The Agent-Run Accounts Payable Playbook: Real Prompts, Real Controls, Real Numbers

Accounts payable is the workflow most finance teams want to hand off first. The CFOs I have talked to in the last twelve months has asked some version of the same question: can the agent just do AP for me?

The answer is yes, and it has been yes for over a year. The reason most teams have not done it is that the playbook has not been written down in one place with the actual prompts. The vendor demos do not show you the controls. The blog posts cover the abstract pattern but skip the prompts. The horror stories travel faster than the success stories.

This is the playbook. Real prompts. Real failure modes. The exact controls to set so the agent cannot drain the account.

What "Agent-run AP" Actually Is

The work an AP team does, in order, is roughly this:

1. Receive an invoice from a vendor (email, Slack, portal, paper)
2. Extract the amount, date, line items, and counterparty
3. Match the invoice to a vendor record and confirm the bank details have not changed
4. Route the invoice for approval (CEO, controller, project lead, depending on rules)
5. Schedule the payment on the right rail (ACH, wire, virtual card, USDC)
6. Issue the payment when approved
7. Reconcile the payment back to the GL when it clears
8. Flag anomalies (wrong amount, new payee, suspicious bank-detail change, duplicate)

Agent-run AP means the agent does steps 1 through 7 autonomously, with human approval inserted at the points the rules require. Step 8 runs continuously. This is not a chatbot that helps a human do AP. It is a function the human supervises, the same way a CFO supervises a junior controller.

The Architecture: What the Agent Connects To

Before the playbook works, the agent has to be wired to the right systems. At minimum:

• The bank: Meow's MCP endpoint gives the agent the ability to read transactions, issue payments, and create cards
• The inbox: Gmail, Outlook, or a shared AP inbox the agent can read
• The accounting system: QuickBooks, Xero, or NetSuite
• The vendor master: a structured list of approved vendors with their bank details, contact emails, and payment terms
• An approval surface: for above-threshold approvals

This is not a custom integration project. Connecting Claude or ChatGPT through MCP, plus the existing email and accounting tools through their standard agent connectors, takes most teams under two hours.

The Actual Playbook: Prompts and Controls

What follows is the configuration we walk Meow customers through when they hand AP over to their agent. Copy it directly if you want.

Step 1 and 2: invoice ingestion and parsing

Standing instruction the agent runs continuously:

"Watch for new invoices in the AP inbox. For each invoice, extract: vendor name, vendor email, total amount, due date, line items, the bank account printed on the invoice, and any reference numbers. Output the extracted data and confirm whether the vendor matches an entry in the vendor master."

Failure mode to watch: vendors who change their bank details mid-cycle. This is the most common AP fraud vector in 2026. The agent should flag any change in vendor bank details for human verification before any payment runs. Always.

Step 3: vendor matching and bank-detail verification

Rule: if the bank account on the invoice does not match the bank account in the vendor master, the agent stops. The next step is step-up authentication, via an authenticator or passkey. We have not seen a successful AP fraud against an account that enforces this rule consistently.

Step 4: approval routing

The approval rule is the most important configuration in the system. A typical setup:

• Under $1,000: agent runs without approval, logs the payment
• $1,000 to $10,000: email approval to the controller, single tap
• $10,000 to $50,000: email approval to the CFO
• Over $50,000: dual approval (CFO and CEO), so a single compromised device cannot trigger both
• New vendor (no payment history): always requires approval regardless of amount
• Wire transfer to a new country: always requires approval
• Bank-detail change since last payment: always requires step-up authentication (an authenticator app or passkey), in addition to any approval logic

These rules are not the agent's judgment. They are configured in the Meow permission system and enforced before the agent can attempt the payment.

Step 5 and 6: payment scheduling and execution

This is configured, not prompted. The agent reads the rules at execution time.

Rail selection:

• ACH for domestic recurring vendors with three or more prior payments and no bank-detail change in the last 90 days
• Wire for new domestic vendors, or any domestic payment over $25K
• USDC for international vendors flagged as stablecoin-accepting in the vendor master
• Per-vendor rail override always wins over the default

Scheduling:

• Execute on the latest date allowed by the vendor's stated terms
• Read the Meow account balance before execution; if execution would breach the operating-account floor configured in the Meow permission system, pause and request review
• Capture the bank reference number on confirmation and post it to the invoice record

Reframing this as configuration rather than an LLM judgment call is the difference between an agent that picks the right rail 95% of the time and one that picks it 100% of the time. Anything you can make deterministic, make deterministic.

