Skip to content
All articles
Law & regulation 7 min read· by Lars Zimmermann

The Accounting Bot Nobody Checks Anymore

An AI agent pulls invoices from every employee mailbox with no oversight. Why that is not progress but an incident waiting to happen. The auditor's view.

In short

An AI agent that accesses every employee mailbox without a legal basis and processes documents fully automatically, with nobody checking the output, is not progress. It is an unsupervised process and a data protection incident waiting to happen. Two failures meet here: no access basis and no human final check.

Auf Deutsch lesen: deutsche Fassung

On an AI podcast recently I heard a vendor talk about how proud he was of his accounting bot. The agent pulls invoices from the email mailboxes of every employee, files them, and forwards them to the tax advisor. The sentence that stuck with me: 'Nobody on our side even looks at it anymore, it just does its thing.' This was sold as progress. What I see are two barn doors left wide open. And as an auditor I will tell you exactly which ones.

What is really happening here (and why it is not progress)

Let us be blunt. An agent that reaches into mailboxes on its own and passes documents through, with no one assigned to review it, is not automation in the good sense. It is an unsupervised process. The difference is enormous. Automation means a person designed the workflow, controls it, and can stop it. An unsupervised process means it runs, and nobody notices when it goes wrong.

The problem here sits on two separate levels, and each one on its own would already be a finding. First, the data access to every employee mailbox. Second, the fully automated processing of tax-relevant documents with no human final check. Together they paint a picture where, as an auditor, my checklist runs short and my list of open items runs long. This is my assessment, not legal advice. But the assessment is unambiguous.

Level 1: An agent inside every mailbox is a data protection incident waiting to happen

Whoever gives an AI agent full access to every employee mailbox has not checked a legal basis, they have taken a door off its hinges. Those mailboxes hold more than accounting. They hold communication with the works council, with lawyers, with job applicants, with colleagues about colleagues. Personal data everywhere. And every processing of personal data requires a legal basis under Art. 6 GDPR. Not 'nice to have', but mandatory. No lawful ground, no processing.

On top of that comes purpose limitation. Pulling invoices is one purpose. Ploughing through an entire mailbox is another. An agent that reads everything to find the little it needs processes far more than the purpose allows. And with employee data protection it gets tighter still, because here an imbalance of power between employer and employee enters the picture that the law protects with particular care.

And now the point most often overlooked. If the private use of the company email account is permitted, or even merely tolerated, then such agent access as a matter of principle touches the confidentiality of communications. That is a different calibre from a pure data protection question. I deliberately say 'as a matter of principle', because the legal position is contested in detail and depends on the individual case. But simply automating the risk away because the bot is so convenient is precisely the mindset that produces the incident.

An agent that reads everything to find the little it needs is not a clever helper. It is access without a basis that only holds up until someone asks: who actually approved this?

Level 2: 'Nobody checks it anymore' collides with proper record-keeping duties

Now to the second level, the documents themselves. Tax-relevant records are subject to statutory principles for the proper keeping and retention of books and records in electronic form. In many jurisdictions these principles carry different names, but the core is the same. In Germany the framework is called the GoBD, and one of its core principles is traceability and verifiability. The processing chain from the incoming document to the booking entry must be traceable without gaps. A knowledgeable third party, such as a tax auditor, must be able to gain an overview within a reasonable time.

Now place the sentence 'nobody on our side even looks at it anymore' next to that. If no one checks any longer which invoice the agent found, which it missed, and which it misfiled, then exactly the final check that closes the chain is missing. Who guarantees that no invoice slips through? That none runs twice? That no phishing invoice that landed as a PDF in a mailbox is dutifully forwarded to the tax advisor? Not the bot. It does what it was told.

  • No completeness check: nobody verifies that all relevant documents were captured and that nothing inadmissible was passed on.
  • No approval instance: there is no defined person who owns the output before it leaves the organisation.
  • No process documentation: how the agent decides what counts as a document is a black box instead of a documented procedure.
  • No four-eyes principle: for a process that feeds directly into the tax return, the second control instance is missing entirely.

