Vozern · Attest: two-week pilot guide

Before day 1 · the kickoff call (45 min)

Agree success criteria. Typically: (1) AI tools & MCP servers discovered on all pilot devices, (2) at least one real unapproved finding triaged through the approval or exception workflow, (3) an evidence pack reviewed by GRC.
Pick the pilot group: one team, five developer Macs, one volunteer from that team as the engineering contact.
Choose the disclosure tier: outcomes, counts, or flagged. Most pilots run flagged (it powers the approval queue); see what each tier transmits so engineering can say yes with full information.
Name the operator: the GRC/security person who will own the dashboard and the catalogue.

Day 1 · stand up the plane & enroll (1–2 hours)

Start the control plane

Any box with Python 3.10+: a small VM, or a laptop for the pilot. No dependencies to install.

# on the org's server
python3 -m attest.server \
  --db /var/lib/attest/attest.db \
  --enroll-token pilot-team:$(openssl rand -hex 24) \
  --admin-token  $(openssl rand -hex 24)

Enroll the five devices

One command per machine (your MDM can push it later; for the pilot, developers paste it). Each device generates its own signing key.

pipx install vozern
attest --enroll https://attest.internal.example.com --token <PILOT-TOKEN>

First scan

Run it once by hand so everyone sees what it does: the local report opens on the developer's machine, and only the signed envelope reaches the plane.

attest --publish --disclosure flagged --open

Week 1 · build the catalogue

Review the discovery. The dashboard now shows every AI tool, AI extension, and MCP server on the pilot devices. Expect surprises; that is the product working.
Seed the approved catalogue: approve the tools the org already sanctions (one click per tool in the approval queue, or set the policy in bulk via POST /api/policy). Devices fetch the catalogue automatically on their next scan.
Triage what's left: each remaining unapproved item gets one of three outcomes: approve it, remove it, or accept it temporarily with an owner, justification, and expiry in exceptions.yaml.
Schedule the scans: install the LaunchAgent (template in DEPLOY.md) so scans run weekly without anyone remembering.

Week 2 · operate & decide

Watch convergence. The trends charts should show unapproved components falling and %-MET rising as the catalogue settles.
Test the alerting: point --webhook at your Slack/Teams channel; confirm the digest reports stale devices and expiring exceptions.
Pull the evidence pack: one click on the dashboard: every signed envelope, the device register, per-control posture CSV, and the policies in force. Hand it to GRC and ask the only question that matters: would our auditor accept this?
Decision call (30 min): review against the success criteria from day 0. If met: rollout plan (MDM packaging, groups per team, SSO in front of the dashboard, all in DEPLOY.md) and commercial proposal.

What you'll need from us, and what we need from you

We provide	You provide
Kickoff + weekly 30-min check-in, same-day email support throughout the pilot, the deployment runbook, and help authoring your first catalogue.	One GRC/security operator, one engineering contact, five developer Macs, and a 30-min decision call at the end.

Schedule the kickoff Security & privacy details