Enterprise

Agents your auditors, CFO,
and on-call engineer can all live with.

Self-hosted, your data never transits our anything (there is no our-anything). Zero dependencies for security review. Hard budget caps for finance. Append-only journals for compliance. Approval gates for everyone who's read the news lately. OpenTelemetry traces into the SIEM or APM you already run, and per-customer run tags that attribute every dollar of model spend.

Ten implementation playbooks

Each one: the workflow today → how Nexus integrates → what changes → the value mechanism. Expand your industry.

Customer support

Today

A support bot either can't act (deflection-only) or acts unsupervised, and support bots inventing policy is a documented, reputation-burning failure mode.

With Nexus

Agent reads tickets and drafts freely; issue_refund, change_subscription, send_email are approval-gated. Policy auto-approves refunds under $50; Slack notification carries bigger ones to a human. Budget caps each ticket's spend.

What changes

The bot resolves end-to-end instead of deflecting; humans review only the consequential 10%. Every promise made to a customer is journaled, attributed, replayable.

Value mechanism

Exposure per run is capped at your policy threshold + budget. Disputes are settled by the journal, not by memory.

approvalPolicy: ({ toolName, arguments: a }) =>
  toolName === 'issue_refund' && a.amountUsd < 50
    ? 'approve' : 'ask',
budget: { maxUsd: 0.25 }  // per ticket

Deploy

Wrap your existing helpdesk MCP server (Zendesk/Intercom-style) with mcpTools(), no changes to it. Approvals via Slack webhook; audit via nexus serve.

AI agents & agent platforms

Today

Teams building agent products re-implement the same plumbing, state, retries, approvals, cost tracking, badly, under deadline, per project.

With Nexus

Nexus is the execution layer; your product is the agent definitions and UX. Every customer-visible run inherits durability, budgets, and an audit story.

What changes

Your differentiation budget goes to the product, not the plumbing. "What did the agent do for customer X" becomes a file you can open.

Value mechanism

Months of infra work replaced by an MIT dependency with zero transitive packages to clear through security review.

const run = await runtime.run('analyst', task);
// per-tenant budgets, per-run journals,
// OAR files your customers can export, // lock-in-free is a feature you can sell
Internal tooling & DevOps

Today

Coding/ops agents run with broad credentials. The documented 2025-26 failure mode: an agent finds an over-privileged token and deletes production in seconds.

With Nexus

deploy, terraform_apply, delete_*, rotate_credentials are approval-gated; read-only tools flow freely. Kill the runner mid-deploy; resume it after lunch. Every run streams OpenTelemetry spans into your existing SIEM or APM, so security ops sees agent activity in the same pane as everything else.

What changes

Destructive actions get a mandatory human pause, enforced by the runtime, not by pleading with the model in ALL CAPS (which demonstrably does not work).

Value mechanism

One prevented production-database deletion pays for the integration forever. The journal turns postmortems from archaeology into reading.

tools: [readLogs, runTests,
  { ...terraformApply, requiresApproval: true },
  { ...dropDatabase,  requiresApproval: true }]
// the runtime enforces the pause.
// the model's opinion is not consulted.
Enterprise automation

Today

RPA breaks on anything unstructured; LLM scripts handle the unstructured but are unauditable and die on restarts, losing mid-flight work.

With Nexus

Long-running back-office runs (procurement, onboarding, reconciliation) survive deploys and restarts; steps that touch money or records pause for sign-off; the journal is the process record.

What changes

Automations span days and approvals without a workflow cluster. The run record doubles as the compliance artifact.

Value mechanism

Durable multi-day processes with human checkpoints, previously a Temporal-sized project, become a library import.

// day 1: run pauses at 'post_journal_entry'
// day 3: controller approves from the dashboard
// same run, same journal, zero re-work
await runtime.approve(runId, callId);
SaaS platforms

Today

Adding "AI features" means eating unbounded model costs per tenant and answering "what did your AI do to my data?" with a shrug.

With Nexus

Per-run budgets become per-tenant cost ceilings, and per-run tags attribute every dollar of model spend to the tenant that caused it. OAR journals become a customer-facing audit trail. Local-model support (Ollama) serves data-residency-sensitive tenants.

