enterprise
Enterprise

Agents your auditors can live with.

Self-hosted, zero dependencies to review, hard budget caps, append-only journals, human approval gates, OpenTelemetry traces into your existing SIEM, and per-customer cost tags. Tap your industry.

Customer support

Today

Bots either can't act or act unsupervised, and bots inventing policy is a documented, reputation-burning failure.

With Nexus

Refunds under $50 auto-approve by policy; bigger ones ping a human in Slack. Budget caps each ticket. Every promise journaled.

Value

End-to-end resolution with per-run exposure capped at your threshold. Disputes settled by the journal.
Internal tooling & DevOps

Today

The 2025-26 pattern: an agent finds an over-privileged token and deletes production in seconds.

With Nexus

terraform_apply, delete_* pause for approval, enforced by the runtime, not by ALL-CAPS pleading (which demonstrably fails). Every run streams OpenTelemetry spans into your existing SIEM or APM.

Value

One prevented deletion pays for the rollout forever.
Finance

Today

Regulators flag missing agent decision-trails; the business wants agents anyway.

With Nexus

Four-eyes on payment tools in one line; thresholds mirror your delegation-of-authority matrix; journals map to books-and-records.

Value

"Reproduce run #4417 and show who approved it" = a file and a replay.
Healthcare

With Nexus

Local models on-prem (Ollama). PHI never leaves. Patient-affecting actions gated to a clinician, by name, journaled.

Honest caveat

Infrastructure, not a HIPAA program, your BAAs and clinical validation still apply.
Legal

Today

2025-26: repeated court sanctions (up to $110k) for unverified AI output.

With Nexus

Filings gated to a responsible attorney; the journal proves review happened, by name, with a timestamp.

Honest caveat

We can't detect hallucinations, we guarantee an accountable human was in the loop.
SaaS · E-commerce · Manufacturing · Automation · Agent platforms

The same primitive

Per-tenant budget ceilings and per-customer cost tags (SaaS) · bulk-mutation gates and pre-launch replay (e-commerce) · air-gapped deployment inside change-control (manufacturing) · multi-day durable processes with sign-offs (automation) · the execution layer under your agent product (platforms). Full playbooks with code on the desktop page.

Government & public sector

You are digitalising and unsure where AI belongs. The map is the same in Washington, Brussels, London and the Gulf: start on low-risk back-office work, keep a named human on every citizen-facing decision, keep an immutable record, and self-host so nothing leaves.

The rulebooks already ask for exactly this. US OMB M-25-21 wants human oversight, monitoring and a public inventory; the EU AI Act wants logging (Art. 12), oversight (Art. 14) and a rights assessment (Art. 27); the UK's ATRS wants a record per decision; Saudi's PDPL wants data in-Kingdom. Gates, the journal, budgets and the kill switch are the runtime half of every one of those lists.

Two disasters set the bar. The Dutch toeslagenaffaire wrongly branded roughly 26,000 families as fraudsters and toppled a government in 2021; Australia's Robodebt raised about A$1.76bn in unlawful debts and was ruled illegal. Both automated the decision with no accountable human and no record. Automate the work, never the accountability.
Tax & revenue

With Nexus

The agent drafts assessments and reconciles documents; issuing a demand or changing a liability gates to a named officer, journaled. The artefact Robodebt never had: a demand traced to the officer who approved it.
Benefits & eligibility

With Nexus

Score and triage freely; suspending a payment or denying a claim pauses for a caseworker, by name, with the reasoning attached. The explainable, attributable adverse action the toeslagenaffaire could not produce.
Nuclear & regulated infrastructure

With Nexus

Triage licensing submissions, draft inspector findings, flag gaps; filing a determination gates to the licensed reviewer. Air-gapped, local models. It stays in the paperwork, never the plant. A hard line, not a setting.
Classified & air-gapped

With Nexus

Zero dependencies and local models install inside the enclave with a security review your team can finish. No phone-home, because there is nothing to phone home to. Caveat: inheriting a boundary is not an authorisation; the ATO is still yours.
Gulf: UAE & Saudi Arabia

With Nexus

Run a sovereign Arabic model (ALLaM-class) on in-country hardware; every step stays inside the boundary and is journaled, matching Saudi PDPL residency. Citizen service, licensing and correspondence get a gated, recorded path. Caveat: not a sovereign cloud, not a certification, and Arabic accuracy is the model's job, not the runtime's.
What it is not, for government. Not FedRAMP-authorised, not an ATO, not a sovereign cloud, not a model. It stays out of every safety-critical control loop by design. It owns the one thing the toeslagenaffaire and Robodebt lacked: a named human on every irreversible action, and an immutable record of what happened and why.

