Go to home page
 

Making Your Existing Systems AI-Agent-Accessible, without a Rip-and-Replace

  • Steve Jordan
  • Associate Director - Product Marketing, Integration, WSO2

Every enterprise AI project runs into the same question pretty early on: which systems does the agent actually need to reach? The list tends to come back looking familiar. The ERP on the mainframe. That AS/400 financial system that has been humming along since before the public understood what the internet was. The CRM somebody stood up in the early 2000s, last documented in 2009 by a developer who retired in 2017. Then comes the quiet part, where someone mentions that none of these have modern APIs, and the ones that do are ten years old, and nobody is entirely sure what they still support.

That is usually the moment the project stalls. The model is fine. The use case is sound. The trouble is that the data the AI needs, the real business record, sits behind architectures that cannot easily be reached.

The initial reflex is to make it a replacement project. Tear the old system out, rebuild it properly. It is a reasonable instinct, and it has a track record worth a look before you commit to it.

That track record is sobering. Large ERP upgrades can run as high as $500 million, stretch across years, and shape the operating model for the next decade (McKinsey, 2023). That is a lot to spend to make a system reachable, especially when reaching it was the only thing you actually needed.

There is a better answer, and it does not involve replacing or rewriting anything, or taking a system offline for a 3 a.m. Sunday migration window. You wrap the system instead. You place a managed, governed integration layer in front of it so AI agents can reach what they need safely and in real time, without the source system being aware that anything has changed.

The pattern is an old one. The industry already has names for it, the anti-corruption layer and the strangler fig among them, and they share a single principle: build around the old system rather than through it.

The rest of this article lays out how that works in practice, why the most heavily regulated enterprises have settled on it, and what to look for in an integration platform before you use it to wrap a system you cannot afford to see go dark.

Why legacy systems block enterprise AI (and it is not the model)

Spend enough time inside enterprise AI projects and you start to notice the same barriers coming up, and they are rarely the ones people expect. The models are more than capable. The teams using them know what they are doing. What holds the work back is getting to data trapped inside systems that were never built to share it, at least not in the way AI needs. The problem is structural, not a gap in models or skills, and treating it as anything else is exactly how promising projects grind to a halt.

The budget tells a version of the same story. Most IT spending goes toward keeping the critical systems you already have up and running, which leaves only a thin slice for anything new. So AI projects often get funded out of the leftovers instead of a budget of their own, and the work crawls as a result.

The distance between what AI is supposed to deliver and what it actually delivers usually comes down to one thing. Every critical system that stays out of reach drags down the ROI and slows the rollout. For most AI strategies the barrier was never necessity or importance. It was access.

Why these systems are hard to reach, and why replacing them is the wrong move

These systems were built in a different era, designed around stability, transactional reliability, and batch throughput, and they have delivered on all three for decades. Where they clash with AI, it is a structural mismatch, not a flaw in the systems themselves. And most of the concerns around them can be solved without disturbing the systems underneath.

Batch cycles versus real-time decisions

Most legacy systems run on fixed schedules: nightly runs, hourly jobs, cycles that made complete sense ten or twenty years ago. An AI agent making decisions on its own probably should not be working off data that is twenty-four or thirty-six hours old. Change Data Capture solves that by adding a streaming layer over the top. It watches the database for changes and publishes them the moment they happen, turning those batch cycles into real-time events with no change to the source system.

No modern API? Wrap the system as an MCP server

Agents expect a modern surface to work with: Model Context Protocol (MCP) servers, event streams, structured function calls. Most legacy systems offer a green-screen terminal, a proprietary protocol, or an older SOAP service. The data is not truly out of reach. It just needs something to present it the way agents expect, and that something is an MCP wrapper: a governed MCP server that exposes the system over the protocol agents actually speak. If a usable API already exists, you convert it. If it does not, you build one over whatever the system does expose. Either way, the system behind the wrapper keeps running as before, none the wiser.