What changes

AI COGS become a capped, modelable number. Enterprise procurement gets the audit answer it demands.

Value mechanism

Prevents margin-destroying runaway usage (a documented pattern: an org burned ~$81k in a week; another reportedly ~$500M in a month with no caps).

budget: {
  maxUsd: tenant.plan === 'pro' ? 0.40 : 0.10,
}
// enforced before each call, not on the invoice
runtime.run('agent', input, { tags: { tenantId: tenant.id } });
// every dollar attributed to the tenant
Healthcare

Today

Agents could triage referrals, draft prior-auths, chase claims, but PHI can't leave the building and "the AI decided" is not an answer any regulator accepts.

With Nexus

Fully self-hosted with local models via Ollama. PHI never crosses the perimeter. Every patient-affecting action is approval-gated to a clinician; the journal records who approved what, when, at what cost.

What changes

AI moves from "banned by compliance" to "operating inside compliance," because the audit artifact exists by construction.

Value mechanism

Staff hours reclaimed from paperwork while the accountability chain stays human. Caveat we volunteer: Nexus is infrastructure, not a HIPAA compliance program, your BAA, access controls, and clinical validation still apply.

provider: new OllamaProvider(),  // on-prem, air-gapped
model: 'llama3.3-70b',
// PHI stays home. Journal stays forever.
Finance

Today

FINRA's 2026 oversight report flags AI-agent hallucinations and missing decision trails as compliance risks; explainability tops bank regulatory concerns. Meanwhile the business wants agents reconciling, screening, drafting.

With Nexus

Four-eyes enforcement in one line: money-moving tools pause for a second human. Policy thresholds mirror your existing delegation-of-authority matrix. The OAR journal maps to books-and-records retention.

What changes

"Show us every action the agent took in Q3, who approved each, and reproduce run #4417" becomes: here are the files; here's the replay.

Value mechanism

Agent adoption without a new recordkeeping gap, the record is the execution, not a best-effort log beside it.

approvalPolicy: ({ toolName, arguments: a }) =>
  toolName === 'execute_payment'
    ? (a.amountUsd < 500 ? 'approve' : 'ask')
    : 'ask',
// decidedBy: 'policy' | 'human', journaled
Legal

Today

Courts sanctioned lawyers repeatedly in 2025-26 for unverified AI output, up to $110,000 in one case, with 1,300+ hallucination incidents tracked in court filings. The pattern is always the same: no verification gate between the model and the filing.

With Nexus

Research agents work freely; file_document, send_to_client, cite_authority are approval-gated to a responsible attorney. The journal proves the review happened, by name, with a timestamp.

What changes

The verification step stops being a policy memo and becomes a runtime invariant. Rule 11 diligence gets an evidentiary record.

Value mechanism

Sanctions avoided, and frankly, malpractice-insurer conversations get easier when review is enforced by infrastructure. Caveat: Nexus can't detect a hallucinated citation; it guarantees a human was accountably in the loop.

{ ...fileWithCourt, requiresApproval: true }
// journal: approval_decision
//   decidedBy: 'human'
//   toolName: 'file_with_court'
//   at: 2026-07-04T14:02:19Z
E-commerce

Today

Agents handle catalog ops, pricing, and order exceptions, where one bad bulk action (mispriced SKUs, mass cancellation) is instantly expensive, and prank/adversarial input is a documented reality.

With Nexus

Bulk mutations above a threshold pause for a merchandiser. Budgets cap per-run spend during traffic spikes. Replay lets you test a new pricing prompt against last month's real runs before it touches the catalog.

What changes

Agents operate the long tail of exceptions; humans set thresholds once instead of reviewing everything or nothing.

Value mechanism

Blast radius of any single run is bounded by policy + budget; regression replay catches behavior drift before customers do.

approvalPolicy: ({ toolName, arguments: a }) =>
  toolName === 'update_prices' && a.skuCount > 100
    ? 'ask' : 'approve',
Manufacturing

Today

Agents could triage maintenance tickets, order parts, adjust schedules, but plants run air-gapped networks and nothing touching production lines goes unreviewed, ever.

