A Phronexa agent reasons toward a goal, chooses from 100+ governed tools, and acts in your live systems as the real person, never a shared account. Bounded, reversible, and human-approved where it counts.
- Reasons and acts
- 100+ governed tools
- Acts as the real user
- Human-in-the-loop
It reasons, acts, and observes, in a bounded loop.
Not a single tool call. An agent runs a reason, act, observe loop toward the goal, and every turn is capped, budgeted, and governed.
Take the goal
Starts from a plain-language goal, its scoped knowledge, and the exact tools it's granted.
Reason
Plans the next step, and asks a person rather than invent a name, date, or id it doesn't have.
Choose a tool
Picks one governed tool to move forward, or delegates the part to a specialist sub-agent.
Act, governed
Runs the tool through one governed executor, with identity, confirmation, and approval enforced.
Observe
Reads the result and corrects, blocking a tool that keeps failing so it never loops in place.
Finalize
Delivers the result, or a best-effort answer if the budget runs out, but never nothing.
A manager agent, delegating to specialists.
One agent rarely does it all. A manager breaks the work down and hands each part to a scoped specialist sub-agent, up to three levels deep, with cycles refused and the whole team unwinding together if anything fails.
- A manager delegates to bound specialist sub-agents, up to three deep
- Every sub-agent runs under the same identity, never a privilege gain
- Each is limited to its own knowledge and its own granted tools
- One shared budget, so delegation can never run away

100+ governed tools, each approved before an agent can use it.
Tools are how an agent acts. Every one is a governed capability that declares its side-effect, its confirmation, its identity requirement, and how to undo it, and only an approved capability can ever be granted to an agent.
- 100+ built-in tools: databases, files, CRM, messaging, web, Microsoft 365
- Each declares read, write, or irreversible, plus confirmation and rollback
- Import tools from an MCP server, an OpenAPI spec, or a manifest
- One governed executor runs every call, so nothing bypasses the rules

It acts as the real person, never a shared account.
When an agent reaches a live system, a mailbox, an MCP server, a CRM, it goes as the actual user who asked, on-behalf-of. It exchanges their identity for a downstream token, requests consent when an account isn't linked, and steps up for sensitive actions. Everyone only ever moves what they're cleared to.
On-behalf-of tokens carry the real user's identity downstream (RFC 8693)
Connected accounts, with consent requested when they aren't linked
Delegation, not impersonation, and never a shared service identity
Step-up for sensitive actions; automated runs can't act as a person
Autonomy with the guardrails built into the run.
Every agent inherits the same guarantees, so letting one act on real, consequential work stays safe.
Human-in-the-loop
- Sensitive steps pause for a person to approve
- Maker-checker: the approver is never the requester
- Signed, single-use approval links and an inbox
- Timeouts and cancellation are first-class
Reversible, no double-actions
- Nothing runs twice, even on retry
- Failed multi-step work rolls back in order
- Each committed action registers its own undo
- The manager and its sub-agents unwind together
Bounded reasoning
- A hard cap on how many steps it can take
- A budget on tokens, time, and calls
- A failing tool is blocked, not retried forever
- Always finishes with a result, never a dead end
Recorded and attributable
- Every step recorded with masked inputs and outputs
- Attributable to a verified person and the exact agent version
- A tamper-evident, hash-chained audit trail
- Even a denied action leaves a trace
Certified before it goes live.
An agent is graded against a suite of goals before it can publish. It must produce a sound, governed plan for the goals it should handle, and decline the ones it shouldn't. A plan that quietly does the wrong thing is exactly the failure the harness is built to catch.
- Cases for real goals, multi-step work, out-of-scope, and adversarial
- A green run certifies the agent for its current configuration
- A quiet wrong plan is flagged as a silent failure, not a pass
- Re-graded whenever the agent or its tools change
The same governed agent, on every channel.
Deploy an agent to the web widget, to Microsoft Teams with native single sign-on, and to WhatsApp Business. Same knowledge, same tools, same governance, with the real user's identity carried into every run.
- Web widget, Microsoft Teams, and WhatsApp Business
- Native Teams SSO, so it acts on-behalf-of the signed-in user
- Grounded, cited answers and governed actions, in the channel
- Voice questions in and spoken answers out

Run on demand, or on an event.
A run can start from a person or from the world: a schedule, an incoming webhook, a new file, a database change, a shared mailbox, an intake form, or a Teams message.
Governed tools, on real channels.




Sovereign, Arabic-first AI, ready to prove its value on-premises, in weeks.
Start with one high-value use case and measure it on real data.