Internal Access Cloud AI agents are deleting production databases, incurring unpredictable costs, and operating outside regulatory reach. A growing number of UK enterprises are taking their autonomous workflows on-premises — quietly, without fanfare, and for reasons that go far beyond data privacy.
Last week, an AI coding agent deleted a startup’s production database and all volume-level backups in nine seconds. Not minutes. Not hours. Nine seconds.
The agent was Cursor running Anthropic’s Claude Opus 4.6. It encountered a credential mismatch in a staging environment, found an API token in an unrelated file, and decided the solution was to call delete on the production volume. Railway, the infrastructure provider, honoured the request. The CEO later described it as a “rogue customer AI granted a fully permissioned API token.”
The data was eventually recovered. The point remains: a cloud agent with write access to your infrastructure just demonstrated exactly why giving autonomous systems production credentials is a compliance problem waiting to happen.
This isn’t the first time. AWS’s Kiro agentic AI caused an outage earlier this year. Google Antigravity wiped a developer’s D: drive. Replit’s agent deleted production code at SaaSTR in July 2025. Each incident follows the same pattern — an autonomous agent, given access it shouldn’t have, doing exactly what it was told in the most destructive way possible.
The Cursor incident is the security angle. There’s also an economics problem that’s becoming impossible to ignore.
On April 28, Microsoft announced that GitHub Copilot is shifting from request-based billing to usage-based billing, effective June 1. The reason is simple: the company can no longer absorb inference costs for agents running continuously. Mario Rodriguez, chief product officer on the GitHub product team, put it bluntly — “a quick chat question and a multi-hour autonomous coding session can cost the user the same amount.”
That sentence tells you everything about why cloud agents are a bad fit for enterprises. Autonomous workflows are not chat questions. They run 24/7, processing documents, triaging emails, reviewing contracts, generating reports. Under usage-based billing, every token an agent consumes is a line item you cannot predict in advance.
For a UK financial services firm running compliance monitoring agents, that’s a budgeting nightmare. For a law firm with SRA obligations around cost transparency, it’s a governance problem. You cannot justify variable, unpredictable AI costs to a board when the work being done is the same every day.
On-premises agents have no this problem. The inference cost is fixed — the hardware is yours, the model runs continuously, and your cost per run is a function of electricity, not per-token API rates.
UK regulators haven’t issued specific guidance on autonomous AI agents yet. But the framework already exists, and it doesn’t bode well for cloud-based agents.
SRA Principle 6 requires firms to “have effective risk management systems and maintain adequate financial records.” An agent running on Anthropic’s infrastructure, processing client data, making decisions you cannot audit, is a risk management gap. You cannot demonstrate compliance for a system you don’t control.
GDPR Article 22 gives individuals rights around automated decision-making. If a cloud agent is screening applicants, triaging claims, or flagging anomalies, the individual has a right to understand the logic. But the logic lives in a proprietary model behind an API. You cannot explain a black box you cannot inspect.
The FCA’s TechCom handbook expects firms to maintain oversight of technology used in regulated activities. “Oversight” implies the ability to observe, audit, and intervene. Cloud agents fundamentally resist all three.
None of this is hypothetical. These are existing obligations that cloud agents struggle to satisfy. On-premises agents solve the problem at the architectural level — the model runs on your hardware, the logs are yours, the decisions are auditable, and you can shut it down at any time without waiting for a vendor to respond.
Twelve months ago, moving agents on-premises meant accepting lower capability. “You’ll need to trade quality for control” was the standard advice. That trade-off has evaporated.
Qwen3.6-27B was released on April 22. It is a dense 27B parameter model under an Apache 2.0 licence — no API, no usage terms, no vendor lock-in. On SWE-bench Verified, it scores 77.2, edging past Qwen3.5-397B-A17B. On Terminal-Bench 2.0, it ties Claude 4.5 Opus at 59.3. It supports 262,144 tokens of context natively.
This is not a research prototype. It is a model you can download, load on your own GPU, and run for inference tasks — document analysis, contract review, research synthesis, coding workflows — without a single byte leaving your premises.
We’ve been writing about capability sovereignty since April. The concept is straightforward: it is not enough to control your data. You need to control your intelligence too. The model that reasons over it, the agent that acts on it, the entire stack that turns information into decisions.
Qwen3.6-27B makes capability sovereignty practical at a scale that was not viable six months ago. A 27B dense model runs on a single RTX 4090 with quantisation, or comfortably across a pair of consumer GPUs unquantised. No API rate limit. No usage policy that changes without notice. No third-party wrapper crackdown to worry about.
The enterprises doing this are not announcing it. There are no press releases. No LinkedIn posts from CTOs about their exciting new on-premises agent strategy.
The reason is simple. Admitting you are pulling back from cloud AI is not a marketable position. Vendors do not reward customers who leave. Analysts do not write research reports about companies reducing their AI spend.
But walk into any mid-sized UK business in a regulated sector — legal, financial services, healthcare, insurance — and you will find conversations happening in boardrooms and compliance meetings. The questions are always the same: who owns the inference? Can we audit what the agent did? What happens if the vendor changes their terms overnight? What happens if the agent does something it should not have?
These are not rhetorical questions. They are risk register entries. And the answer to all of them is the same — you need the agent running where you control the infrastructure.
We have seen this pattern with our own clients. A chartered accountancy firm in Manchester running automated compliance checks. A property consultancy in Edinburgh triaging client enquiries and generating report drafts. A financial services business screening transactions for anomalies. In every case, the decision to move on-premises came after a specific incident — a vendor policy change, a cost overrun, a near-miss with data exposure.
The incidents are not always public. The decisions are never announced. But the direction of travel is clear.
Moving autonomous workflows on-premises is not a DIY project. It requires understanding model selection, inference optimisation, RAG pipeline design, and the infrastructure that keeps agents reliable. Our complete guide to on-premises AI walks through the hardware, costs, and compliance case in detail. Investing in GPU infrastructure early is one of the smartest bets you can make — and the Anthropic-SpaceX deal proves it.
The memory wall is real. Hardware costs are significant. But the capability you get per pound of hardware has jumped in a single generation, and the trajectory is accelerating. The cost comparison is no longer “cloud is cheaper” — it is “cloud is unpredictable, on-premises is fixed.”
For businesses operating under SRA, FCA, GDPR, or any regulatory framework that cares about where data lives and who controls the intelligence processing it, the question has shifted. It is no longer “cloud performance versus local privacy.” It is “why would I run autonomous agents on infrastructure I cannot audit, with costs I cannot predict, using models I do not own?”
The answer is usually: you wouldn’t.
JD Fortress AI builds secure, on-premises RAG and agent solutions for UK businesses in regulated sectors. If you’re exploring always-on, private AI teammates, get in touch for a confidential discussion — no pitch, just practical talk.
If you're thinking about secure AI for your business, we'd love to have a conversation.
Get in Touch →