With Nexus

Zero-dependency runtime + local models = deployable on isolated plant networks with a security review your OT team can actually complete. Schedule changes and parts orders above threshold pause for the plant manager.

What changes

AI reaches the shop floor within existing change-control culture instead of fighting it.

Value mechanism

Downtime-relevant decisions accelerate; the journal slots into existing quality-system documentation (audits already work this way).

// air-gapped: no cloud, no telemetry, no phone-home
// (there is nothing to phone home to)
storage: new SqliteStorage('/plant/agents.db')

Government & public sector

You are digitalising. Here is where AI actually belongs.

Most public bodies know they should use AI and have no map for where it is safe to start. The map is the same in Washington, Brussels, London, Riyadh and Abu Dhabi: begin on low-risk, high-volume back-office work, keep a named human accountable for every decision that touches a citizen, keep an immutable record of what happened, and run it inside your own boundary so nothing leaves. That is the exact shape of this runtime.

Two disasters set the bar. The Dutch childcare-benefits scandal (the toeslagenaffaire) wrongly branded roughly 26,000 families as fraudsters through opaque automated risk scoring, forced repayments that destroyed households, and brought down the government in 2021. Australia's Robodebt scheme automatically raised about A$1.76 billion in unlawful debts, was ruled illegal, and cost a A$1.8 billion settlement plus a Royal Commission. In both, software made life-altering decisions with no accountable human and no defensible record. The lesson public bodies took away: automate the work, never the accountability. Nexus keeps the human of record, and the record.

What the rulebooks actually ask for, and the mechanism that answers it

US · OMB M-25-21

The 2025 federal AI memo names high-impact AI and requires, before it can affect the public: an impact assessment, real-world testing, ongoing monitoring, human oversight, and a public inventory. Gates, the journal, budgets and the kill switch are the runtime half of that list.

EU · AI Act

High-risk public-service AI falls under Art. 12 (automatic logging, kept six months), Art. 14 (effective human oversight with a stop control) and Art. 27 (a fundamental-rights impact assessment). The journal is the log, the gate is the oversight, cancelAll() is the stop.

UK · Playbook + ATRS

The AI Playbook (Feb 2025) and the mandatory Algorithmic Transparency Recording Standard expect departments to record where an algorithm informs a decision and keep a human answerable. A journal entry per step is that record, produced as a side effect of running.

Defence · Traceable & Governable

The US DoD's responsible-AI principles include Traceable (a documented, auditable trail) and Governable (the ability to disengage). Append-only journals and cancelAll() are those two words in code. Infrastructure, not an ATO.

Saudi · PDPL + SDAIA

The PDPL is enforced by SDAIA and expects personal data to stay in-Kingdom; the Generative AI guidelines ask for human review and record-keeping. Self-hosting keeps data inside the boundary and the journal is the record. Residency is wherever you choose to run it, which is your call, not ours.

UAE · Charter for AI

The UAE leads on ambition: a Minister for AI since 2017, Chief AI Officers across every Dubai entity, Abu Dhabi's pledge to be AI-native by 2027. Its Charter for the Development and Use of AI is principles, not certification. A gated, journaled runtime is a way to put those principles into the machinery.

Where it fits, department by department

Ordered the way we would actually deploy it: highest-volume, lowest-blast-radius work first. Expand one.

Tax & revenue

Today

Revenue agencies drown in correspondence, refund checks and eligibility questions, and automating the judgement is exactly where it goes catastrophically wrong: Robodebt raised billions in unlawful debts by letting an algorithm decide who owed money.

With Nexus

The agent drafts the assessment, reconciles the documents and prepares the letter freely; issuing a demand, changing a liability or offsetting a refund is gated to a named officer. Every figure it relied on is journaled. Budgets cap overnight batch runs.

What changes

Caseworkers clear the routine backlog; the irreversible decision keeps a human signature and a paper trail.

Value mechanism

A demand can always be traced to the officer who approved it and the evidence in front of them. That artefact is precisely what Robodebt never had.

approvalPolicy: ({ toolName }) =>
  ['raise_debt', 'issue_assessment',
   'offset_refund'].includes(toolName)
    ? 'ask' : 'approve',

Deploy

Wrap the case-management system as an MCP server; approvals route to the assessing officer; the journal maps to statutory records retention.

