Arin - agentic operations for procurement
It runs the routine.
You decide the exceptions.
Arin is an exception-first agent that operates procurement for you. It works through the routine within the policy you set, then hands you only the pre-prepared decisions that actually need a person - each one ready to approve in a single move.
approve a purchase order
PO-1007 is ready to approve
- vendor
- Acme Corp (tier A1)
- amount
- $8,421.00
Within budget, within terms, and the three-way match is clean. No risk signals fired.
cites policy po-auto-approve (≤ $10k, net-30)

What Arin does
An operator for the work no one should read line by line.
Arin watches procurement, clears the routine within your policy, and prepares the few decisions that need judgment. One short line each, no jargon.
Action Queue
Prepared decisions, not alerts
Each exception arrives finished - a recommendation you accept in one move, with reasoning, confidence, alternatives and the exact write it will make.
Agent loop
An always-on loop
The agent reads procurement the moment it changes and runs on durable workflows, so a failed step just re-runs instead of a cron job hoping nothing crashes.
RiskDetection
Catches what loses money
Business-editable rules flag duplicate invoices, quiet bank-detail changes, unusual amounts and new vendors - before the payment leaves.
Reconciliation
Three-way reconciliation
Purchase order, receipt and invoice matched and closed within tolerance, so the routine clears itself and never reaches your desk.
Escalation
Hands off cleanly
Anything outside the policy you set is routed to the right person, SLA-driven - escalated, never silently dropped.
Governance
Policy and autonomy you dial in
Every autonomous action cites the rule that allowed it, and you set how far it acts for each capability - from watch-only to fully automatic.
The operating loop
Perceive, reason, decide, act or escalate, learn.
Arin runs one ordered cycle over your procurement record. Each pass clears the routine within policy, prepares the few decisions that need a person, and feeds what it learned back into the next pass.
01
Perceive
Reconciliation - reads the record as it changes
02
Reason
RiskDetection - DMN rules on the event
03
Decide
ActionPreparation - a prepared decision
04
Act or escalate
Escalation - within policy, or routed to a person
05
Learn
LearningSignal - captured for the next pass
The problem
A thousand events. Ten real decisions.
- The routine - matching POs, reconciling invoices - clears itself within policy
- The few that need judgment surface as prepared decisions
- You become the exception handler, not the throughput bottleneck
Volume inAutonomy you dial in
Trust it as far as you want. No further.
- Autonomy is a setting per capability, not a global switch
- Below the line Arin asks; above it, Arin acts and cites the policy
- High-stakes actions like payment release stay asking
You decideWhere it fits
Where Arin sits, honestly.
Arin is not RPA (no UI clicks - typed tool calls), not a standalone chatbot, not a no-approval autonomous agent (policy-first and human-gated), and not an ERP (SCM holds procurement truth; Arin drives it). The neighbours assist or automate I/O; Arin adds the decision layer and operates. Each has a real place.
Arin is pre-1.0 and pre-revenue. P2P suites and AP automation keep their real breadth and payment depth; RPA keeps its reach across legacy screens; general agents keep their flexibility. Arin trades that for a bounded, policy-first operator on one system of record - and we say the trade-offs plainly.
Under the hood
Not RPA. Not a chatbot. A bounded operator.
The story above is the plain version. For evaluators, here is how it holds together - Arin authenticates as a resource server, can only call what its token scopes allow, and every write is a typed MCP tool call with an immutable audit trail.
The trust chain
Arin cannot click a screen and cannot act outside its token scopes. It authenticates on tokens minted by a separate authorization server, and each approval becomes exactly one scoped MCP call. Here is the exact chain behind a single PO approval.
- identityICE
Sole OAuth 2.1 authorization server. Mints RS256 access tokens, publishes JWKS.
- resource serverArin
No login form. Validates ICE tokens, authorizes on ICE-issued scopes, acts as an MCP client.
- one scoped callpo.approve
Exactly one typed MCP tool call on approval. Not a UI click - a contract-typed operation.
- system of recordSCM
Owns the status guard, procurement audit and outbox event. PENDING to APPROVED.
proven end to end
operator → Arin action approval → MCP po.approve → SCM purchase order PENDING → APPROVED.
Not a slideshow. An automated family smoke test drives the full path across three services and asserts the status flip on every run.
family-e2e smoke: asserts PENDING → APPROVED
Anatomy of a prepared decision
An AgentAction arrives finished: a recommendation you accept in one move, the reasoning laid out, the evidence and alternatives, the exact policy it stands on, and a preview of the write it will make.
The scopes it is granted
The blast radius is the token, and you set it. Arin holds a fixed set of ICE-issued scopes - it owns its own domain and can read and act on SCM, nothing more. Outside this set there is no capability to misuse.
Autonomy you dial in
Autonomy is a setting per capability, not a global switch. Each capability has its own level and its own ceiling - move the ones you trust toward Auto and leave the high-stakes ones asking. Payment-adjacent capabilities cannot reach full auto in v1.
L0 Observe
Watches and logs what it would do. Touches nothing.
L1 Suggest
Prepares every action. You approve each one.
L2 Auto-confirm
Handles the routine, batches a summary for you.
L3 Auto
Acts within policy, escalates only the exceptions.
PO = receipt = invoice, matched and closed
cites: match-tolerance (2% / $50)
repeat invoices - same vendor, same amount
cites: duplicate-window (14 days)
in-budget orders inside standard terms
cites: po-auto-approve (<= $10k)
payout account edited before a run
cites: bank-change-hold (verify out of band)
Every autonomous action cites the rule that authorized it, written to the immutable audit log the instant it runs.
higher stops open as trust builds. L4 fully autonomous orchestration is not in v1.
Risk detection, on DMN rules
Risk detection runs on DMN decision tables - business-editable rules, not a black box. Each catch becomes a prepared decision before the money leaves. The rules are real code; the scenarios below are synthetic and labelled as such.
Bank-detail change
rule: new-bank-details
Acme Corp payout account edited 40 minutes before a scheduled run. Classic BEC pattern.
Hold the run - verify out of band before release
Duplicate invoice
rule: duplicate-invoice
INV-482 matches INV-419 - same vendor, same $8,421, cleared 11 days ago. No credit note.
Reject INV-482 - block from the next payment run
New-vendor amount spike
rule: unusual-amount
First invoice from a vendor added yesterday is 6x the median first-order for its category.
Escalate to AP - require a second approver
Synthetic scenarios for illustration - the DMN rules that fire them are real code.
Private - design-partner pilots
Hand the routine to the agent. Keep the judgment.
Arin is pre-1.0 and private - no public download, no self-serve sign-up. We are taking on a small number of mid-market finance teams as design partners, starting with procurement. Tell us about your stack and we will set up a look at the real approval loop.