Printed from Production AI Institute public record

https://www.productionai.institute/insights/cursor-enterprise-organizations-psf-assessment-2026

Production AI Institute · Public recordRecord
Production AI Institute
Briefing
Briefing

Today's public AI briefing: what changed, what went wrong, and what the evidence says.

Open Briefing →
Today's AI briefingThe daily record of what changed and broke.Public record explorerSearch every incident, entity, and source.
Check
Check

Inspect tools, incidents, and data-use disclosures against the public record.

Open Check →
Check an AI toolWhat a tool actually does with your data.Run exposure checkTest your own stack against the record.Data-use indexDisclosures across the major AI tools.Incident registryDocumented production AI failures.
The Lab
The Lab

Independent research instruments: model and agent scorecards, moral-reasoning evals, and ecosystem assessments.

Open The Lab →
The LabHow frontier models and agents actually perform.AI Morality CompassTest models on hard moral cases.Agent readinessIs the agent ecosystem production-ready?Ecosystem assessmentsIndependent reviews of the AI stack.Model & agent evalsOpen evaluations and their results.Research libraryEvidence-led analysis and briefings.
Learn
Learn

The open standard, the tools built on it, and the research that interprets the record.

Open Learn →
The FrameworkThe open production safety framework, explained.AI Adoption GuideFive stages from gated access to safe autonomy.Production AI Deployment GuideBuild a governed production system on Microsoft or AWS.Five-Year Automation RoadmapSequence enterprise capability, controls, and value.WorkflowOS · open sourceBuild governed AI workflows.Workflow libraryReady-made governed workflows.InsightsResearch articles on the record.
Act
Act

Turn uncertainty into public evidence: ask, disclose, build evidence, or correct.

Open Act →
Ask for disclosureRequest a public data-use answer.Submit a correctionFlag something wrong or missing on the record.Save a watchTell PAI what to keep current for you.
Method
Method

How the public record is made, governed, corrected, cited, and kept independent.

Open Method →
How records are madeSourcing, review, and correction.
Check an AI tool
Record
Record
Check an AI tool
Production AI public record - EditorialMethod →
Insights / PSF AssessmentCursor Enterprise · June 3, 2026

Cursor Enterprise Organizations in Production: A PSF Domain Assessment

Cursor shipped Organizations, Teams, and Groups for Enterprise customers on June 3, 2026. The release adds org-level IdP, usage rollups, and per-team agent governance; permissive-merge rules mean admins must design team boundaries deliberately.

Production AI Institute · 10 min read · Updated June 2026
Independence disclosure: The Production AI Institute has no commercial relationship with Cursor. This assessment is based on the June 3, 2026 changelog entry for Enterprise Organizations GA, public documentation cited below, and our prior Cursor SDK, 3.5 Automations, and 3.6 Auto-review assessments. Cursor was not consulted in preparing this evaluation.

On June 3, 2026, Cursor announced that Enterprise Organizations are generally available. Enterprise customers can manage multiple Cursor teams from one organization: a top-level container for company identity, administration, membership, and a rollup of spend and token usage. Each team remains the operating unit for a department or subsidiary, with its own security, governance, spend, and feature settings. Groups are lightweight user collections that can set model access, spend limits, and agent permissions without creating a full team. Users may belong to more than one team with different roles; when policies conflict across teams or groups, Cursor applies the most permissive setting.

This release sits alongside our Cursor 3.6 Auto-review assessment (runtime tool-call governance), 3.5 Automations assessment (scheduled cloud agents), and the April 2026 Cursor SDK assessment. Organizations answer how enterprises partition agent capability; Auto-review answers how individual tool calls execute inside a session.

Release scope assessed

CapabilityStatusDate
Organizations (org-wide admin, spend rollup)GA, all Enterprise customers2026-06-03
Teams under organizations (per-team security, governance, spend)GA; existing team preserved as default2026-06-03
Groups (model access, spend limits, agent permissions)GA2026-06-03
Org-level IdP, usage analytics, user moves (dashboard, API, CSV)GA2026-06-03

PSF domain scorecard

Ratings reflect Enterprise Organizations as documented in the June 3, 2026 changelog. Domain definitions: Production Safety Framework.