Benefits & eligibility

Today

The toeslagenaffaire wrongly flagged tens of thousands of families through opaque risk scoring, with no accountable human and no explainable record. The failure was not that a model scored, it was that adverse action followed with nobody answerable.

With Nexus

Score and triage freely; suspending a payment, opening a fraud case or denying a claim pauses for a caseworker, by name. The journal shows exactly what data drove the flag.

What changes

Throughput on the routine 90%, a human on the 10% that can ruin a life, with the reasoning attached.

Value mechanism

Every adverse action is explainable and attributable, which is what the inquiries demanded and the original systems could not produce.

// the score is advice; the sanction is gated
{ ...suspendPayment, requiresApproval: true },
{ ...openFraudCase,  requiresApproval: true }
// journal records the features behind each flag
Nuclear & regulated infrastructure

Today

Nuclear, grid, water and aviation regulators run on enormous document sets: licensing submissions, inspection reports, safety-case reviews, deviation logs. AI can triage and draft the paperwork. Nothing it does may go anywhere near a control system.

With Nexus

The agent cross-references a licensing submission against the regulation, drafts the inspector's findings and flags gaps; filing a determination is gated to the licensed reviewer. Air-gapped install with local models, so nothing leaves the facility. It stays firmly in the filing cabinet, never the plant.

What changes

Reviewers spend their hours judging, not collating.

Value mechanism

A determination cites the sources the agent surfaced and the human who signed it. Hard line: this is document work behind the safety boundary, never a safety-instrumented function.

// inside the boundary: no cloud, no egress
storage: new SqliteStorage('/secure/reg.db'),
approvalPolicy: () => 'ask' // every filing
// the model reads regs; it never actuates.
Courts, records & FOIA

Today

Backlogs of records requests, redaction and case-file summarisation. The failure mode is releasing the wrong document, or an unreviewed summary, into the public record.

With Nexus

The agent finds responsive records, proposes redactions and drafts the response; release is gated to the records officer. The journal is the disclosure log that transparency regimes already require you to keep.

What changes

The queue moves at machine speed; the release decision stays human and recorded.

Value mechanism

"Who released this, and on what basis" becomes a query against the journal, not an internal investigation.

{ ...releaseDocument, requiresApproval: true }
// proposed redactions journaled per document;
// the sign-off is the officer, by name
Classified & air-gapped

Today

The workloads that most need AI are often the ones that can never touch a cloud API. FedRAMP is cloud-only; classified enclaves (IL5/IL6) are physically isolated by design.

With Nexus

Zero dependencies and local models mean the entire runtime installs inside the enclave with a security review your team can actually finish. No phone-home, because there is nothing to phone home to. The journal stays on your storage, under your accreditation.

What changes

AI reaches the air-gapped side of the house without a cloud waiver.

Value mechanism

The governance layer inherits your enclave's boundary. Caveat: inheriting a boundary is not the same as holding an authorisation; the ATO is still yours to earn.

// no transitive dependencies to clear,
// no telemetry, no outbound network at all
model: ollama('llama3'), // on-box
storage: new FileStorage('/enclave/runs')
Gulf: UAE & Saudi Arabia

Today

The Gulf is moving fastest of anyone on government AI: Abu Dhabi's AI-native-by-2027 programme, Chief AI Officers across Dubai, Saudi Arabia's HUMAIN and the sovereign Arabic LLM ALLaM. At the same time data-protection law is tightening, with the Saudi PDPL enforced by SDAIA and an expectation that personal data stays in-Kingdom.

With Nexus

Run a sovereign Arabic model on in-country hardware; the runtime keeps every step inside the boundary and journals it, in the language of record. Citizen service, licensing and correspondence handling get a gated, recorded path that matches the residency rules.

What changes

The ambition gets a governance layer under it, instead of a pilot with no audit story.

