operators is how much an agent is allowed to do on its own, and what has to happen before a consequential action takes effect.

Governance patterns for agentic operations

These are the design patterns we build into agentic systems that touch consequential processes — described here as governance patterns, not as anyone's internal architecture:

  • Approval gates — no consequential action (payment initiation, posting, master-data or configuration change) executes without an explicit human approval step. High-impact actions use a two-step confirmation.
  • Human-in-the-loop by default — the agent proposes or drafts; a person decides, and the decision is recorded. Agents do not act autonomously on consequential steps; advisory and read-only agents produce recommendations, never changes.
  • Dry-run and simulation — an agent shows the effect of an action before anything is committed, so the operator reviews the outcome, not just the intent.
  • Audit trails (ALCOA+) — every agent action is attributable: who or what acted, when, and the old and new value, tamper-evident, exactly as Annex 11 §9 requires of any GxP-relevant record.
  • Watchdog monitoring — independent monitors that detect anomalous agent behaviour and can halt it, so the agent is never the only thing watching the agent.
  • Change control for agent-driven changes — an agent that alters configuration or AL logic triggers the same impact assessment and re-validation as a human change (Annex 11 §10), including the GAMP 5 category implications of touching custom code.

Why Annex 22 changes the conversation

The regulatory frame is catching up fast. The new EU GMP Annex 22 brings AI and machine learning under the GMP umbrella, and the Annex 11 draft revision strengthens audit-trail, data-integrity and change-control expectations — with AI in batch-release decisions explicitly in scope.

The implication is simple: an agentic change to a validated system must preserve the validated state. That is not a reason to avoid agents — it is the reason to run them under governance. For a regulated operator, that governance is the difference between an AI story and an AI system an auditor will accept.

This is grounded in the same GAMP 5-mapped method we implement by — see how we implement, or start with an Architecture & Compliance Assessment.