Skip to content
デプロイメントアーキテクチャ

The CISO's Deployment Guide to Autonomous Reliability Inside the Secure Enclave

A CISO's deployment blueprint for running Edge Runners and signed capsules inside the enclave, no inbound access, no external model calls, answering the security review.

Zof Reliability Team · エンジニアリング & プロダクト

2025年6月17日 · 読了時間 8 分 · 2025年6月17日 更新

Share
01

Why autonomy changes the threat model

A passive testing tool stores data. An autonomous reliability system observes your services, decides what to validate, and acts inside your perimeter. That shift in capability is also a shift in liability. The pressure to adopt it is real: roughly 41% of code is now AI-generated, close to 45% of AI coding tasks introduce a critical flaw or security issue, and around 80% of developers admit to bypassing policy and guardrails when controls slow them down. The defect rate per change is up, the volume of change is up, and the controls are routinely routed around. That is the operating reality behind the roughly $2.41 trillion annual cost of poor software quality.

A CISO cannot answer that with more AI reaching deeper into core systems. The right posture is the opposite: governed autonomy with a tightly bounded footprint, where every action is signed, scoped, attributable, and recorded. The design goal of an enclave deployment is to get the leverage of coordinated agent planning without putting an opaque model on the critical path inside your most sensitive segment.

02

Principle: split the planes so the model never touches the data

The architectural move that makes this defensible is separating *thinking* from *doing*. Zof's secure-enclave deployment splits the control layer into three planes with deliberately different trust requirements.

  • Intelligence Plane. Planning and generation: requirements analysis, System Graph modeling, risk prioritization, test generation, and capsule assembly. Runs in Zof Cloud, your private cloud, or on-prem, per your policy. It does *not* execute against protected applications and never receives raw payloads.
  • Control Plane. Governance: human approval, role-based controls, cryptographic signing, capsule versioning and promotion, scheduling, and evidence routing. Your signatures decide what is allowed to run.
  • Execution Plane. Validation itself, entirely inside your infrastructure: local browser, API, and desktop checks, local artifacts, and redaction. No external model calls at runtime.

The security property that falls out of this is the one your review cares about most: the plane that needs the most powerful models touches the least sensitive data, and the plane that touches production-adjacent systems runs no models and makes no outbound calls. The model is never on the data path inside the enclave.

03

The eight questions a security review will ask

Map each control to the question it answers. If a vendor cannot answer these in one diagram, treat the boundaries as undefined.

  • Where does test data live? Inside your segment. Execution and evidence stay local by default.
  • Who can reach the execution environment? No one, inbound. The enclave gateway opens no listening port for an external orchestrator. The boundary stays one-directional.
  • What leaves the network? Only what you explicitly permit, scrubbed on the runner side before it crosses the boundary. Egress is default-deny.
  • What identity does the runner use? Short-lived credentials pulled from your PAM and secret vaults at execution time. No long-lived vendor-held keys; secrets never appear in prompts, capsule payloads, or external logs.
  • What can the control plane actually do inside the perimeter? Only emit signed capsules. It cannot push work the enclave has not agreed to accept, and it cannot reach internal systems directly.
  • What is the blast radius if a capsule is malicious or compromised? Bounded by the manifest: scoped commands, allowed endpoints, timeouts, and data-classification labels. Anything outside the manifest does not execute.
  • How do we prove what ran? Every action traces to a signed, scoped, versioned capsule rather than an opaque model decision.
  • Can a fix push itself to production? No. Agents propose; humans authorize.
04

Signed capsules: supply-chain integrity for agent work

The artifact that crosses from planning to execution is a signed test capsule, an immutable, versioned, approved package, not an ad hoc script synthesized at runtime. This is a supply-chain control, and it is the part most "AI does the testing" stories quietly skip. If the thing that ran was generated on the fly and is gone afterward, there is no stable artifact to review, no signature to verify, and no way to prove that what executed in production-adjacent infrastructure was the thing a human approved.

A capsule inverts that. The work is assembled and reviewed *before* it can run, signed, promoted through versioning, and only then admitted. The enclave gateway verifies the signature, enforces policy, stages the package, logs every action, and triggers execution, without opening inbound access. The manifest is the scope. The signature is the attestation. The version is the chain of custody. A runner that receives anything unsigned or out of policy rejects it; that rejection is itself a control you should demand to see demonstrated.