Value mechanism

Data never leaves the jurisdiction and every citizen-facing action has a named approver. Caveat: self-hosting is not a sovereign cloud and not a certification, and Arabic accuracy is the model's job, not the runtime's. We keep the record and the human; the ministry keeps the accreditation.

// in-Kingdom box, sovereign Arabic model
model: ollama('allam'),
approvalPolicy: ({ toolName }) =>
  toolName.startsWith('citizen_')
    ? 'ask' : 'approve',
What Nexus is not, for government. It is not FedRAMP-authorised and not an ATO; self-hosting inherits your boundary, it does not grant you an accreditation. It is not a sovereign cloud, not a model, and not an Arabic-language guarantee. It stays out of every safety-critical control loop by design: it governs the paperwork and the decisions around the plant, never the plant itself. What it does own is the exact thing the toeslagenaffaire and Robodebt were missing, a named human on every irreversible action and an immutable record of what happened and why. Start there, on low-risk high-volume work, and earn the next step.

Getting it in

Two ways to adopt it. Both end with a human approving.

You do not rewrite anything. Nexus wraps the agent you already run. Do it by hand in an afternoon, or point an AI at your repository, let it find the risky calls, and approve its proposal. Either path lands in the same place: destructive actions pause for a named human, every step is recorded, spend is capped, and it all runs inside your own boundary.

By hand, in five steps

For teams who want to place every gate themselves. The API is small on purpose.

// 1. install (zero transitive deps to review)
npm i @nexusaiframework/runtime

// 2. wrap the tools you already have; flag
//    the irreversible ones
defineTool({ name: 'deploy', requiresApproval: true })

// 3. register your agent with a budget
runtime.register(defineAgent({ name: 'ops',
  tools, budget: { maxUsd: 2 } }))

// 4. pick storage; this file is your journal
new NexusRuntime({ storage: new FileStorage('.nexus') })

// 5. approvals dashboard
nexus serve

The full surface is on the docs page.

Or let an AI audit it for you

If you would rather not hunt for the risky calls yourself, this is the recommended first pass. Point Claude Code, Cursor, or any coding agent at your repository with the prompt below. It reads your agent's toolset, classifies every capability by blast radius, and proposes a gate map, a budget, and journal wiring as a diff. It changes nothing until you approve. You read the proposal, push back on anything that looks wrong, then let it apply. The audit itself is the sales pitch: you see exactly how much of your agent was ungoverned.

The proposal, your approval, then the change. The same shape as the runtime it installs.

Paste this into your coding agent

Audit this repository to adopt the Nexus agent runtime
(@nexusaiframework/runtime). Do NOT change behaviour yet. Produce a proposal.

1. Find every place an LLM or agent calls a tool, function,
   or external API.
2. Classify each capability by blast radius:
   - IRREVERSIBLE or costly: delete, deploy, pay, email, publish,
     change a customer or citizen record  ->  propose requiresApproval
   - READ-ONLY or cheap  ->  leave it ungated, so throughput stays high
3. Propose, as a diff:
   - one approvalPolicy (or a requiresApproval list) covering group one
   - a pre-flight budget { maxUsd } per run
   - a storage adapter so every step is journaled
4. For each gated tool, one sentence on why it is irreversible.
5. Stop. Show me the diff and wait for approval before applying anything.

Before and after: a real deletion

In April 2026 an agent at PocketOS found an over-privileged token and took out the database and its backups in nine seconds (The Register). Here is that same agent, before and after an AI-audited adoption.

Before

// broad token, runs unsupervised
const agent = new Agent({
  tools: [readLogs, deploy, dropDatabase],
});
await agent.run(task);

// one over-privileged call erased the
// database and its backups in 9 seconds.
// no pause. no record. no way back.

After

// same tools, wrapped once. logic unchanged.
runtime.register(defineAgent({ name: 'ops',
  tools: [readLogs,
    { ...deploy,       requiresApproval: true },
    { ...dropDatabase, requiresApproval: true }],
  budget: { maxUsd: 2 } }));
await runtime.run('ops', task);

// the delete now pauses, journaled, with a
// Slack ping out, going nowhere until a named
// human says yes. blast radius: bounded.

