Oracle puts AI agents in the ERP and opens a store

At Oracle AI World on October 15, 2025, Oracle embedded prebuilt agents inside Fusion ERP and launched an Agent Marketplace. Learn why system of record placement speeds adoption and how to prove ROI with real KPIs.

By Talos

The news that matters

On October 15, 2025 in Las Vegas, Oracle took a decisive step: it embedded prebuilt, domain specific agents across Fusion Applications and introduced a partner Agent Marketplace that lets customers deploy validated agents inside the same workflows where finance, human resources, supply chain, and customer experience teams already live. Oracle framed the move as a way to speed execution, improve decisions, and keep costs in check. The meaningful bit is not the slogans. It is the placement. These agents sit where the ledgers, payables, requisitions, employee records, and fulfillment milestones already are. That is what makes this feel different from yet another chat UI bolted to the side of an enterprise suite. The announcement is captured in Oracle’s official release for the marketplace, published on October 15, 2025. You can read the details in Oracle’s marketplace announcement.

If you follow the enterprise agent arc, you have seen platforms race to become the runtime and developers push for open interfaces. We have covered operations-first runtimes and A2A patterns from other vendors, including enterprise runtime patterns and agent to agent orchestration. Oracle’s move lands the agent directly on the system of record, which changes both adoption curves and governance conversations.

Why system of record placement accelerates adoption

Putting agents at the system of record layer does three things leaders have been asking for since the first chatbot pilot.

  1. Security is native, not bolted on

In an Enterprise Resource Planning suite, permissions are expressed as roles and duty privileges. An Accounts Payable clerk can see invoices but not payroll. Supply chain planners can see supplier lead times but not compensation data. When an agent runs inside Fusion Applications, it inherits the same role based access controls. There is no need to mirror identity and permission models in a separate agent platform, then hope they stay in sync. That reduces the chance of privilege drift and limits the blast radius of a misconfigured agent. Because the agent executes where the data already resides, traffic stays inside well observed boundaries with existing audit trails.

  2. Governance is continuous, not a post hoc audit

Enterprise governance teams need lineage, segregation of duties checks, and repeatable approvals. In Fusion, every journal entry, supplier change, or workforce action already leaves a trace. Agents operating there can use those native controls: worklists, approval hierarchies, and policy engines. That means we can require dual approval for high risk actions, run segregation of duties checks before an agent posts a journal, and attach evidence automatically. The design turns governance from a periodic review into a gate that runs at the point of action.

  3. Data gravity lowers friction

The largest datasets that agents need are the ones that drive the business: general ledger, subledgers, purchase orders, receipts, workforce profiles, and supply chain execution records. Moving these out to a standalone agent platform introduces cost, latency, and new risk. Running agents where those datasets live lets you optimize for locality. It also simplifies retrieval augmented generation patterns, because context like supplier reliability, payment terms, or budget thresholds can be pulled with direct queries rather than stitched by fragile connectors.

The result is a faster path to value. Leaders do not need to invent a separate governance stack. They extend the one they already use.

Marketplaces become the distribution channel for enterprise agents

Consumer app stores solved discovery, payment, updates, and trust. Enterprise never got the same experience because every buyer had unique security and integration needs. The new Agent Marketplace borrows the right lessons while staying enterprise ready.

  • Distribution lives where work happens. Instead of searching the public internet, customers discover and install agents from within Fusion. That collapses the time between interest and a live pilot.
  • Validation replaces vague vendor claims. Marketplace agents are reviewed against a checklist that includes security practices, data handling declarations, and integration behavior. This sets a minimum bar that partners must meet before customers see the listing.
  • Updates flow through a managed lane. Version pinning, change logs, and rollback options let administrators upgrade agents on their timeline. Change control remains intact.
  • Support contracts are clear. Customers know who is on the hook when an agent misbehaves. Oracle support remains the front door for runtime issues and partner escalation, instead of a scavenger hunt through third party tickets.

This channel also changes partner incentives. In the old world a consultancy shipped a statement of work and moved on. In a marketplace world, partners compete on ongoing performance metrics like first action success rate, exception rate, and user adoption. The best agents become products with version roadmaps, not one off projects. Expect to see categories emerge quickly: finance close agents, working capital agents, indirect procurement agents, hiring and onboarding agents, and fulfillment exception agents. If you are building repeatable agent products, the patterns from turning agents into a production pipeline will apply directly to packaging, telemetry, and upgrades.

What MCP and agent to agent interoperability could unlock next

Today, most enterprise agents are task specialists tied to one suite. The next phase is interoperability across agents and systems. Two building blocks matter.

  • An open way for agents and applications to share tools and context. Anthropic introduced the Model Context Protocol, a specification that standardizes how clients access tools, resources, and prompts using JSON Remote Procedure Calls. MCP is already supported by multiple software development kits and is often described as a universal port for agent connections. If enterprise suites adopt MCP style interfaces, an agent in finance could call a tool exposed by a human resources or supply chain agent without brittle custom code. For the technical grounding, see Anthropic’s Model Context Protocol documentation.

  • Agent to agent collaboration patterns. Agent to agent, or A2A, means agents can sequence tasks between them with clear ownership and safeguards. Picture a payables agent that flags a supplier as risky. Instead of emailing a human and waiting, it opens a case with the supplier compliance agent, attaches evidence, proposes mitigation, and asks for a decision. That second agent may reach into procurement data, loop in a human owner for judgment, and pass its decision back. Each step stays within role boundaries, is logged, and is reversible.

For Oracle customers, the opportunity is to push for MCP compatible tool interfaces in the Agent Studio, and to define internal rules for how agents may delegate to each other. The payoff is fewer human handoffs and less swivel chair integration.

Pragmatic playbooks by function

The fastest wins will come from specific, narrow workflows. Here are three playbooks that are built for Fusion customers but generalizable to any enterprise suite.

Finance: close faster, protect working capital

Start where the business feels the pain every month.

  • Candidate workflows

    • Payables intake and matching: have an agent ingest invoices from email and portals, extract fields, match to purchase orders and receipts, apply tax rules, and route exceptions.
    • Intercompany and accrual review: let an agent flag variances and draft adjustment journals with explanations and supporting transactions.
    • Cash application and dispute triage: have an agent match remittances to open invoices and propose dispute categories.
  • Operating model

    • Human in the loop on money movement. Require approvals for any payment instruction, supplier bank change, or off cycle payment.
    • Segregation of duties enforcement at runtime. If the same person or agent would both create and approve a journal, block and escalate.
  • Metrics to prove value

    • Close cycle days reduced by X percent.
    • Straight through processing rate for invoices and remittances.
    • Exception rate by supplier and by spend category.
    • Working capital impact: change in early payment discounts captured and late payment penalties avoided.
  • Rollout pattern

    • Phase 1: run the agent in shadow mode that drafts entries and recommendations but does not post.
    • Phase 2: allow posting below a dollar threshold with dual approval above it.
    • Phase 3: broaden supplier coverage and raise thresholds as quality stabilizes.

Human resources: hiring and skills at speed without losing trust

HR data is sensitive. Design the system with that in mind.

  • Candidate workflows

    • Requisition to structured interview plan: an agent turns a job description into a structured interview kit aligned to competencies, with bias checks and documentation.
    • Offer package assembly: the agent pulls compensation bands, equity rules, and location tax constraints to draft offers and explain tradeoffs.
    • Skills graph upkeep: the agent normalizes titles, extracts skills from internal projects, and suggests learning paths.
  • Operating model

    • Always human approval for candidate communications. The agent drafts and summarizes, humans send.
    • Privacy by default. Agents only access fields necessary for the task. Sensitive fields like medical or immigration data are masked unless explicitly needed.
  • Metrics to prove value

    • Time to schedule and time to offer.
    • Candidate experience scores and drop off rate.
    • Offer acceptance rate by role and geography.
    • Skills profile completeness without manual surveys.
  • Rollout pattern

    • Pilot with a single business unit and a fixed set of requisitions. Expand only after monitoring hallucination rate and accuracy on policy application.

Supply chain: predict, prevent, and resolve exceptions

Supply chains generate continuous noise. Agents can turn noise into prioritized action.

  • Candidate workflows

    • Purchase order risk triage: the agent scores orders for lateness and quality risk, proposes expedites, and drafts supplier messages with relevant contract clauses.
    • Inventory balancing: the agent spots likely stockouts and overstock, suggests transfers, and simulates service level impact.
    • Returns and nonconformance handling: the agent classifies returns, assigns root cause codes, and routes corrective actions.
  • Operating model

    • Guardrails around autonomous messaging. The agent may draft emails and portal updates but cannot commit to penalties or discounts without human review.
    • Structured playbooks. For each exception type, define allowed actions, data sources, and escalation paths.
  • Metrics to prove value

    • Reduction in late order lines.
    • Expedite spend as a percentage of revenue.
    • Service level attainment and fill rate.
    • Mean time to resolution for top exception types.
  • Rollout pattern

    • Start with a narrow lane such as one product family and a small supplier cohort. Use weekly retros to prune bad prompts and improve tools.

Metrics that matter and how to instrument them

Leaders will ask two questions: are people using the agents, and are we getting a return that justifies the risk and effort. Instrument both.

  • Daily active users by role (DAU). Define a daily active user as a user who initiates or approves at least one agent action in a day. Track it by persona: AP analyst, buyer, planner, recruiter. DAU tells you whether the agent is becoming part of the routine.

  • Weekly action rate per user. Count the number of completed agent actions per active user per week. This normalizes for seats and shows depth of use.

  • First action success rate. Percentage of agent initiations that complete without human rewrites or retries. Use this to target prompt and tool improvements.

  • Exception rate by category. Classify why an action failed: missing data, policy block, low confidence. Exception patterns reveal broken processes rather than bad models.

  • Cycle time deltas. For each workflow, measure before and after time to completion. A simple stopwatch metric is more persuasive than model benchmarks.

  • ROI per agent run. A practical formula is: ROI per run equals value realized minus cost per run, divided by cost per run. Value realized may be time saved times fully loaded hourly rate, plus avoided penalties, plus captured discounts, plus revenue lift. Cost per run includes model inference charges, platform overhead, and partner license share. Example: if an invoice processing run saves 8 minutes for a 60 dollar per hour analyst, that is 8 divided by 60 times 60 equals 8 dollars saved, and if the run costs 15 cents, then ROI per run is (8 minus 0.15) divided by 0.15, which is roughly 52 times. Track this over cohorts and remove outliers.

  • Risk and compliance guardrails. Track percentage of agent actions with dual approvals where required, number of policy violations blocked at runtime, and zero trust events. Publish these alongside productivity metrics to keep risk leaders aligned.

Instrumenting these requires observability built into the agent runtime. Log every tool call, the data scopes accessed, the prompts used, model versions, confidence scores, decisions, approvals, and outputs. Redact sensitive fields in logs and store prompts in a separate vault with limited access. Give operations teams a dashboard with per agent run telemetry and a red button to pause an agent across tenants if needed.
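
A sketch of that instrumentation, added here as an example and not taken from Oracle or any agent runtime: it masks sensitive tool arguments before a record reaches the general log, then derives DAU by role, first action success rate, exception rate by category, and ROI per run from the run log. The record layout, field names, and sample data are constructed for illustration.

```python
from collections import Counter, defaultdict

# Assumed field names; build this set from your own data classification.
SENSITIVE_FIELDS = {"bank_account", "tax_id", "medical_note"}

def run(day, user, role, status="completed", retries=0, rewritten=False,
        exception=None, approver=None, approver_role=None, **args):
    """Build one run record: who initiated, who approved, outcome, tool arguments."""
    return dict(day=day, user=user, role=role, status=status, retries=retries,
                rewritten=rewritten, exception=exception, approver=approver,
                approver_role=approver_role, args=args)

# Constructed sample log, one record per agent initiation.
RUNS = [
    run("2025-11-03", "ana", "ap_analyst", invoice="INV-1", bank_account="000111"),
    run("2025-11-03", "ana", "ap_analyst", retries=1, approver="raj",
        approver_role="ap_manager", invoice="INV-2"),
    run("2025-11-03", "li", "buyer", status="failed", exception="policy_block",
        po="PO-9", tax_id="99-000"),
    run("2025-11-04", "li", "buyer", rewritten=True, po="PO-10"),
]

def redact(record):
    """Copy of a record for the general log with sensitive tool arguments masked."""
    masked = {k: "[REDACTED]" if k in SENSITIVE_FIELDS else v
              for k, v in record["args"].items()}
    return {**record, "args": masked}

def dau_by_role(runs, day):
    """Users who initiated or approved at least one agent action that day, per role."""
    seen = defaultdict(set)
    for r in runs:
        if r["day"] != day:
            continue
        seen[r["role"]].add(r["user"])
        if r["approver"]:
            seen[r["approver_role"]].add(r["approver"])
    return {role: len(users) for role, users in seen.items()}

def first_action_success_rate(runs):
    """Share of initiations that completed with no retry and no human rewrite."""
    clean = [r for r in runs if r["status"] == "completed"
             and r["retries"] == 0 and not r["rewritten"]]
    return len(clean) / len(runs) if runs else 0.0

def exception_rate_by_category(runs):
    """Failed share of all runs, split by the recorded failure category."""
    counts = Counter(r["exception"] for r in runs if r["exception"])
    return {cat: n / len(runs) for cat, n in counts.items()}

def roi_per_run(minutes_saved, hourly_rate, cost_per_run, other_value=0.0):
    """(value realized - cost per run) / cost per run, as defined in the text."""
    value = minutes_saved / 60 * hourly_rate + other_value
    return (value - cost_per_run) / cost_per_run
```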

Integration guardrails for rollout at scale

You can move fast without breaking the bank or the audit. Adopt these guardrails from day one.

  • Principle of least privilege. Define data scopes and allowed actions per agent. Use the suite’s role model to enforce it.

  • Segregation of duties embedded. Before an agent posts a journal, changes a supplier bank account, or issues a refund, run a segregation of duties check in real time.

  • Human in the loop thresholds. For each action type, set dollar limits and risk scores that require approval. Above the threshold, collect structured rationale and evidence with the request.

  • Prompt governance. Treat prompts like code. Store in version control, peer review changes, test against regression suites, and link to change tickets.

  • Tool whitelisting. Agents can only call approved tools with declared schemas and input validation. Block dynamic shell access in production.

  • Data residency and retention. Tie agent storage and caching to your residency requirements and purge schedules. Mask personal data by default and unmask only when policy allows.

  • Ring fenced pilots. Run pilots in a production like sandbox with anonymized or consented data. Promote an agent only after meeting quality and risk gates.

  • Vendor lifecycle controls. For marketplace agents, require a security questionnaire, review of their validation badge, evidence of pen tests, and a data processing addendum. Recheck on every major version.

  • Budget guardrails. Cap spend per agent per day. If an agent hits the budget ceiling, pause and notify.

  • Kill switch and blast radius. Every agent must have a runtime kill switch that stops new actions while allowing in flight tasks to finish or roll back. Design for narrow blast radius by scoping actions and requiring approvals for bulk operations.

These controls mirror what the most mature agent runtimes already recommend and implement. If you are building your own observability and controls, study how operations focused stacks handle rollback and isolation, as we explored in enterprise runtime patterns.
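
Several of the guardrails above can be enforced by one decision function that runs before an agent acts: least privilege, the budget ceiling, the kill switch, segregation of duties, and approval thresholds. This is an added example, not Oracle's or Fusion's code; the policy fields, action names, and principals are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AgentPolicy:
    allowed_actions: frozenset   # least privilege: the only action types permitted
    always_review: frozenset     # actions that need a human regardless of amount
    auto_limit: float            # dollar threshold for unattended execution
    daily_budget: float          # cap on runtime spend per day

@dataclass(frozen=True)
class ActionRequest:
    agent: str
    action: str
    amount: float
    created_by: str              # principal (human or agent) that drafted the action
    approvers: tuple = ()        # principals that have signed off so far
    run_cost: float = 0.0        # inference and platform cost of this run

@dataclass
class GuardrailGate:
    policies: dict
    paused: set = field(default_factory=set)
    spent_today: dict = field(default_factory=dict)

    def kill(self, agent):
        """Kill switch: refuse new actions; in-flight work is handled elsewhere."""
        self.paused.add(agent)

    def evaluate(self, req):
        """Return (decision, reason); the caller logs both and acts on the decision."""
        policy = self.policies.get(req.agent)
        if policy is None:
            return "deny", "no policy registered for agent"
        if req.agent in self.paused:
            return "paused", "agent is paused"
        if req.action not in policy.allowed_actions:
            return "deny", "action outside the agent's scope"
        spent = self.spent_today.get(req.agent, 0.0)
        if spent + req.run_cost > policy.daily_budget:
            self.paused.add(req.agent)          # budget ceiling: pause and notify
            return "paused", "daily budget ceiling reached"
        if req.created_by in req.approvers:     # segregation of duties
            return "escalate", "creator cannot approve their own action"
        needed = 1 if req.action in policy.always_review else 0
        if req.amount > policy.auto_limit:
            needed = 2                          # dual approval above the threshold
        if len(set(req.approvers)) < needed:
            return "needs_approval", f"{needed} independent approver(s) required"
        self.spent_today[req.agent] = spent + req.run_cost
        return "allow", "within policy"

# Constructed sample policy; agent, action and user names are hypothetical.
POLICIES = {"ap-agent": AgentPolicy(
    allowed_actions=frozenset({"post_journal", "change_supplier_bank"}),
    always_review=frozenset({"change_supplier_bank"}),
    auto_limit=5000.0, daily_budget=1.00)}

def demo():
    gate = GuardrailGate(dict(POLICIES))
    cases = [  # (action, amount, created_by, approvers, run_cost)
        ("post_journal", 1200.0, "ap-agent", (), 0.15),
        ("post_journal", 25000.0, "ap-agent", ("alice",), 0.15),
        ("post_journal", 25000.0, "ap-agent", ("alice", "bob"), 0.15),
        ("post_journal", 25000.0, "alice", ("alice", "bob"), 0.15),
        ("issue_refund", 50.0, "ap-agent", (), 0.15),
        ("change_supplier_bank", 0.0, "ap-agent", (), 0.15),
        ("post_journal", 10.0, "ap-agent", (), 5.00),
    ]
    return [gate.evaluate(ActionRequest("ap-agent", *c))[0] for c in cases]
```

Unknown agents and out-of-scope actions are denied by default, and a repeated approver name counts once toward dual approval.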

What to watch next

  • Pricing models. Some vendors will charge per user, others per run, and others by outcome. Expect experiments like charging a percentage of collected early payment discounts or a fee per prevented stockout. Run total cost of ownership comparisons that include model calls and human review time.

  • Interoperability standards. Pressure will build for suites to expose agent tools through open protocols. If Oracle opens tool interfaces that align with model context standards, cross suite automation will get easier and safer.

  • Partner quality tiers. Marketplaces will likely surface badges for security posture, performance over time, and customer satisfaction. Pick partners that publish real metrics, not just references.

  • Regulator posture. Financial services, healthcare, and public sector buyers should expect emerging guidance on automated decisioning, retention of prompts as business records, and auditing of agent actions. Prepare by keeping your logs and approvals in order now.

The bottom line

Oracle has put agents where they belong: inside the system that holds the books, the people data, and the supply chain truth. That choice moves the conversation from novelty chat to measurable productivity because security, governance, and data access ride along. The new Agent Marketplace provides a channel for partners to deliver repeatable, supported agents that can be installed in hours, not quarters. The next unlock will come from open interoperability and clean agent to agent patterns, which will let specialized agents coordinate without dumping work on humans. If you lead finance, human resources, or supply chain, set up small pilots tied to one painful workflow, implement the guardrails above, track DAU and ROI per run, and expand only when the metrics and the auditors smile. That is how ERP native agents move from conference keynote to operating habit.

To go deeper on A2A patterns, see how other platforms enable multi agent orchestration in agent to agent orchestration, and for packaging and lifecycle, study turning agents into a production pipeline. Those lessons travel well to Oracle’s new world.


Appendix: quick checklist for your first 90 days

  • Pick one workflow with measurable pain and clean data.
  • Define clear guardrails: roles, dollar limits, SoD rules.
  • Instrument the runtime from day one. Log tools, prompts, decisions, and approvals.
  • Pilot in shadow mode for two weeks. Compare agent proposals to human outcomes.
  • Promote to limited autonomy with thresholds and dual approvals.
  • Review weekly: first action success rate, exception categories, cycle time, ROI per run.
  • Publish risk metrics alongside productivity metrics to keep governance aligned.

Used well, the marketplace model and system of record placement can get you real results in weeks, not quarters, without trading away control. The agencies of change are not the models alone. They are well governed agents that live where work already happens.
