Chapters: 
Get Smart

TDD will start with the Business Rules. The "product" that demos without a Guide Book, will not be trusted. 

The actual test values are TBD but the test can accept the values on a Rule Sheet. 

business problem
client risk
regulatory/compliance need
operational pain
acceptable action boundaries
audit/reporting requirements
human approval model

The DEV can answer: 

    what the product does : protect and auto patch
    what actions are allowed or prohibited : we do not have any info from the client 
    what evidence supports findings
    what guardrails are implemented: Business rules - the clients will later clarify what are their business rules 
    what remains manual or approval-gated
    what compliance/security assurance gaps exist: Industry compliance 
    what can be safely demonstrated without deploying into a client network: On Corp Azure deployed, tested

But the Business Rules should be defined above the tool, not underneath it.

Our new project seed is:

Take the useful idea: evidence-based, policy-governed security automation.
Build it using the Get Smart pattern: normalize input, classify status, flag uncertainty, produce traceable output, keep source-of-truth corrections outside the runtime.

The Get Smart-shaped security framework

The Get Smart framework already has the bones: 

raw input
→ normalized record
→ deterministic rules first
→ status classification
→ review_required when uncertain
→ human-readable output
→ traceable summary
→ source-of-truth correction loop

For security/compliance: 

telemetry / package inventory / config status
→ normalized security event or asset record
→ policy/baseline evaluation
→ compliant / non_compliant / stale / unknown / review_required
→ finding + evidence + recommendation
→ approval-gated action
→ audit trail

That is the product idea. 

Product principle

No action without evidence. No automation without policy. No confidence without traceability.

That can become a standalone project, regardless of what happens to AACM does.

New project concept

Working description:

A governed security/compliance decision framework that ingests approved system evidence, evaluates it against policy, produces traceable findings, recommends remediation, and gates action through human or policy approval.

Not invasive by default. Not “AI does everything.” Not “SSH into client systems.” Not Kubernetes cosplay.

Business benefits to gather

Start here: 

Reduce time to identify outdated packages.
Improve consistency of compliance checks.
Create traceable evidence for findings.
Reduce manual review burden.
Separate recommendation from action.
Prevent unauthorized remediation.
Escalate uncertain results for human review.
Support audit/reporting.
Avoid touching live/personal/client data during testing.

Those are real benefits. They do not depend on the DEV.

AACM Early business rules

You can define these rules without access to source: 

BR-001: System must show evidence for every finding.
BR-002: System must classify unknown or incomplete data as review_required.
BR-003: System must separate finding, recommendation, approval, and action.
BR-004: Remediation must be approval-gated unless policy explicitly allows it.
BR-005: Destructive actions are prohibited.
BR-006: Demo mode must use synthetic or sandbox data only.
BR-007: The system must log findings, decisions, approvals, and action results.
BR-008: Deterministic checks must be used where possible before AI reasoning.
BR-009: AI output must not be treated as authoritative without evidence.
BR-010: Policy source must be visible for compliance decisions.

That is your thing.

The Get Smart Stamp

Is defined by Policy that considers:  

| Machine type                       | Why agents are risky                               |
| ---------------------------------- | -------------------------------------------------- |
| Legacy servers                     | old OS, fragile dependencies, unknown side effects |
| Medical/industrial systems         | certified configuration, vendor restrictions       |
| OT/ICS machines                    | uptime and safety concerns                         |
| Air-gapped/semi-isolated systems   | restricted connectivity                            |
| Vendor appliances                  | support contracts may forbid changes               |
| High-performance systems           | agents may affect timing/performance               |
| Regulated systems                  | extra software changes audit scope                 |
| Short-lived cloud systems          | installing agents may be wasteful                  |
| Client-owned demo/sandbox machines | ownership and permission unclear                   |
| Build runners                      | agent conflicts can contaminate builds             |

Some machines can run AACM agents. Others must be protected. 

Most agent-based products start with:

“Install us everywhere.”

Your model starts with:

“Prove who needs it.”

That will absolutely relieve a segment of the industry, especially people responsible for older, fragile, regulated, vendor-managed, or high-uptime systems.

And yes: YeOldeBoxes do not want agents.

  • enterprise (map example included) 
  • IT DMZ
  • OT DMZ
  • supervisory
  • local HMI
  • local station
  • remote station
  • AMI / field / edge / utility devices
  • firewalls / choke points
  • jump hosts
  • patch/update nodes
  • historian / app servers / DC / WS
  • devices that may be fragile or hard to scan

 

Example Distribution Environment Reference Architecture