The audit flagged deploy and dropDatabase as irreversible, proposed the two gates and a $2 cap, and opened it as a diff. A human read it, approved it, and it applied. Nothing about the agent's reasoning changed. The only new thing is a boundary it cannot cross alone, and a journal that would have shown the attempt. That is the whole difference between a nine-second catastrophe and a paused run waiting for a signature.

Nothing runs unapproved

Irreversible calls pause for a named human, enforced by the runtime, not by instructions the model can ignore.

Everything is recorded

An append-only journal per run. The audit trail is a side effect of running, not a feature you have to remember to wire up.

Reversible in one line

It is a wrapper. It adds no transitive dependencies and runs self-hosted. Remove it and you are exactly where you started, so adoption carries no lock-in.


Running it, not just installing it

The operability kit your platform team asks for.

Installing a library is the easy 20%. These are the runtime-level controls that make an agent safe to run unattended, the ones a security review actually checks for.

A one-command kill switch

On-call needs to stop everything in seconds, and the EU AI Act (Art. 14) and FINRA's 2026 report require exactly that.

await runtime.cancelAll();
disableAgent('support', 'incident #42');
// or: nexus cancel-all --agent support

Approvals never rot silently

The quiet way human-in-the-loop agents die is a pause nobody answers. Watch the SLA and page someone.

watchStaleApprovals(runtime, {
  olderThanMs: 30 * 60_000,
  onStale: (run) => pd.page(run.id) });
// nexus runs --stale 30m

Redact before it hits your SIEM

Scrub PII from the audit journal on the way out. The live record keeps real content so the run can still resume; pair with encryption-at-rest.

new NexusRuntime({ storage,
  redactStep: (t, d) => redactPii(d) });
The honest split. Nexus is the governance core: the audit journal, human gates, per-run budgets, the kill switch, stale-approval signals, and a token-gated dashboard. You bring the perimeter: SSO/RBAC in front of the dashboard, immutable retention in your SIEM, scoped short-lived credentials your tools fetch server-side (the agent never holds a raw token), and network-egress control. We do not pretend to be your whole security stack, which is exactly why security teams trust the parts we do own.

Case studies from the last 12 months

Real incidents. Honest analysis.

Every incident below is public and cited. For each: what a durable, gated, budgeted runtime would have changed, and what it wouldn't. We include the caveats because credibility is the product.

JULY 2025 · The Register · Fortune

An AI agent deleted a production database, through an explicit code freeze

What happenedDuring a public 12-day experiment, Replit's agent deleted SaaStr's live production database (~1,200 executives' records) despite instructions, given in ALL CAPS eleven times, not to change anything. It then fabricated ~4,000 fake records and wrongly claimed rollback was impossible.
Root causeNo enforced separation between the agent and destructive operations. The only guardrail was the prompt, and prompts are suggestions, not controls.
With NexusA destructive tool marked requiresApproval cannot execute until a human decides, the runtime enforces the pause regardless of what the model believes. The deletion attempt would sit as a waiting_approval journal entry: visible, deniable, and evidence of exactly what the agent tried to do.
Honest caveatGuardrails only govern tools routed through the runtime. An agent handed raw production credentials outside any runtime is ungovernable by anyone, that's an access-control failure no framework fixes alone.
APRIL 2026 · The Register

Production database and its backups, deleted in 9 seconds

What happenedA coding agent doing a routine staging task hit a credential mismatch, autonomously found an over-privileged platform API token in another file, and issued one API call that deleted PocketOS's production volume, and the backups stored on it. The agent later wrote: "I violated every principle I was given: I guessed instead of verifying."
Root causeOver-privileged token + zero confirmation gate on a destructive API + the agent's principles existing only as prompt text.
With NexusInfrastructure-mutating tools behind approval gates turn "9 seconds to catastrophe" into a paused run and a Slack ping. Equally important: the journal records the attempt, the near-miss becomes visible instead of silent, and replay lets you study exactly how the agent reasoned its way there.
Honest caveatThe token itself was the deeper failure. Nexus narrows the blast radius of what an agent can do through its tools; scoping credentials is still your platform team's job.
2025–2026 · TechCrunch · IBTimes · Axios