Effective human oversight is not a brake, it is the standard

Here comes the point where governance and plain common sense say the same thing. ISO/IEC 42001, the standard for AI management systems, requires you to control your AI systems across their lifecycle, assess risks, and assign responsibilities. And the EU AI Act frames the principle of effective human oversight for high-risk systems in Art. 14: a system must be built so that people can genuinely monitor it during operation and intervene.

An important point of context: an accounting bot is not automatically a high-risk system under the AI Act. I cite Art. 14 here as a principle, not as a directly binding obligation for every invoice agent. But the principle behind it is universal and makes sense from basic duty of care alone. Whoever declares 'nobody checks it anymore' to be a feature has abolished exactly the principle that every serious AI governance framework puts at its centre.

Human final control does not mean someone retypes every invoice by hand. That would be absurd. It means there is a defined person, with the competence and the authority, who owns the process, spots anomalies, and can stop the bot. I run an AI-supported ERP with seventeen agents myself and have pushed processes from twelve minutes down to twenty-six seconds. It can be done. But every one of those agents has defined limits, logged steps, and a human who carries the responsibility. That is precisely the difference between 'fast' and 'unsupervised'.

The auditor's view: what I would note here as a finding

If I encountered this accounting bot in an audit, it would not be a footnote in the report. It would be several solid findings, and some of them in the category where you do not wait until next year.

  • Access without a documented legal basis: processing of personal data from every mailbox with no verified lawful ground and no purpose limitation.
  • Breached principle on employee data and confidentiality of communications: no concept for permitted or tolerated private use, no exclusion of private communication.
  • Abolished human oversight: no responsible owner, no ability to intervene, no approval before dispatch to third parties.
  • Record-keeping gap: no demonstrable traceability of the processing chain, no process documentation, no completeness assurance.
  • Missing risk assessment: the process was introduced without systematically identifying and treating the risks beforehand.

The bitter part: none of these problems is expensive or complicated to solve. A clean legal basis, scoped access instead of full access, a defined approval step, a short process documentation. That is a week of work, not a fundamental decision against AI. The mistake is not the bot. The mistake is the pride in the abolished control.

Automate what you can automate. I am the last person to advise against it. But do not abolish the human final check and call it progress. A process that no one controls anymore does not run itself. It is an incident that simply has not happened yet.

Share: LinkedIn E-Mail

Frequently asked questions

Is an AI agent allowed to access the email mailboxes of all employees?+

Only with a documented legal basis and tight purpose limitation under Art. 6 GDPR, plus employee data protection. If private use is permitted or tolerated, the access as a matter of principle also touches the confidentiality of communications. Full access without checking is an incident waiting to happen. This is my assessment, not legal advice.

Is fully automated invoice processing without a final check compliant with record-keeping rules?+

Critical. Statutory record-keeping principles require traceability and verifiability across the entire processing chain. If human control disappears, completeness assurance, approval, and process documentation are all missing. A knowledgeable third party must be able to follow the workflow, and that is impossible with an unsupervised black box.

What does effective human oversight mean in concrete terms for AI processes?+

You need a defined person with the competence and authority to own the process, recognise anomalies, approve results, and stop the agent. The principle sits in ISO/IEC 42001 and in Art. 14 of the EU AI Act. It does not mean doing everything by hand, it means never abolishing the final check.

Is such an accounting bot automatically a high-risk system under the EU AI Act?+

No, not automatically. I cite Art. 14 on human oversight here as a principle, not as a binding obligation for every invoice agent. But the principle of controllable, monitorable AI makes sense from general duty of care and good governance alone, regardless of the risk classification.

How do you fix these problems without giving up automation?+

You do not have to abolish AI. What you need is a clean legal basis, scoped access instead of full access, a defined approval step before dispatch to third parties, and a short process documentation. That is manageable effort and turns an unsupervised process back into controlled automation.

Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & Senior Lead Implementer · ISO/IEC 27001 Lead Auditor & Lead Implementer (PECB)

Last updated: 16 July 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.

Sources & further reading

Questions about your own case?

In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act, honestly and without a sales pitch.

Continue reading