AWS WorkSpaces Now Lets AI Agents Operate Legacy ERP and MES Systems — But Governance Must Come First
ERP & Business Systems

AWS WorkSpaces Now Lets AI Agents Operate Legacy ERP and MES Systems — But Governance Must Come First

AWS launched WorkSpaces for AI agents in May 2026, removing the API barrier that blocked automation on legacy ERP and MES systems. Manufacturers must audit identity, permissions, and audit logging before any agent executes a live transaction.

7 min readJuly 8, 2026
Back to News
TL;DR
  • -AWS WorkSpaces now lets AI agents operate legacy ERP, MES, and desktop apps that have no modern API.
  • -Each agent gets its own isolated identity and scoped permissions — separate from human operator credentials.
  • -IT admins manage agent permissions and audit logs using the same WorkSpaces controls used for human users.
  • -Manufacturers must document approval chains, exception paths, and rollback procedures before any agent goes live.
  • -The technology barrier is gone; the governance prerequisite is now the critical path.

In May 2026, Amazon Web Services announced that WorkSpaces — its managed cloud desktop service — now enables AI agents to operate desktop applications directly, including legacy ERP systems, mainframes, and proprietary tools that have no modern API layer. AWS describes this as solving the "last-mile challenge" for enterprise AI automation: the large category of business-critical systems that agents could not previously touch because they expose no programmatic interface.

For manufacturers running Epicor, Infor, older SAP versions, or custom shop-floor applications, this is a meaningful shift. The API gap that made those systems off-limits for automation is no longer a hard stop. The governance gap, however, is still your problem to solve.

What AWS Actually Announced

According to the AWS product announcement and accompanying blog post, WorkSpaces AI agents operate by navigating desktop applications exactly as a human employee would — pointing, clicking, and entering data — without requiring any application modernization or API development.

Confirmed capabilities from AWS's own documentation:

  • Isolated agent identity: Each AI agent receives its own identity, scoped permissions, isolated session, and defined network boundaries — distinct from any human operator's credentials.
  • Centralized IT controls: Administrators manage agent permissions, logging, and auditing through the same WorkSpaces controls used for human users.
  • Observability: Enterprise observability features include session screenshots and metrics, giving IT visibility into what an agent did and when.
  • Framework-agnostic integration: Agents connect to business applications using the industry-standard Model Context Protocol (MCP) and can run cloud-hosted, on-premises, or in hybrid environments.
  • Pay-as-you-go pricing: Charges apply only while an agent is actively working; specific per-session or per-hour rates are not disclosed in the announcement.

The feature launched in Preview in May 2026. AWS's blog post indicates it subsequently became generally available, though the product announcement page retains "Preview" in its title. Confirm current GA status directly with AWS before committing to a production deployment timeline.

The only sources available for this announcement are AWS's own product page and blog post. No independent analyst validation or manufacturer pilot case study has been published.

Why This Matters for Manufacturers Running Legacy Systems

The AWS scenario used to illustrate the capability is a global manufacturer managing a product defect recall: agents update ERP systems, notify suppliers and customers, reallocate inventory, and prepare regulatory compliance packages — while humans handle judgment-dependent decisions. That scenario maps directly to workflows that mid-market manufacturers execute manually today, often under time pressure and with limited staff.

The practical implication: if your ERP or MES has been excluded from automation roadmaps because it has no API, that exclusion no longer holds. WorkSpaces agents can operate those systems today.

AWS's own blog makes the governance risk explicit. Ungoverned agents create what AWS calls "governance drag": security teams cannot audit what they cannot see, compliance teams cannot certify what they cannot trace, and agent owners cannot correct what they cannot observe. The result, AWS notes, is agents that stay stuck in pilots and never reach production — or worse, agents that reach production without adequate controls.