Fragmented identities and inconsistent data

The CRM knows your customer as account ID 47291. The ERP has them down as billing reference EUR-00847. The mainframe uses a third identifier nobody has documented in recent memory. Unless a transformation and mapping layer sorts all of that out before the data reaches the AI, the agent is stuck untangling a knot it was never meant to touch, and you can see it in the output: mismatched records, wrong inferences, decisions that do not line up with what the business actually needs.

Security posture incompatibility

Legacy systems were designed back when “inside the firewall” counted as a security model on its own. AI workloads need more than that: zero-trust architecture, agent identity management that treats each agent as its own principal with defined permissions, fine-grained access controls, and a full audit trail of every read. None of that comes built into a thirty-year-old mainframe. All of it can be enforced at the integration boundary instead, with the legacy system neither modified nor even aware it is happening.

Notice that none of these barriers require the legacy system to change. Each one asks for a layer in front of it, nothing more. And that can be the difference between a twelve-week integration project and an expensive modernization gamble.

Five ways to connect legacy systems to AI agents

Different systems call for different approaches, and the right one comes down to what a given system exposes today. A capable integration platform should handle the full range.

1. Modern access, no rewrite required

Plenty of older systems already speak some kind of language, even if it is an aging SOAP service or a protocol all their own. You do not have to retire them to modernize them. Wrap one in an integration layer and it picks up a clean, governed front door: REST calls come in and get translated into whatever the system expects, and its responses get translated back on the way out. Versioning, access control, rate limiting, and observability all live in the wrapper, not in the code behind it.

2. Change Data Capture

When the valuable data lives in a database rather than a service layer, Change Data Capture watches for changes at the database level and publishes them as real-time event streams. Agents subscribe to those streams instead of polling batch exports. The source database is not modified and the operational system is not affected, but the agents reading from it have stopped working off last night's snapshot and started working off what is true right now.

3. File-driven integrations

Some industries are not moving off batch file exchange any time soon, and honestly they should not have to. Finance, healthcare, logistics, and supply chain all run on FTP and SFTP transfers and flat-file exchanges that carry billions of dollars of operational workflow. A mature integration platform manages the whole lifecycle of those exchanges as governed pipelines that agents can query and trigger against. The format quirks, the scheduling, the error handling and retries all sit in the integration layer, not in the AI.

4. Event-driven integrations

For systems that truly cannot be modified and have no service layer to speak of, an event broker sits between the legacy system and the AI workloads and decouples the two. The legacy system keeps to its own schedule, oblivious to the agents now reading from it. The broker picks up what it produces, completed transactions, batch outputs, and hands them to AI consumers as an event stream, with no coupling between the two.

5. Connector-based access

For the big installed base of SAP, Oracle, Salesforce, IBM MQ, Workday, and ServiceNow, a library of pre-built, maintained connectors takes the integration coding off the table entirely. Each one stays current with API changes and gets tested across production deployments, so every additional system you connect drops from months of work to days. An agent that can reach SAP in real time through a production-grade connector is playing a very different game from one that cannot.

What changes when you wrap a legacy system, and what does not

Here is the part that matters most, and it is also the most technically precise: the integration layer never touches the legacy system. It connects from the outside, through the same interfaces any other authorized application already uses. No source code gets modified, no data structures get altered, and nothing needs to be taken offline.

The sensitive system of record stays right where it is, on-premises and under the same compliance controls it has always run under. The integration layer exposes a governed MCP server or API, and the AI application queries it in real time. Important data never leaves the environment it belongs in, and the original system's vendor is not part of the architecture conversation at all. Nothing about how that system operates changes. What changes is what the AI can now do with it.

Everything operationally important stays in place: the legacy system, the employees, customers, and vendors who rely on it, the processes built around it, and the compliance posture that keeps it safe. Integration extends the systems you already rely on rather than ripping them out.

The migration dimension: moving the integration layer itself

If you are already running integrations on an older or proprietary platform, there is a second conversation sitting underneath this one: whether the integration layer itself is due for a refresh as part of the work. The stronger platforms can import and translate existing integration projects, carrying flow logic, data mappings, and connector configurations across rather than making a team rebuild all of it by hand.

