Board Briefing · Q2 2026

Cloud ERP and AI-in-COTS: where the parallels hold, where they break, and what boards should do about it.

Ten structural parallels between the 2015–2024 cloud ERP wave and the 2023–2026 introduction of AI into packaged software. Each with implication, risk and a 30-day board action.

Álvaro de Nicolás Senior Partner, Revamp Advisors CEO, DNA Ventures May 2026
Executive synthesis

The cloud ERP wave (2015–2024) and the AI-in-COTS wave (2023–2026) share three deep structural parallels: both deliver transformation only when the operating model is redesigned around the technology; both contain a Year-3 cost trap that diverges sharply from the original business case; and both create vendor dependency that compounds and becomes progressively harder to escape.

The three places the analogy breaks down matter more. Failure mode is different: cloud ERP fails slowly through process rigidity; AI-in-COTS fails fast through hallucination and governance gaps that can produce audit-material errors in days. Lock-in is categorically new: workflow muscle memory is replaced by cognitive lock-in — the vendor's semantic index becomes your institutional memory, and that memory cannot be exported. Competitive threat is asymmetric: no one built a credible ERP from scratch during the cloud wave; the post-LLM disruptor building custom workflows on foundation-model APIs is a live threat today.

The single strongest implication for boards: do not sign multi-year AI-embedded-ERP commitments until you have ring-fenced your organisational data graph in infrastructure you control. Cognitive lock-in is the sharpest strategic risk in enterprise technology today — and it is not yet priced into renewal decisions.

01
The productivity promise vs. the operating-model prerequisite
Strong
Implication

Both waves deliver the technology faster than the organisation can absorb it. Operating-model redesign is the binding constraint.

Risk

74% of companies cannot show measurable AI ROI; fewer than 10% have fully scaled AI in any single business function.

Board action — 30 days

Readiness audit across the top three AI-embedded apps. Score data quality, process governance and training. Gate licence expansion on readiness, not vendor timelines.

Expanded analysis
Cloud ERP required months of process redesign before go-live. AI-in-COTS can be switched on with a licence toggle, which means the gap between deployment and readiness is wider — users start generating AI-assisted outputs before governance, training or quality controls exist. Evidence: Forrester TEI 2025 (108 hours/year gain projected, 116% ROI); Stanford AI Index 2026 (88% adoption, <10% full-scale); Gartner Aug 2025 (40% of agentic AI projects cancelled by end-2027); Panorama 2024 (75% need reskilling, 35% receive training).
02
The Year-3 cost trap
Strong
Implication

Structurally identical economics: low initial deployment cost, aggressive Year-3 escalation, switching cost that makes renegotiation one-sided.

Risk

78% of IT leaders report unexpected AI charges; 85% misestimate AI costs by >10%. Cloud ERP escalation is predictable; AI escalation is stochastic and decentralised.

Board action — 30 days

Model Year-3 and Year-5 TCO across embedded AI. Negotiate three clauses into every contract: consumption ceiling with overage cap, CPI-linked escalation limit (2%), and model-substitution rights.

Expanded analysis
SAP RISE FUE licensing masks consumption inflation; mandatory BTP extension costs €1.2–1.8M for mid-sized estates. When three negotiation clauses are absent (CPI cap, BTP credits, FUE ceiling), the Year-3 trap erases 30–60% of projected RISE savings. AI consumption scales with adoption, and adoption is not centrally controlled — a single department finding a use case can spike the bill.
03
Vendor lock-in: from workflow to cognitive
Partial
Implication

Fourth-generation lock-in: the vendor's semantic index, agent configurations and accumulated context become the institutional memory of the finance function.

Risk

Cognitive lock-in is invisible and non-negotiable. Switching cost is no longer data migration — it is intelligence loss, which is non-exportable.

Board action — 30 days

Mandate a multi-model policy: no single LLM provider may exceed 60% of enterprise AI workloads. Ring-fence the data graph in a layer you control (Databricks, Snowflake, self-hosted vector store).

Expanded analysis
Joule, Workday AI, Oracle Fusion agents and Salesforce Agentforce are all designed to accumulate context inside the vendor stack. Every interaction widens the gap between the incumbent's understanding of your function and any alternative provider's. Workflow lock-in was escapable with effort; cognitive lock-in compounds autonomously — the AI learns more about your organisation every day without anyone deciding to deepen the dependency. Reference: Gartner Q4 2024 — only 39% of ECC customers migrated to S/4HANA despite a 2027 deadline.
04
The standardisation–differentiation tension
Strong
Implication

Standardise where you are average, differentiate where you compete. The trade-off is identical — but ERP customisation is deterministic, AI customisation is probabilistic.

Risk

"Clean core" restrictions under RISE limit the workaround. AI confidence intervals around customised behaviour are wider — and harder to test.

