Two phases, separated by design. The AI reasons and recommends — and it can be tricked. Then the kernel, with zero AI, extracts every factual claim from the request and resolves each against the real record. A lie gets ✗ CONTRADICTED, and the AI's verdict is overridden. No other AI payment system can show this, because they stop at "did the agent ask nicely?"
Nemotron reads the customer's message and proposes APPROVE or DENY based on what they claimed. It can be prompt-injected, flattered, or lied to. That's fine — it isn't the last line of defense.
The enforcement engine extracts every factual claim and resolves each against the real order database. A false claim gets ✗ CONTRADICTED. The AI's verdict is then overridden if the facts don't hold.
The moment to watch is when the AI says approve and the kernel says deny. That gap — the AI being fooled and the kernel not caring — is what Custodian is. Because the verification is deterministic, it needs no model, no key, and no trust in the agent.
The same two-phase pattern applies wherever a request makes factual assertions that a ledger can confirm or contradict.
"The package never arrived." The ledger says it was delivered and signed for.
PO amounts, vendor terms, and approval thresholds checked against the record.
Unapproved providers, cost anomalies, and NVIDIA NIM job claims verified.
Payment window, indemnification, auto-renewal — every clause checked against the template.
Say the package never arrived, or the amount was different, or legal verbally agreed. The kernel knows the truth — and it doesn't care how convincingly the agent asks.