Where the Exposure Shows Up

For a manufacturer running a legacy ERP or MES, the exposure is concrete. Consider what an agent operating your ERP can touch:

  • Sales orders and purchase orders: An agent writing an incorrect order quantity or wrong ship-to address creates a fulfillment error that may not surface until the dock.
  • Inventory records: An incorrect inventory adjustment propagates into production planning, purchasing, and customer-facing availability.
  • Compliance documentation: For manufacturers subject to ITAR, RoHS/REACH, or SOX, an agent-generated compliance record that cannot be traced to a specific session, timestamp, and permission scope is a liability in an audit.
  • Work orders and BOM data: Errors in production-facing records can affect quality, scheduling, and cost — and may not be caught until a downstream process fails.

The risk is not that agents will necessarily make these errors. The risk is that without identity isolation, immutable logging, and documented exception paths, you will not be able to prove what happened, who authorized it, or how to reverse it.

What to Audit Now

Before any AI agent pilot on a legacy ERP or MES system, work through each of the following and document your findings — not for AWS, but for your own compliance and incident-response records.

  • Map every workflow a candidate agent would execute. For each transaction type — sales order entry, inventory adjustment, purchase order creation, compliance record update — document the current approval chain, exception path, and human-oversight requirement. If you cannot describe the exception path today, an agent cannot handle it safely.
  • Audit your identity and access control model. Confirm that agents will receive their own isolated credentials, separate from human operator accounts, with permissions scoped only to the workflows they are authorized to execute. An agent that inherits a human operator's broad ERP access is an uncontrolled risk.
  • Verify audit logging configuration in WorkSpaces. Confirm that logs are immutable, include session screenshots and metrics, and are retained for the duration required by your applicable compliance frameworks — SOX, ITAR, RoHS/REACH, or industry-specific requirements. Retention periods vary; do not assume WorkSpaces defaults match your obligations.
  • Confirm disaster recovery and rollback procedures for agent-executed transactions. What happens when an agent writes an incorrect sales order, inventory adjustment, or compliance record? If your ERP has no transaction-level rollback capability, that gap must be addressed before agents operate in production.
  • Review compliance obligations specific to your operation. ITAR applies to defense-adjacent manufacturers. RoHS/REACH documentation requirements apply to electrical components and electronics. SOX applies to public companies and many PE-backed entities. Verify that WorkSpaces governance features satisfy those specific requirements — not just general IT security standards.
  • Confirm IAM integration. WorkSpaces states it connects to existing enterprise identity systems, but the announcement does not specify Active Directory, Okta, or other mid-market IAM providers by name. Verify that agent identities will appear in your existing access review and offboarding processes — not as a separate, unmanaged credential set.
  • Define the human-in-the-loop boundary before deployment. Identify which workflows are safe to automate fully and which require a human approval step. Document that boundary explicitly. An agent that escalates to a human for judgment-dependent decisions carries a different risk profile than one that executes end-to-end without review.

What to Watch

AWS launched WorkSpaces for agents alongside several related services at AWS Summit New York in May 2026, including Amazon Bedrock AgentCore for orchestration, AWS Continuum for agentic security, and AWS Context for enterprise data connectivity. These services are designed to work together, and the governance controls in WorkSpaces are most effective when paired with an orchestration layer that enforces policy at the agent level.

Watch for AWS partner ecosystem announcements that name specific ERP platforms — Epicor, Infor, older SAP versions — as tested and validated configurations. The current announcement is framework-agnostic, which means integration architecture for your specific system is not yet documented in public reference materials.

Also watch for responses from RPA platforms. UiPath and Automation Anywhere have offered UI-based automation on legacy desktop applications for years. The WorkSpaces approach adds cloud-managed identity isolation and governed observability to that capability — a meaningful governance improvement — but manufacturers already running RPA on legacy systems should evaluate whether their existing platform's governance controls are sufficient before adding a new infrastructure layer.

Bottom Line

The API barrier that kept AI agents off legacy ERP and MES systems is gone. The governance barrier is not. Manufacturers who move to pilot agents on production systems without first establishing isolated agent credentials, scoped permissions, immutable audit logs, and documented rollback procedures will create compliance exposure they cannot easily unwind. Do the audit before the pilot, not after the first agent-written transaction goes wrong.

Sources and supporting resources
Next
Agentic AI for Supply Chain Exception Handling: What Manufacturers Need Ready First