Enterprise resource
Secure Deployment Checklist
Checklist for secure enclave, on-prem, and private cloud deployment patterns.
Checklist
- No inbound access to protected networks required
- Signed test capsules with versioning
- Enclave gateway verifies signatures and policy
- Local edge runner deployment documented
- Runtime execution without external model calls
- Local-only evidence mode available
- Sanitized egress optional and approved
- PAM-compatible credential brokering
- Audit trail for capsule promotion and runs
- Human approval on remediation paths
- Air-gapped import procedure documented
- Private cloud region and isolation confirmed
- On-prem control plane option evaluated
- Redaction policies for screenshots and fields
- Runner allowlists and binary signing
- SSO/RBAC for control plane users
- Incident response for compromised runner
- Data flow diagram reviewed by security
- Conservative pilot scope defined
- Representative scenario for a regulated workflow documented
- Default-deny egress verified
- Upgrade cadence aligned with change windows