DomainRating
D1Input GovernancePartial
D2Output ValidationGap
D3Data ProtectionPartial
D4ObservabilityStrong
D5Deployment SafetyStrong
D6Human OversightPartial
D7SecurityPartial
D8Vendor ResilienceGap
D1

Input Governance

Partial

Groups can scope model access and agent permissions per cohort, but permissive-merge rules mean the least restrictive team or group policy wins when users span boundaries.

The June 3, 2026 changelog positions Groups as lightweight collections that set separate model access, spend limits, and agent permissions without standing up a full team. That is a useful input gate for contractors, interns, or regulated data handlers. Cursor also states that when a user belongs to more than one team or group, the most permissive setting wins. That merge rule can silently widen tool and model access relative to the team an admin thought was authoritative. Input governance for production agents still requires repo scoping, MCP allowlists, and prompt-injection controls documented in our Cursor 3.6 Auto-review assessment; Organizations govern who may run agents, not what untrusted content enters context.

Practitioner action: Document effective permissions per user after merge, not per team label. Restrict high-risk MCP connectors to single-team memberships. Pair org policies with repo-level content tagging before enabling production automations.
D2

Output Validation

Gap

Organizations, Teams, and Groups are administrative containers; they do not validate agent outputs, PR diffs, or customer-facing text before side effects complete.

Enterprise Organizations GA improves how admins partition spend, features, and agent permissions. It does not introduce schema validation, policy tests, or human sign-off on generated artifacts. Teams running Cursor Automations with multi-repo attachments still need OutputContracts and CI gates independent of org structure. Compare with our Cursor SDK and 3.5 Automations assessments: output quality remains deployment-layer work even when governance improves at the tenant boundary.

Practitioner action: Require PR and canvas review before merge regardless of team membership. Add linters and contract tests in CI that org settings cannot bypass. Map each team to allowed consequence classes for agent-delivered changes.
D3

Data Protection

Partial

Per-team security and governance settings support data-boundary intent; permissive merge and multi-team membership can blur boundaries unless admins design isolation deliberately.

Cursor documents that each team under an organization may carry its own security, governance, spend, and feature settings, which is the right primitive for separating production from experimentation. Users may belong to multiple teams with different roles, and groups can span teams. Without explicit membership hygiene, a engineer on both a production team and a sandbox team inherits the union of permissions. Org-level IdP management centralizes identity, but data residency and MCP data flows still depend on which repos and connectors each team enables. Regulated deployers should treat Organizations as a policy map, not as automatic data isolation.

Practitioner action: Prohibit dual membership across regulated and non-regulated teams unless merge outcomes are audited weekly. Vault secrets outside repos. Restrict Fetch and MCP per team before expanding org rollout.
D4

Observability

Strong

Organization-level usage analytics with drill-down to each team give platform teams a rollup view of token spend and activity that prior single-team dashboards lacked.

The June 3, 2026 release adds organization-level usage analytics with drill downs to each team, plus a rollup of spend and token usage across the entire Cursor setup. That directly supports PSF Domain 4 for chargeback, anomaly detection, and proving which business unit drove agent load during an incident. The changelog does not describe export to SIEM or OpenTelemetry, so enterprises should still correlate Cursor usage signals with infrastructure logs on systems agents touch. This is a meaningful upgrade over managing disconnected team instances without a parent rollup.

Practitioner action: Export weekly org analytics to your cost and security dashboards. Alert on team-level spikes after org policy changes. Retain usage metadata for your compliance window.
D5

Deployment Safety

Strong

Versioned GA release, preserved default team for existing customers, inherited settings for new users, and admin moves between teams support staged enterprise rollout of agent features.

Cursor states Enterprise Organizations are generally available to all Enterprise customers on June 3, 2026. Existing customers keep their current team as the default home for login, routing, and creating new teams, which reduces migration shock. New users joining a team inherit settings and permissions automatically, lowering configuration drift. Admins can move users between teams through the dashboard, API, or CSV. Combined with per-team feature flags and our prior assessments of Auto-review (3.6) and Automations (3.5), platform teams can pilot agent capabilities on a non-production team before promoting patterns org-wide.

Practitioner action: Pin client versions during org migration. Pilot Organizations on one business unit for two sprints. Disable auto-merge on agent PRs until team boundaries are validated.
D6

Human Oversight

Partial

Administrative segmentation clarifies who may run agents under which policy, but runtime human approval for high-consequence tool calls still depends on Auto-review and practitioner runbooks.