Step 7: reconciliation

Standing instruction:

"When a payment clears in the bank, match it to the invoice that triggered it, mark the invoice as paid in the accounting system, and post the GL entry to the correct expense account based on the invoice line items. If the cleared amount does not match the invoice amount, flag for review."

For Meow customers using QuickBooks, this is one MCP call. Auto-categorization accuracy depends on chart-of-accounts complexity, but teams with a reasonably stable vendor base typically see it settle in the low 90s by the second month, once the agent has learned which expense accounts the team uses for which line items.

Step 8: anomaly detection (always running)

The agent watches for:

• Duplicate vendor payments within 30 days
• New payees who do not appear in the vendor master
• Unusual amount jumps for known vendors (>30% above their 6-month average)
• Bank-detail changes mid-cycle
• Wires to high-risk geographies that have not been pre-approved
• Card spend bursts that exceed daily averages

Any flag pauses the relevant action and routes a human review.

Month One Through Month Six: What to Expect

The agent does not run at full throughput on day one. Setting the right expectations across the first six months is the difference between a successful rollout and a finance team that gives up in week three.

Week one. Connect the systems. Configure the rules. Populate the vendor master. Run the agent in shadow mode: every action is prepared by the agent, every action is confirmed by a human. The team is watching how the agent behaves more than what it produces. Time savings are minimal. Confidence is the deliverable.

Month one. Shadow mode comes off. The configured rules go live: sub-$1K payments to known recurring vendors run without human touch, the approval tiers start firing for the rest. Auto-categorization accuracy climbs as the agent learns the chart of accounts. The first real fraud or duplicate flag usually surfaces in month one and pays for the entire setup in one catch.

Month two. Auto-categorization stabilizes near steady state. The team has started redeploying the AP analyst's hours to vendor-relationship work and exception handling. Volume runs the same. Hands-on time has dropped sharply.

Month three. The first month where the team genuinely forgets the agent is running. New invoices come in, get parsed, get paid, get reconciled. The CFO checks the audit log on Mondays out of habit, not because anything has gone wrong. Anomaly detection is now catching things the manual process never caught: vendors slowly creeping their invoices up by a few percent a quarter, duplicate charges from SaaS tools after a renewal, mid-cycle bank-detail changes.

Month six. Steady state. The bulk of AP volume is fully automated. The CFO presents the agent-driven AP metrics in the next board update. The board asks why the team has not adopted the same pattern for accounts receivable, treasury, and procurement. Which is usually how the second wave of agent rollout starts.

The teams that follow this curve all report the same thing in the month-six retro: the worry was wasted, the throughput is real, the audit log is better than the manual one.

Common Questions

What if the agent makes a payment mistake? The same answer as if a human controller makes a mistake: the audit log captures the agent identity, the prompt, the data the agent acted on, and the outcome. Mistakes are recoverable through the same dispute and clawback process that exists for any human-initiated payment. In practice, the agent makes fewer category errors than human controllers because the rules are explicit.

What is the biggest fraud risk? Vendor bank-detail changes. Always require step-up authentication (not just an email confirmation) before paying to a new bank account. The agent enforces the rule. The human enforces the call.

Can the agent really handle international payments? Yes. Meow supports ACH, domestic wires, international wires, and USDC through its licensed partners. The agent picks the rail based on the vendor's stated preference and the configured rules.

How long does setup take? Most teams can complete the connection and rule configuration in under two hours. The first month is a learning period where the agent's auto-categorization and vendor matching get tuned. By month two, the system is running at the metrics described above.

Does the agent need access to my bank to approve payments? The agent has scoped, revocable access through the Meow permission model. You can revoke an agent's access in one click. The agent never holds raw banking credentials. The full architecture is covered in the permissions model post.

Will this replace my AP team? No. It collapses the work, not the team. The teams running this in production redeploy their AP people onto vendor relationship management, fraud review, and exception handling, where humans still beat agents. The pattern: hire fewer people for rote work, expect more from each one.

The Thing That Surprises Every CFO

Six months in, the question CFO ask is no longer "is this safe." It is "how did we ever do this manually." The CFOs who were skeptical at month one become the ones writing the case study by month six.

That is the playbook. Run it.

If your finance team has an open AP analyst req and a backlog that grows on Mondays, run the playbook against your existing bank or against ours. The Meow MCP endpoint is live for Claude, ChatGPT, Cursor, and Gemini at meow.com/mcp. Apply for an account at meow.com.