05

The Edge Runner: where to concentrate isolation

The Edge Runner is the only component with reach into sensitive systems, which makes it the right place to concentrate your hardening. It executes the approved capsule locally, authenticates through your PAM, captures evidence, applies redaction, and produces reports inside the protected network. You decide where runners live, what they may touch, and how artifacts leave, governed by runner allowlists and identity so every execution is attributable.

Treat the runner like any other privileged workload: least-privilege network policy, dedicated identity, segmentation that matches your zero-trust model, and short-lived credentials. The design lets you fold it into controls your auditors have already approved rather than carving an exception. Sensitive runtime data never has to leave the segment to be validated against.

06

Evidence is a control decision, not a vendor default

Regulated deployments usually break down at evidence, because the default assumption is full log exfiltration to a central service. Zof inverts that default: you choose how evidence leaves the execution plane, if it leaves at all.

  • Local-only for the highest sensitivity, evidence never leaves the segment.
  • Sanitized egress with field masking, so summaries flow without raw payloads.
  • Metadata-only routing for reliability dashboards, correlation IDs, not raw export.
  • Per-environment retention aligned to your compliance program, with no mandatory full-log exfiltration.

The runner produces a complete, redactable evidence bundle locally. What you publish outward is a policy decision your team enforces and records, not something a vendor enables by convenience.

07

Governance is the engineering: agents propose, humans authorize

The temptation with autonomy is to let the system close the loop on its own, including the fix. For regulated software that is reckless, and unnecessary. Zof's model is explicit: agents propose, humans authorize. Remediation is the hardest, most consequential part of the loop, so it is the most governed. Human approval and role-based governance gate capsule promotion and any governed remediation before production impact. Separation of duties applies to production changes, emergency paths still require named approvers, and rollback is verified before a change is closed.

Prioritization keeps that human queue defensible. Because the System Graph makes validation change-aware, the fleet focuses on what is genuinely reachable and exploitable, reachability-based prioritization can mean 70 to 90% less exploitable exposure, which keeps approvers focused on what matters instead of drowning in noise. A serious enterprise does not want more AI acting on its core systems; it wants control over what acts, when, and on whose signature.

08

What to do Monday morning

A conservative path that respects the boundary:

  • Map one regulated workflow in the System Graph so validation is scoped to what actually changed.
  • Pilot in local-only evidence mode. Prove value with zero egress before deciding what, if anything, leaves the segment.
  • Wire approvals to existing change control. Reuse your ITSM and separation-of-duties chains; do not invent a parallel process.
  • Demand the demonstrations, not the claims. Watch a runner reject an unsigned capsule, confirm default-deny egress is logged, and verify PAM integration with short-lived credentials.
  • Start with validation, not remediation. Let the loop prove out under human authorization before granting any governed fixing.

For the wider context on shipping AI-generated code safely in regulated environments, the security debt crisis is a useful companion read.

09

The bottom line

関連ガイド

続きを読む

01Zof Console

姿勢、操作、次に注意が必要なことを 1 つの面で確認できます。

エンジニアリング、QA、SREの各チームが毎日開く認証済みのホーム。品質の姿勢、進行中の実行、モジュールごとのカバレッジ、そして次に注目すべきことが分かります。

運用上の KPI

実行数、カバレッジ、リスク

出荷先のあらゆる環境に対応します。

ワークスパイン

仕様・テスト・スケジュール

仕様から計画された回帰まで。

ガードレール

RBAC・SSO・監査

指定された人間に起因するすべての行為。

LIVE/console
Zof AI ホーム コマンド センターには、94% パスでの 12 件の実行、3 つの未解決の重大な問題、84% のカバレッジ、4 つのモジュール トレーサビリティ バー、仕様パイプライン、今後のスケジュール、アクティブ実行サイドバー付きの推奨される次のアクションが表示されます。
ホーム ビュー · チェックアウト サービス · ステージング · 製品からライブでキャプチャ。
  • 01 · RUNS · 24H

    94% pass

    12 runs across staging

  • 02 · COVERAGE

    84%

    Across four modules

  • 03 · ACTIVE RUNS

    3 running

    Live on this branch

  • 04 · NEXT ACTIONS

    Recommended

    Triage gaps, new spec

The CISO's Deployment Guide to Autonomous Reliability Inside the Secur