Board action — 30 days

Map all AI-embedded workflows by criticality. For high-stakes processes (financial close, audit, regulatory reporting), mandate human-in-the-loop and deterministic rules engines alongside AI assistance.

Expanded analysis
Cloud ERPs ship industry-templated processes that fit 70–80% of what a finance team does. The remaining 20–30% is where friction lives — and where the differentiating workflows had to be built around the suite. AI vendors ship models optimised for generic use cases; fine-tuning on proprietary data is possible but expensive, and running domain-specific models alongside vendor AI creates integration complexity.
05
Change-management debt is permanent, not project-bounded
Strong
Implication

Both waves create a talent asymmetry where early adopters pull away and laggards lose the ability to catch up. The skill gap is the binding constraint on value capture.

Risk

ERP change management had a defined endpoint. AI capabilities evolve continuously — model updates, new agent capabilities, shifting interfaces. Reskilling never finishes.

Board action — 30 days

Allocate ≥20% of AI programme budget to training and role redesign. Create an "AI fluency" competency framework for finance with quarterly skill assessments.

Expanded analysis
Panorama 2024: 75% of employees need reskilling; only 35% receive adequate training. In one carve-out, the post-migration finance team was smaller in the back office but stronger in pricing strategy — fundamentally different skills. AI compounds this: the FP&A analyst with strong data and AI literacy is several times more productive than peers, and the gap widens monthly.
06
Data quality is the binding constraint
Strong
Implication

Both waves are data-governance projects wearing a technology coat. Both are systematically underinvesting in the prerequisite.

Risk

ERP data quality problems are discoverable. AI data quality problems are probabilistic and may surface only as subtle output degradation that passes human review.

Board action — 30 days

Before expanding AI deployment, run a data-quality audit on every source feeding AI models. Establish a data stewardship function with explicit accountability for AI input quality.

Expanded analysis
Stanford AI Index 2026 confirms the primary barrier is not the model but the data infrastructure. AI amplifies data quality problems: a misconfigured allocation rule in ERP propagates silently for a quarter; a hallucinating model on dirty data produces plausible-sounding errors that are harder to detect. Reference precedent: harmonising three regional ERP instances with different revenue-recognition methods was a prerequisite to any reporting benefit.
07
The two-speed problem: judgement latency replaces data latency
Partial
Implication

Fast system, slow governance. The magnitude is larger with AI because the speed differential is orders of magnitude greater.

Risk

An AI agent generates a forecast in seconds; validating it against audit standards takes days. Without a golden-source policy, internal arguments about "the truth" follow.

Board action — 30 days

Define a golden-source policy for AI-assisted outputs: which require human sign-off before external reporting, which can flow through with automated validation. Publish to all budget holders.

Expanded analysis
ERP's two-speed problem was about data latency — operational accounting near-real-time while group consolidation lagged. AI's two-speed problem is about judgement latency — the system moves faster than human oversight can verify. Non-finance managers see a real-time AI number; corporate finance reports a reconciled audited number that is different. Governance has to specify which number is authoritative for which decision.
08
Sovereignty and jurisdictional risk
Strong
Implication

Both waves push enterprise data and logic into US-headquartered vendor infrastructure, creating identical jurisdictional exposure. AI expands the surface area substantially.

Risk

The EU AI Act (Aug 2025) imposes obligations on high-risk AI systems that most COTS vendors have not yet operationalised. Cross-border inference flows are largely unmapped.

Board action — 30 days

Require every AI vendor to provide a data-processing map: where inference occurs, where training data resides, which model weights are shared across tenants. Flag cross-border inference for legal review under EU AI Act.

Expanded analysis
ERP sovereignty was about data at rest. AI sovereignty includes data in motion (inference calls), data in training (model weights), and emergent behaviour (agent decisions). Data residency, sovereign cloud and US CLOUD Act exposure moved from theoretical footnotes to live board-level discussions for European businesses in 2025–2026. RISE's DRP model does not cover client custom integrations.
09
The pricing transition: from subscription to consumption
Strong
Implication

Both are vendor-initiated pricing transitions that transfer risk to customers under the guise of "flexibility". Subscription was predictable; consumption is genuinely unpredictable.

Risk

85% of organisations misestimate AI costs by >10%; nearly a quarter are off by 50%+. IDC: by 2028, 70% of software vendors will refactor pricing around consumption or outcome metrics.

Board action — 30 days

For every AI product on consumption pricing, implement a spend cap with alerts at 80% utilisation. Negotiate a contractual overage ceiling (e.g. 120% of estimate) with clawback rights if model accuracy degrades.