For a mature integration estate, on any platform, that reframes the whole question. It stops being “do we have to rebuild our integrations just to support AI?” and turns into “can we move what we have already built onto a platform where AI-agent access is built in rather than bolted on?”

What to look for in an integration platform for legacy AI access

Platforms in this space can look nearly identical on a feature grid and then behave completely differently once they are in production. Six things tend to separate the ones that make legacy systems genuinely reachable from the ones that only claim to.

Connectors, plus a fast route to the ones you do not have

For most teams the real constraint is not architecture, it is how long that first connection to each system takes. A maintained library covering the systems most enterprises already run, the SAP, Oracle, Salesforce, IBM MQ, Workday, and ServiceNow tier, handles the common cases. For everything else, the platforms worth shortlisting can now generate a connector straight from an API specification rather than demanding a custom build for every new system. The honest test is a simple one: how long does it take to go from a brand-new system to a working, governed connection?

A way to reconcile data that is inconsistent

Legacy systems have a consistency problem every bit as much as a connectivity one. The same customer, product, or transaction shows up under different identifiers in different places. What matters is that those differences get resolved at the integration boundary, before anything reaches the AI, so agents work from one trusted view and no system is ever asked to change its internal model. That reconciliation is increasingly AI-assisted these days, which helps, but it is the principle that counts here, not the label on it.

Live streams out of systems that only think in batches

Waiting on the nightly batch run is the difference between an agent that approximates and an agent that acts. Change Data Capture watches the source database for changes as they happen and publishes them as streams the agents subscribe to, with the database untouched and the operational system unaffected. A platform that cannot turn batch into a live feed without modifying the source has not solved the problem.

A migration path for the integrations you already run

Most enterprises are not starting from a blank page. They have an integration estate built up over years, and the platforms that respect that can import and translate existing projects, flow logic, data mappings, and connector configurations included. The path forward becomes a migration rather than a rebuild, and all the work already done becomes the foundation for what comes next.

Security enforced at the boundary

A thirty-year-old system cannot implement zero-trust on its own, and you should not expect it to. The integration layer carries that load: every agent is a named principal, and every access is authenticated, checked against policy, rate-limited, and logged. The legacy system just sees an authorized application, exactly as it always has. Everyone else sees a fully auditable interaction.

Deployment that follows the data

In regulated industries, sovereignty rules often mean the data simply cannot move to public cloud, so the platform has to run where the data already lives: on-premises, sovereign cloud, private cloud, or hybrid, without a licensing cliff steering the decision for you. And where the stakes are highest, the ability to self-host and inspect exactly how data is handled can be what tips a risk committee from a no to a yes.

How WSO2 Integration Platform makes this practical

Everything to this point is deliberately platform-neutral, because the pattern matters more than the badge on it. But a list of criteria only takes you so far on paper. What counts is whether a platform does these things once real traffic and a risk committee are involved, and that is the ground WSO2 Integration Platform was built for.

Start with connectors, since that is where most teams feel the delay first. WSO2 maintains a library of more than 600 pre-built connectors covering the systems most enterprises already run, the SAP, Oracle, Salesforce, IBM MQ, Workday, and ServiceNow tier among them. Each one is built and kept current with its underlying API by WSO2 and tested across production deployments, so adding another system is usually a matter of days rather than months. For anything the library does not already cover, the platform generates a connector straight from an OpenAPI specification, which stops the long tail of niche and in-house systems from turning into a custom-build queue.

The same platform handles the full range of access patterns described earlier, so you are not assembling a different tool for each one. Systems that already expose an interface get wrapped as governed APIs, or exposed directly as MCP servers that agents discover and invoke. Databases that only think in batches get a Change Data Capture stream laid over the top. File and EDI exchanges run as managed, governed pipelines. Systems with no service layer at all sit behind a message broker, and WSO2 connects to the major third-party brokers, passing what the system produces to agents as a governed event stream with nothing altered on the source side. Transformation and mapping happen at the boundary too, so agents reason over one reconciled view instead of untangling three identifiers for the same customer.