Organizations improve accountability: admins see org-wide membership, can enforce IdP at the organization layer, and can scope agent permissions through groups. That is oversight of access, not oversight of execution. Shell, MCP, and Fetch decisions during long agent sessions still flow through run modes documented in our Cursor 3.6 assessment unless teams configure classifiers and allowlists. Multi-team users with permissive merge may bypass the stricter oversight profile admins assigned to a production team label.

Practitioner action: Map teams to consequence classes. Keep production teams single-membership where possible. Require human approval for deploy and customer comms tools regardless of org tier.
D7

Security

Partial

Org-level IdP and per-team security settings strengthen enterprise identity posture; permissive merge and group sprawl are the primary new attack paths to model in threat reviews.

Organization-level IdP management consolidates authentication for multi-team enterprises, which reduces orphaned accounts across separate Cursor tenants. Per-team security settings let security teams align agent features with trust zones. The changelog explicit most permissive wins rule is a dual-edged control: it improves developer velocity for users on overlapping teams but aids privilege expansion if an attacker compromises a low-trust team membership. Groups that grant broader model or agent permissions without a full team boundary need the same supply-chain review as MCP connectors in our CAIS-aligned guidance.

Practitioner action: Threat-model permissive merge in red-team exercises. Deny by default on production teams. Review group membership monthly and remove stale cross-team access.
D8

Vendor Resilience

Gap

Organizations, Teams, and Groups are Cursor-specific tenancy primitives without portable policy export to alternate agent platforms.

PSF Domain 8 asks what happens when vendor defaults change or teams must exit. Cursor org structure does not translate to Microsoft Foundry, OpenAI Codex on Bedrock, or self-hosted harnesses. A changelog shift to merge rules, inherited defaults, or analytics retention could alter enterprise risk without a practitioner-owned rollback artifact. Teams mixing Cursor with Azure-hosted models should document fallback runbooks that do not assume org-level analytics or group permissions exist elsewhere.

Practitioner action: Export team policy definitions to version control as human-readable runbooks. Maintain a secondary agent platform with quarterly parity drills. Re-assess after each Enterprise changelog.

Certification and stack context

Teams rolling out Organizations should align tenancy design with AIDA (AI Deployment Associate) deployment checklists before granting production-repo access on multiple teams. Org-level usage analytics support CLOE (Certified LLM Operations Engineer) cost and incident practices. Permissive-merge and group permission reviews map to CAIS (Certified AI Safety Specialist) tool-access guidance. Compare platform alternatives in our agent framework comparisonwhen R&D and engineering agents share an enterprise stack.

Sources

  • Cursor Changelog: Enterprise Organizations (June 3, 2026)
  • Production AI Institute: Cursor 3.6 Auto-review PSF Assessment
  • Production AI Institute: Cursor 3.5 Automations PSF Assessment
  • Production AI Institute: Production Safety Framework
  • Production AI Institute: PSF Domain 5 Deployment Safety
  • Production AI Institute: Agent framework comparison

Scores are structured assessments against PSF v1.1, not empirical lab results. Revisit when Cursor publishes structured policy export, SIEM integration for org analytics, or changes to permissive-merge behaviour.

Use this assessment against your own deployment. The readiness check scores a live system against the same PSF controls.

Run a readiness check on your deployment →
Public record

This record is maintained by PAI and free to cite. If something is wrong or missing, tell us. Corrections and source suggestions keep the record honest.

Follow policy changes ->Save a watch ->Submit a correction
Records are free to cite. citation guidance.
PAI
Production AI Institute

The public record and operating memory for production AI: what changed, what broke, and what the evidence says.

WorkflowOS · open source (MIT)
Navigate
Briefing
OverviewToday's AI briefingPublic record explorer
Check
Check an AI toolRun exposure checkData-use indexIncident registry
The Lab
The LabAI Morality CompassAgent readinessEcosystem assessmentsModel & agent evalsResearch library
Learn
The FrameworkAI Adoption GuideProduction AI Deployment GuideFive-Year Automation RoadmapWorkflowOS · open sourceWorkflow libraryInsights
Act
Ask for disclosureSubmit a correctionSave a watch
Method & trust
How records are madeCorrectionsHow to citeContact
© 2026 Production AI Institute · CC BY 4.0
AboutPrivacyTermsSecurityGovernanceIndependence