Expanded analysis
Salesforce Agentforce ships three models: Flex Credits at $0.10/action, per-user at $125+/month, and outcome-aligned contracts. The transition transfers compute-cost volatility from vendor to customer. Without governance, a successful AI use case is indistinguishable from a runaway bill until the invoice arrives.
10
The structural threat from post-LLM disruptors
Weak — and dangerous
Implication

The ERP precedent suggests incumbents are safe. The AI reality is that workflow and intelligence layers above the system of record are now contestable by entrants that did not exist two years ago.

Risk

Post-LLM, a well-resourced team builds a domain-specific workflow replacement in months using foundation-model APIs. The barrier to entry has collapsed for the surrounding stack.

Board action — 30 days

Audit the surrounding stack (point solutions, niche planning tools, AP automation, expense workflows). For each: is this a system of record with a defensible data moat, or a workflow tool a well-prompted agent could replace? Pilot replacements for the weakest links.

Expanded analysis
Rory O'Driscoll's three-player framework: the pre-AI incumbent (SAP, classical Oracle), the AI-native teenager (built AI in from 2018), and the post-LLM disruptor (custom workflows on foundation-model APIs). Amjad Masad argues systems of record survive; point-solution and vertical SaaS face replacement by custom apps built atop APIs. The niche-tools ecosystem is in the kill zone.

Counter-narrative: where the ERP analogy actively misleads

Three places to discard the analogy entirely.

1. Speed of harm

The ERP analogy implies that problems surface slowly and can be fixed during stabilisation. A misconfigured ERP allocation rule propagates silently across a group for a quarter. An AI hallucination in a financial close package can produce a plausible-sounding but fictitious number that passes human review because it "looks right". The 2024 finding that LLMs hallucinate in up to 41% of finance-related queries is not a rounding error — it is a structural risk with no ERP precedent. The correct mental model is operational risk with non-deterministic systems, closer to model risk management in banking than to IT project management.

2. The compounding nature of cognitive lock-in

The ERP analogy implies that lock-in stabilises once migration is complete. Cognitive lock-in does not stabilise — it compounds. Every meeting summarised by the vendor's AI, every document indexed, every agent action executed widens the incumbent's knowledge advantage. The switching cost grows daily without any deliberate decision to deepen the dependency. The correct mental model is not "contract lock-in" but knowledge compound interest: the longer you wait, the more expensive it becomes to leave, and the rate accelerates rather than decelerates.

3. The barrier-to-entry collapse

The ERP analogy implies incumbent vendors have structural moats. For systems of record, they do. For workflow and intelligence layers, the moat has been breached. The post-LLM disruptor can build a domain-specific workflow in months, not years, using foundation-model APIs. ERP vendors betting on AI agents working flawlessly inside their suite by mid-2026 are betting against the consensus of the people building the stack. The correct mental model is platform-versus-API competition. History — from IBM mainframes to Salesforce's rise to the current LLM wave — does not favour the bundled incumbent once the API layer matures.

What to do in the next 30 days

Ten board-level decisions, one per parallel. No ambiguity.

#ActionOwnerWindow
01Readiness audit on top three AI-embedded applications. Gate licence expansion on score.CIO / COOWk 1–2
02Year-3 / Year-5 AI TCO model. Lock consumption cap, CPI ceiling, model-substitution rights into every contract.CFO / ProcurementWk 2–4
03Multi-model policy (60% cap). Ring-fence the organisational data graph in a layer you control.CIO / CDOWk 1–4
04Map AI workflows by criticality. Mandatory HITL + deterministic rules on close, audit, regulatory reporting.CFO / RiskWk 2–3
05Allocate ≥20% of AI budget to training and role redesign. Publish AI fluency framework for finance.CHRO / CFOWk 1–4
06Data-quality audit on every source feeding AI models. Stand up a data stewardship function.CDOWk 2–4
07Publish a golden-source policy for AI-assisted outputs. Define HITL gates for external reporting.CFO / AuditWk 2
08Request data-processing maps from every AI vendor. Legal review of all cross-border inference flows.GC / DPOWk 1–3
09Spend caps with 80% alerts on all consumption-priced AI. Negotiate 120% overage ceiling + accuracy clawback.CFO / ProcurementImmediate
10Audit the surrounding stack vs. post-LLM disruptors. Pilot replacements where no data moat exists.CIO / StrategyWk 3–4
Why act now

The cost of waiting is asymmetric. Subscription savings missed on RISE renegotiation are recoverable in the next cycle. Cognitive lock-in is not — every quarter without a ring-fenced data graph deepens the dependency at a compounding rate. The boards that move in 2026 set the terms; the boards that wait until 2027 renew under the terms others set for them.

Primary sources

Appendix: supporting sources
ÁLVARO DE NICOLÁS
Board-Level Advisory · AI Governance & Enterprise Value Creation
Álvaro de Nicolás — Senior Partner, Revamp Advisors · CEO, DNA Ventures
alvaro@dnaventures.ai · alvarodenicolas.com
19,0 jump · A expand all · P print
← Back to interactive resources