Getting it in

You do not rewrite anything. Nexus wraps the agent you already run. Do it by hand, or let an AI audit your repo and propose the gates. Both end with a human approving.

By hand

Install @nexusaiframework/runtime, wrap your tools and flag the irreversible ones requiresApproval: true, register the agent with a budget, pick storage (that file is your journal), run nexus serve. The API is small on purpose.

Or let an AI audit it

Point Claude Code or Cursor at your repo with the prompt below. It classifies every capability by blast radius and proposes gates, a budget and journal wiring as a diff. It changes nothing until you approve. Recommended even if you finish by hand.

# paste into your coding agent
Audit this repo to adopt @nexusaiframework/runtime.
Do NOT change behaviour yet.
1. Find every LLM or agent tool / API call.
2. Classify by blast radius: irreversible
   (delete, deploy, pay, email, change a
   customer or citizen record) vs read-only.
3. Propose as a diff: an approvalPolicy for
   the irreversible calls, a budget per run,
   and storage so every step is journaled.
4. Stop. Show the diff, wait for approval.

Before and after: a real deletion

April 2026: a PocketOS agent found an over-privileged token and erased the database and its backups in nine seconds. The same agent, after an AI-audited adoption:

Before

Broad token, runs unsupervised. tools: [readLogs, deploy, dropDatabase]. One over-privileged call, no pause, no record, no way back.

After

Same tools, wrapped once, logic unchanged. deploy and dropDatabase gated with requiresApproval: true and a $2 cap. The delete now pauses, journaled, with a Slack ping out, going nowhere until a named human says yes. Blast radius: bounded.

The audit flagged the two irreversible calls, proposed the gates and cap as a diff, a human read and approved it, it applied. The agent's reasoning never changed. The only new thing is a boundary it cannot cross alone, and a journal that would have shown the attempt. That is the whole difference between a nine-second catastrophe and a paused run waiting for a signature.

The operability kit

The runtime-level controls a security review checks for. The perimeter stays yours.

One-command kill switch

runtime.cancelAll() stops every non-terminal run; disableAgent() refuses new ones. The stop button the EU AI Act and FINRA require.

Approvals never rot silently

watchStaleApprovals() pages someone when a pause blows its SLA. nexus runs --stale 30m from the CLI.

Redact before your SIEM

A redactStep hook scrubs PII from the audit journal; the live record keeps real content so the run can still resume.

The honest split. Nexus is the governance core: journal, gates, budgets, kill switch, token-gated dashboard. You bring the perimeter: SSO, SIEM retention, scoped credentials, egress control.

Case studies, the last 12 months

Public incidents, cited. Honest caveats included, because credibility is the product.

Replit deleted a production DB Jul 2025

Through an 11×-ALL-CAPS code freeze. Prompts are suggestions; approval gates are runtime invariants, the deletion would sit paused, journaled, deniable. Caveat: raw credentials outside any runtime are ungovernable by anyone. Source

PocketOS: DB + backups gone in 9s Apr 2026

Agent found an over-privileged token and issued one destructive call. Gated infra tools turn that into a pause + a Slack ping, and the journal records the attempt. Caveat: credential scoping is still your platform team's job. Source

$81k in a week · ~$500M in a month 2025-26

Runaway agent spend is now a genre. Nexus budgets are pre-flight: checked before each call, halting at the cap. Of the open runtimes we tested (July 2026), it's the only one that ships this natively. Run tags attribute every dollar to the customer that caused it. Caveat: org-wide governance also needs provider-level limits. Source

A support bot invented a policy Apr 2025

Cursor's bot told users a fake policy; customers cancelled. Outbound-comms gates + journals mean you learn from your dashboard, not Reddit. Caveat: we ensure accountable sign-off, not hallucination detection. Source

The MCP attack year 2025-26

Injections and poisoned tools exfiltrated data through agent toolchains; Microsoft now formally warns about it. Durable MCP gates the tool call, where the damage happens, and journals the evidence. Caveat: injection is unsolved industry-wide; we bound blast radius. Source

Bring us one workflow → Pitch deck (swipe-friendly)