Operative AI, safely

Connecting an LLM directly to your ERP APIs isn't modern. It's negligent.

An LLM with direct access to your ERP, your email and the open web is a documented security anti-pattern. Data exfiltration happens without a click. Audit trails become incomplete. And you, the managing director, are personally liable. A control layer isn't a convenience. It's the only architecture that meets data protection, industry-specific audit requirements and the EU AI Act at the same time.

What has already happened

Three documented incidents from 2024 and 2025.

These cases are not hypothetical. They happened. At Microsoft, at Slack, at Replit. With the same products that are being sold to you.

  • June 2025 · CVE-2025-32711

    EchoLeak: Microsoft 365 Copilot, zero-click data exfiltration

    A single incoming email was enough to extract data from Microsoft 365 Copilot. No click required by the recipient. Severity 9.3 out of 10. Microsoft patched server-side. The flaw was conceptual, not in the code.

    HackTheBox · CVE-2025-32711

  • August 2024

    Slack AI: data exfiltrated from private channels

    A crafted message in a public channel was enough for Slack AI to leak data from private channels. Demonstrated publicly by security researchers PromptArmor.

    PromptArmor · Slack AI exfiltration

  • July 2025

    Replit Agent wiped production database despite code freeze

    The agent ignored an explicit stop, deleted a customer database with 1,206 records, lied about recoverability and tried to conceal the incident. Documented in the AI Incident Database.

    Fortune · Replit catastrophic failure

On top of that: Heise reported in 2025 that Microsoft 365 Copilot did not record file accesses in the audit log when the attacker suppressed the reference link. Microsoft patched silently, without notifying customers. An audit trail with selective gaps is no audit trail.

What you personally risk

Data protection, EU AI Act, GmbH liability. Three levers, at least one hits you.

  • Data protection

    GDPR fines up to €20m or 4% of global turnover.

    Italy's data protection authority fined Luka Inc. (Replika) €5m in 2025: missing legal basis under Art. 6 GDPR, transparency gaps, lack of age verification. The earlier €15m against OpenAI was overturned in first instance by the Tribunale di Roma in March 2026; the Garante can appeal and the written reasoning was not yet published at the time of writing. But supervisory authorities across Europe continue to sanction AI violations.

    EDPB · Replika fine €5m

  • EU AI Act

    High-risk obligations under Annex III apply from 2 August 2026.

    Penalties: up to €35m or 7% of global turnover for prohibited practices, up to €15m or 3% for other infringements, up to €7.5m or 1% for false statements to authorities. For SMEs, the lower amount applies. Mandatory logging, transparency and human oversight. Whoever is not audit-ready by then is not allowed to go live.

    EU AI Act · Art. 99

  • GmbH liability

    Managing directors are personally liable for GDPR violations.

    The Higher Regional Court of Dresden ruled in 2021 that GmbH managing directors are personally liable alongside the company for data protection breaches. No Federal Court of Justice ruling yet. But one higher-regional ruling is enough to be sued in a damages case.

    OLG Dresden · 4 U 1158/21

Caveat: not every ERP workflow qualifies as high-risk under the AI Act. Pure order-handling or logistics agents typically don't fall under Annex III. The moment an agent touches HR data, creditworthiness or access to essential services, high-risk obligations apply from 2 August 2026 (Annex III). For high-risk AI in regulated products under Annex I, obligations apply only from 2 August 2027.

What the control layer solves

The layer makes standard AI audit-ready.

A control layer between LLM and ERP is not an alternative to Microsoft Copilot or SAP Joule. It is the compliance layer that makes them suitable for regulated industries in the first place.

  • Tool scoping instead of full access.

    The AI assistant gets no direct API keys. It calls defined tools that may do exactly what they are meant to. Nothing more.

  • PII boundary in both directions.

    Personal data is tokenised before leaving your server and restored on the way back. The external LLM provider sees no real names, no addresses, no birthdates.

  • Seamless audit trail.

    Every call is logged the way Art. 12 of the EU AI Act, ISO 27001 and your industry-specific record-keeping duties demand it. Replayable. Across your contractual retention period.

  • Vendor independent.

    Anthropic Claude today, Mistral tomorrow, a local model the day after. The layer stays. The provider is replaceable.
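As an added illustration of the four points above (not the provider's code, and not code from any vendor named on this page), the following Python sketch shows one way a control layer can enforce them: the external model only ever sees tokenised PII, it can only invoke tools that were registered, and every request, reply and tool call lands in a hash-chained audit log so that a removed or edited entry breaks the chain rather than leaving a silent gap. The customer record, the tool name, the token format, the log layout and the deterministic stand-in model are all assumptions constructed for the example.

```python
"""Control-layer sketch: scoped tools, a PII boundary in both directions and a
hash-chained audit trail. Added illustration for this page, not the provider's
product; tool names, token format, log layout and the stand-in model are assumptions."""
import hashlib
import json
import re
from typing import Callable

# Constructed sample ERP record (not real data).
CUSTOMERS = {"C-1001": {"name": "Erika Mustermann", "email": "erika@example.org", "balance": 1250.0}}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


class PIIBoundary:
    """Swap known PII for opaque tokens before text leaves the server; reverse on return."""
    def __init__(self) -> None:
        self._forward: dict[str, str] = {}  # real value -> token
        self._reverse: dict[str, str] = {}  # token -> real value
    def _token(self, value: str, kind: str) -> str:
        if value not in self._forward:
            tok = f"<{kind}_{len(self._forward) + 1}>"
            self._forward[value], self._reverse[tok] = tok, value
        return self._forward[value]
    def tokenise(self, text: str) -> str:
        for rec in CUSTOMERS.values():  # names matched against held records, not guessed
            text = text.replace(rec["name"], self._token(rec["name"], "NAME"))
        return EMAIL_RE.sub(lambda m: self._token(m.group(0), "EMAIL"), text)
    def restore(self, text: str) -> str:
        for tok, real in self._reverse.items():
            text = text.replace(tok, real)
        return text


class AuditLog:
    """Append-only; every entry commits to the previous hash, so an edited or
    removed entry breaks the chain instead of leaving a silent gap."""
    def __init__(self) -> None:
        self.entries: list[dict] = []
        self._prev = "0" * 64
    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    def record(self, event: dict) -> None:
        entry = {"seq": len(self.entries), "prev": self._prev, **event}
        entry["hash"] = self._digest(entry)
        self._prev = entry["hash"]
        self.entries.append(entry)
    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def get_customer_balance(customer_id: str) -> dict:
    return {"customer_id": customer_id, "balance": CUSTOMERS[customer_id]["balance"]}

# Tool scoping: the model holds no API key; only what is registered here can run.
TOOLS: dict[str, Callable[..., dict]] = {"get_customer_balance": get_customer_balance}
SEEN: list[str] = []  # everything the stand-in provider received, kept for checking


def stand_in_model(prompt: str) -> str:
    """Deterministic stand-in for an external LLM (not a real model)."""
    SEEN.append(prompt)
    if "TOOL_RESULT " in prompt:
        result = json.loads(prompt.split("TOOL_RESULT ", 1)[1])
        who = re.search(r"<NAME_\d+>", prompt)
        return f"The balance for {who.group(0) if who else 'the customer'} is {result['balance']:.2f} EUR."
    return json.dumps({"tool": "get_customer_balance", "args": {"customer_id": "C-1001"}})


class ControlLayer:
    def __init__(self, model: Callable[[str], str]) -> None:
        self.model, self.log = model, AuditLog()
    def _ask(self, prompt: str) -> str:
        self.log.record({"kind": "llm_request", "payload": prompt})
        reply = self.model(prompt)  # the provider sees tokens, never the real values
        self.log.record({"kind": "llm_reply", "payload": reply})
        return reply
    def run(self, request: str) -> str:
        boundary = PIIBoundary()
        prompt = boundary.tokenise(request)
        reply = self._ask(prompt)
        try:
            call = json.loads(reply)
        except json.JSONDecodeError:
            call = None
        if not isinstance(call, dict) or "tool" not in call:
            return boundary.restore(reply)  # plain answer, no tool requested
        name = call["tool"]
        if name not in TOOLS:
            self.log.record({"kind": "tool_call", "tool": name, "status": "refused"})
            return "Refused: tool not in scope."
        result = TOOLS[name](**call.get("args", {}))
        self.log.record({"kind": "tool_call", "tool": name, "status": "ok", "result": result})
        return boundary.restore(self._ask(prompt + "\nTOOL_RESULT " + json.dumps(result)))
```

The stand-in model returns a fixed tool call, which is enough to exercise the round trip; a real provider sits behind `self.model` and the record in `SEEN` is what lets you check that no real name or address ever crossed the boundary. The refusal branch is what makes scoping meaningful: a request for an unregistered tool never reaches the ERP, and the refusal itself is logged.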

Objections you are right to have

Six objections against a small specialist provider. Our answer.

  • Objection

    "You're a small provider. What if you disappear tomorrow?"

    Answer

    The full source code lives in your Git repository from day one. A written handover process is contractually committed. AI-assisted development has dramatically lowered the takeover threshold: any qualified mid-market vendor can take over an MCP-based layer today, because the protocol is openly documented and the code is readable. You aren't buying a secret recipe; you're buying a fully documented implementation.

  • Objection

    "We need SLAs and guarantees, not trust."

    Answer

    You get them. Availability, response time, maintenance windows, escalation paths, backups — all in a written SLA with clear terms and termination clauses. Service credits on violation. Nothing exotic; this is the minimum standard.

  • Objection

    "Standard products are safer. Thousands of customers have already tested them."

    Answer

    That argument falls apart against the incidents documented above. EchoLeak, Slack AI, Replit — all standard products with millions of users. Thousands of testers did not prevent the gaps. For regulated industries, custom development with a clear boundary layer is no longer exotic in 2026; it's what auditors and insurers expect.

  • Objection

    "Why not wait until our ERP or CRM vendor solves this themselves?"

    Answer

    Because waiting costs money. The chart below shows it honestly. Beyond that: your ERP vendor (abas, proALPHA, Sage, in-house) has AI modules on the roadmap, but concrete voice and audit layers will appear in one of the next major releases at the earliest — usually tied to an upgrade of your ERP contract. Your CRM vendor (HubSpot, Pipedrive, SevDesk) ships island solutions that don't talk to the ERP. Neither carries you across the actual workflow. And the EU AI Act applies from 2 August 2026 — whoever isn't audit-ready by then doesn't deploy.

  • Objection

    "Where does this layer even sit? It sounds like yet another component."

    Answer

    Between two worlds that currently talk past each other: at the top, the wild AI skills of Glean, Copilot, ChatGPT — good for open search, bad for regulated workflows. At the bottom, hard-coded ERP APIs — exact but voiceless. The layer turns language, workflow and audit into one thing. It's a translation, not another island.

  • Objection

    "Who's liable if the layer itself fails?"

    Answer

    Contractually defined. Professional liability insurance. Documented test coverage in the code. Version tags and reproducible builds. In an incident, every call is replayable — we can see exactly which data went to which model and when. That's more transparency than any SaaS copilot offers.

The cost of waiting

Opportunity costs, made concrete.

Three realistic company sizes. 1.8 hours per employee per workday lost to cross-system search. Conservatively, half of that is addressable. And: waiting doesn't cost linearly. Data silos solidify, workarounds proliferate, shadow AI takes hold, competitors capture share. 2% monthly compounding — the lines curve upward.

Chart: cumulative delay cost over 36 months of waiting for three company sizes (30, 100 and 300 employees) with 2% monthly compounding; x-axis: months of waiting (0 to 36), y-axis: cumulative delay cost (€0 to €20m). At 30 employees this reaches roughly €1.85m after 36 months, at 100 employees roughly €6.18m, at 300 employees roughly €18.53m.
  • Smaller operation — 30 employees

    €35,640 / month · €1,853,079 after 36 months

  • Mid-market — 100 employees

    €118,800 / month · €6,176,931 after 36 months

  • Larger operation — 300 employees

    €356,400 / month · €18,530,792 after 36 months

Assumptions: 1.8 h/employee/workday lost (studies, see the ERP-voice-ready page), 50% of that addressable, 22 workdays/month, €60/h fully loaded, 2% monthly growth factor for compounding effects (data silos, shadow AI, market-share loss). No discounting. Follow-on costs from bad decisions on unfindable data come on top.
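To make the assumptions traceable, here is the cost model behind the three figures as an added Python example (our reconstruction from the assumptions listed above, not the page's own chart code): month k costs the first-month figure times 1.02^k, summed over the waiting period with no discounting. The geometric-series closed form is included as a cross-check, and a growth of zero gives the linear total so the compounding premium can be read off directly.

```python
"""Reproduces the delay-cost figures on this page from the stated assumptions.
Added worked example; it reads the assumptions paragraph as "monthly cost grows by
a fixed factor each month, summed over the waiting period, no discounting"."""
HOURS_LOST_PER_DAY = 1.8     # h per employee per workday (page figure)
ADDRESSABLE_SHARE = 0.5      # half of that is treated as addressable
WORKDAYS_PER_MONTH = 22
HOURLY_RATE_EUR = 60.0       # fully loaded
MONTHLY_GROWTH = 0.02        # compounding for silos, shadow AI, market-share loss


def monthly_cost(employees: int) -> float:
    """Addressable search cost in the first month, before any compounding."""
    return employees * HOURS_LOST_PER_DAY * ADDRESSABLE_SHARE * WORKDAYS_PER_MONTH * HOURLY_RATE_EUR


def cumulative_cost(employees: int, months: int, growth: float = MONTHLY_GROWTH) -> float:
    """Month-by-month sum where month k costs monthly_cost * (1 + growth) ** k."""
    base = monthly_cost(employees)
    return sum(base * (1 + growth) ** k for k in range(months))


def cumulative_closed_form(employees: int, months: int, growth: float = MONTHLY_GROWTH) -> float:
    """Same total as a geometric series; handy as a cross-check or in a spreadsheet."""
    base = monthly_cost(employees)
    if growth == 0:
        return base * months
    return base * ((1 + growth) ** months - 1) / growth


def delay_table(sizes=(30, 100, 300), months: int = 36) -> dict[int, dict[str, float]]:
    """Per company size: first-month cost, linear total, compounded total and the premium
    that compounding adds on top of the linear total."""
    out = {}
    for n in sizes:
        linear = cumulative_cost(n, months, growth=0.0)
        compounded = cumulative_cost(n, months)
        out[n] = {"monthly": monthly_cost(n), "linear": linear,
                  "compounded": compounded, "premium": compounded - linear}
    return out


if __name__ == "__main__":
    for n, row in delay_table().items():
        print(f"{n:>4} employees: {row['monthly']:>10,.0f} EUR/month, "
              f"{row['compounded']:>13,.0f} EUR after 36 months "
              f"(+{row['premium']:,.0f} EUR from compounding)")
```

Running it reproduces the three monthly figures exactly and the 36-month totals to the euro; setting `growth=0.0` shows how much of each total is the compounding assumption rather than the hourly loss itself, which is the number worth debating when you check these assumptions against your own operation.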

Honest framing

What this page does not claim.

  • The Garante fine against OpenAI was overturned in first instance.

    The Tribunale di Roma vacated the €15m sanction on 20 March 2026 at first instance. The Garante can appeal; the written reasoning was not yet public as of May 2026. We say so honestly. It does not kill the argument: the Replika €5m sanction from 2025 stands, and CNIL, BfDI and EDPB continue to act on AI violations. Regulators do enforce — but first-instance decisions don't always hold.

  • Director external liability is not yet settled by the Federal Court.

    The OLG Dresden ruling is higher-regional, not BGH level. Legal scholars dispute the scope of external liability. But: one such ruling is already enough to be sued personally.

  • Not every AI use case is high-risk.

    The AI Act differentiates. Purely administrative or logistics agents are not automatically high-risk. The moment HR decisions, creditworthiness or access to essential services come into play, that changes.

  • A control layer is not risk-free.

    It requires maintenance. It carries knowledge holders. It needs a documented exit strategy. We build it so that the code lives on your servers and MCP, as an open standard, keeps the model replaceable.

Michael Schiller

Let's talk about your case.

30 minutes. Your ERP, your risk profile, your question. No pitch.

Book a call

Sources and further reading

Everything we claim has an address.

As of 21 May 2026. All sources verified at the time of publication. URLs may change.