Governance is enforced where it belongs, at the integration boundary rather than inside a system that was never designed to carry it. Every agent is a named principal, every call is authenticated, checked against policy, rate-limited, and logged, and the legacy system sees only an authorized application it already knows how to answer. The audit trail behind that is detailed enough to satisfy whoever signs off the risk.

If you are already running integrations on an older or proprietary platform, WSO2's migration tooling imports and translates what you have built, flow logic, data mappings, and connector configurations included. That turns the switch into an upgrade rather than a teardown, and the work already done becomes the starting point instead of a write-off.

And because the platform is open source at the core and runs wherever the data has to live, on-premises, sovereign cloud, private cloud, or hybrid, deployment follows the data rather than the other way round. Where the rules say data cannot move to the public cloud, that is not a workaround, it is how the platform is meant to run, and the open codebase lets a security team verify exactly what happens to the data rather than take it on trust.

Where to start with legacy AI integration

Teams starting this work almost always ask the same question first: which system do we tackle first? It is rarely the biggest or the most complicated one. It is whichever system is blocking your highest-value AI use case right now.

1. Weeks 1 to 2: Map the three to five systems your highest-priority use cases depend on. For each one, note what it exposes today, whether that is APIs, a database, files, or events, and where the gap actually is. This is a matter of days, not a discovery project.

2. Weeks 3 to 6: Stand up an integration platform alongside that first system and expose its first endpoints as governed APIs or event streams. Observability goes in before any agent touches live data, not bolted on afterward.

3. Weeks 6 to 12: Run that first use case against the live integration. The jump in output quality, from reasoning over a pilot snapshot to working with current, governed data, usually shows up within the first few production queries.

4. Weeks 12 onward: Keep extending coverage. Every system you expose multiplies the value of every agent you have built or will build. There is no finish line here; the value of the integration layer compounds with each new system you add.

The enterprises building real AI capability right now are not the ones with the tidiest architecture or the flashiest models. They are the ones that solved the data access problem, connecting what their AI needs to the systems where the data actually lives.

The systems you already have do not have to be an obstacle. The integration layer is what turns them into something every part of your AI strategy can finally reach.

Frequently asked questions

Can AI agents access legacy systems without a rip-and-replace?

Yes. You place a governed integration layer in front of the legacy system and let AI agents reach it through that layer, rather than replacing or rewriting the system. The approach follows well-known patterns, the anti-corruption layer and the strangler fig, that build around an old system instead of through it. The source system keeps running unchanged.

What is an MCP server, and how does it help connect legacy systems?

An MCP (Model Context Protocol) server exposes a system over the protocol AI agents natively understand. For a legacy system with no modern API, you build a governed MCP server in front of it so agents can discover and invoke it, while the underlying system keeps speaking whatever protocol it always has. If a usable API already exists, you convert it; if not, you build one over whatever the system does expose.

How does Change Data Capture make batch systems real-time for AI?

Change Data Capture (CDC) watches the source database for changes and publishes them as event streams the moment they occur. Agents subscribe to those streams instead of polling nightly batch exports, so they act on current data. The source database is never modified and the operational system is unaffected.

Is it safe to connect a mainframe or AS/400 to AI agents?

Yes, when security is enforced at the integration boundary rather than inside the legacy system. Each agent becomes a named principal, and every access is authenticated, checked against policy, rate-limited, and logged, producing a full audit trail. The mainframe or AS/400 only ever sees an authorized application it already knows how to answer.

How long does it take to make a legacy system AI-accessible?

For most teams the first governed connection takes weeks, not months, and nothing close to the years an ERP replacement would run. A typical path maps three to five priority systems in the first two weeks, exposes the first governed endpoints by weeks three to six, and has the first use case running on live, governed data by weeks six to twelve.

Take the next step

Request a complimentary WSO2 Legacy Integration Assessment: a structured review of your system estate and a prioritized roadmap for AI accessibility, led by WSO2's integration architects.

Contact WSO2 →