Joel is right — the Procurement AI Agent That No One is Talking About is Governance. It's the agent that is needed the most and, moreover, it's one of the few agents, especially among the AI Agents (that include the felon roster), that can actually be implemented predictably and reliably, if you define its role properly.
In Joel’s post, he asks:
What happens AFTER you go live?
- Users start tweaking workflows without documentation
- Agents get duplicated as teams grow
- Logic gets lost when staff turnover happens
- Nobody remembers why decisions were made
And then he tells you the answer:
It’s the same mess we created with ERP and S2P systems!
And then he goes on to say
Here's what we need:
- Automated workflow documentation
- Change tracking with rationale capture
- Duplicate detection and consolidation
- Impact analysis before modifications
- Knowledge retention across team changes
And he’s very close here, except what we really, really need (and really, really want) is
- Impact assessment before initial implementation (as well as modifications),
- Workflow documentation up-front and not just on changes, and
- Documentation of every decision made, whether or not it changes the workflow, as well as who made it, and who approved.
In other words, knowledge capture and retention is ongoing, change tracking is also decision tracking, and analysis is continual.
However, when it comes to duplicate detection and consolidation, good luck with that!
While it would be nice to automatically detect (and quash) duplicate agents, if they are acting on API pulls through third-party systems, how do you know they exist? When users in multiple departments go rogue and do their own thing (especially if they are unaware there's already an agent-based app for that), how do you know? You don't!
So, instead, what you should really be focused on, especially from a GRC viewpoint, is
- access tracking and access control
- only authorized, validated requests get through to systems and agents: while you can't track every agent on your system, approved or felonious, you can control access to the data if you replace the (open) APIs that have no access control or access tracking with an agent that intercepts all requests and enforces both
- risk assessment
- continuously monitor data sources, internal and external, for KRIs and alert the right person when a potential risk situation is detected
- compliance enforcement
- ensure that any company, industry, or government protocols are followed in access control, data collection, decision making, and reporting
Considering that all of this can be accomplished via well-defined workflows, you could build very reliable agents and solve the un-cool problem that everyone needs a solution to. And I think that would be cool. Don't you want to be someone who's cool?
