Interesting, so we’d (1) limit access to the system to API access only; (2) specify, I guess? the only allowed locations for executable programs; (3) log any events that occur in those locations; (4) implement DevOps procedures for actively making changes to those locations.
Something like that? Or am I missing your point?