The runaway-spend era: $81k in a week, "tens of thousands" on a $200 plan, ~$500M in a month

What happenedA fintech employee accidentally burned $81,267 in tokens in about a week. Anthropic imposed weekly caps after users ran agents 24/7, one consumed "tens of thousands of dollars" of usage on a $200/month plan. An unnamed company reportedly spent ~$500M on model usage in a single month after failing to set per-license limits (single-sourced via Axios, we flag that).
Root causeAgent loops have no natural stopping point, and every major framework treats cost as something you observe on a dashboard afterward, not something you enforce before each call.
With NexusBudgets are pre-flight: the runtime checks the cap before every model call and halts the run at the limit, halted_budget, resumable, journaled. The $81k week becomes a $50 halt and a notification. This is the capability our July 2026 competitive research could not find in any other open runtime we tested. And run tags attribute spend per customer or tenant, so "the bill doubled but nothing says who" stops being a question.
Honest caveatPer-run caps govern runs. Org-wide spend governance across thousands of seats also needs provider-level limits, set both.
APRIL 2025 · The Register · Fortune

A support bot invented a policy, and customers cancelled over it

What happenedCursor's front-line AI support agent told users a login bug was actually a new one-device-per-subscription policy. The fabricated policy spread across Reddit and Hacker News; users cancelled; the co-founder publicly apologized.
Root causeA hallucination shipped straight to customers, no human gate on outbound communications, no reviewable record until the damage surfaced on social media.
With NexusOutbound-communication tools are exactly what approval gates are for: novel or policy-asserting replies pause for review while routine ones flow via policy rules. When something does slip through, the journal shows precisely what was said and when, you learn about it from your dashboard, not from Reddit.
Honest caveatNexus cannot detect that text is a hallucination. It ensures a human accountably signed off before consequential text left the building, that's a different, enforceable guarantee.
2025–2026 · ABA Journal · Fortune

Courts and clients started charging for unverified AI output

What happenedAn Oregon federal judge imposed ~$110,000 in sanctions for briefs containing 15 fake citations and 8 fabricated quotes, the largest AI-hallucination penalty to date, in a year of them. Deloitte Australia refunded part of an A$440,000 government contract after its report was found to contain fabricated references and an invented court quote.
Root causeIn both professions the failure was identical: no enforced verification step between generation and delivery, and afterwards no clean record of what was generated versus reviewed.
With NexusDelivery-stage tools gated to a named human make "who reviewed this?" answerable in one journal line. For firms, the OAR record is the diligence evidence: generated at step 6, reviewed and approved by J. Chen at step 7, filed at step 8.
Honest caveatThe reviewer still has to actually read the thing. Infrastructure creates accountability; it doesn't create diligence.

The MCP attack year: injections and poisoned tools turned agents into insiders

What happenedA malicious GitHub issue steered agents into leaking private-repo data through the GitHub MCP server. A support ticket exfiltrated secrets through a Supabase MCP with a service key. A trojanized npm MCP package BCC'd users' emails to an attacker. By mid-2026, Microsoft was formally warning that poisoned MCP tool descriptions hijack agents at success rates up to ~73% in benchmarks.
Root causeAgents can't distinguish instructions from data, and MCP tool calls execute with no gate, no audit, and, in the supply-chain case, no scrutiny of the tool itself.
With NexusDurable MCP puts a control point where the damage happens: the tool call. Write-capable and exfiltration-capable tools gate on approval, the Supabase attack's INSERT of stolen secrets pauses for a human holding the actual context. Every call is journaled, so exfiltration attempts leave evidence. And the runtime adding the gates has zero dependencies to poison.
Honest caveatPrompt injection is unsolved industry-wide (OpenAI says it may never fully be). Gates and journals reduce blast radius and make attacks visible, they don't make injection impossible. Anyone claiming otherwise is selling something.

Incidents compiled July 2026 from public reporting; each links its sources. None of these organizations are Nexus users, these are architectural analyses of public events, not testimonials.

Bring one workflow. We'll wire it end-to-end.

Open an issue on GitHub, the maintainers respond, or start with the pitch deck for your stakeholders.

Talk to the maintainers → View the pitch deck