User Guide Whitepaper
Operator Binary Cloud Operator Operator Terminal
Demos Changelog Pricing
About Careers
Security Governance Constitution
Terms Privacy
DropOps Logo

Governance

Governance by Design

Governance determines where authority lives and enforces that decision consistently.

DropOps is built on a single foundational principle:

Execution authority and permission authority must never be coupled.

Everything in DropOps flows from that belief.

The Core Model

DropOps introduces a clear separation of responsibilities:

Humans

  • Define intent
  • Approve or deny authority
  • Own outcomes and accountability

AI

  • Reasons about problems
  • Diagnoses system state
  • Proposes actions
  • Executes only within explicitly granted boundaries

Operators (Execution Layer)

  • Enforce hard limits
  • Execute approved actions
  • Hold no implicit trust
  • Can be stopped or revoked at any time

This separation is structural.
It is enforced by the system itself, independent of best practices, policy documents, or model compliance.

Hard Limits (Non-Negotiable)

There are things DropOps will not do - by design.

The AI cannot:

  • block Escalate privileges on its own
  • block Grant itself new permissions
  • block Broaden its access silently
  • block Bypass the approval workflow
  • block Act outside the execution context of a connected Operator
  • block Persist authority beyond what a human explicitly allows

If a boundary exists, the system is designed to be incapable of crossing it.

Real limits hold under pressure and convenience alike.

Human-in-the-Loop, Without Theater

DropOps preserves human authority at runtime.

  • Actions that change system state require explicit approval
  • Read-only or low-risk actions may proceed without friction
  • Approvals are contextual, inspectable, and attributable

Governance is enforced during execution.

Approval Is a Control Surface

Meaningful approvals deliver safety. DropOps treats approval fatigue as a real operational risk.

By design:

  • Some permissions persist when appropriate
  • Repeated approvals consolidate when sensible
  • Teams decide where friction belongs

DropOps provides the mechanisms for governance.

Teams decide how strictly to apply them.
This allows governance to evolve based on real usage.

Cloud Permissions (Zero Standing Privileges)

Cloud Operators start with zero standing permissions.

When an action requires cloud access:

  • The AI determines the minimum permissions required
  • A request is presented to a human for approval
  • Execution occurs only after approval

Permissions are explicit, scoped, and inspectable.

Nothing is silently broadened. Nothing is assumed.

Humans can revoke access at any time - the AI actually detaches the IAM policy from the role.

shield_lock

Permission Boundary (Hard Ceiling)

block

Blocks

ALL IAM write operations

block

Blocks

AdministratorAccess, infrastructure deletion

lock

Enforces

Hard security ceiling - cannot be bypassed

cloud

Operator Role (Executes Actions)

check_circle
Self-discovery only sts:GetCallerIdentity, iam:GetRole
block
CANNOT modify IAM Blocked by permission boundary
add_circle
+ Intent policies (granted via Escalation Role)
security

Escalation Role (Grants Permissions)

check_circle
Attach Intent-* policies To Operator Role only
block
NO resource access Cannot access ec2, s3, rds, etc.

No Standing Trust

Standing trust is a liability.

DropOps minimizes:

  • Persistent authority
  • Long-lived credentials
  • Implicit access relationships

Operators are:

  • Lightweight
  • Ephemeral
  • Outbound-only
  • Killable instantly

Trust is contextual and intentional - never assumed indefinitely.

Visibility and Accountability

DropOps prioritizes clarity over convenience.

Auditability is a fundamental property of the system.

Local-First Audit Architecture (LFAA)

The Operator is the System of Record for all session history, execution logs, and file mutations. The cloud acts as a stateless relay - no sensitive operational data persists in cloud storage.

  • Audit Vault - SQLite database on operator storing sessions, events, file mutations
  • Ledger Mirror - Git-backed version control for all modified files
  • Your Data, Your Systems - Complete audit trail maintained locally, queryable by AI on demand

Failure Modes (Designed for Reality)

Failure is inevitable. Silent failure is unacceptable.

When things go wrong:

  • The blast radius is constrained by design
  • Authority can be revoked immediately
  • Operators can be terminated instantly
  • Humans remain in control

DropOps favors legible failure over hidden automation.

Explicit Non-Goals

DropOps has explicit boundaries:

  • Autonomous infrastructure
  • Self-healing magic
  • A replacement for engineers
  • A system that bypasses organizational policy
  • A tool for avoiding responsibility

Any use of DropOps that contradicts these principles is considered misuse.

Responsibility and Ownership

AI does not carry blame.

DropOps exists to clarify responsibility. Humans remain accountable for decisions, actions, and outcomes.

The system is designed to make responsibility clearer.

The safest systems make human oversight scale without breaking.

DropOps exists to make good judgment scale.

Contact

security@dropops.ai support@dropops.ai