AI Assurance

How OpsCurb treats AI-assisted development, review, and security-sensitive code changes.

Updated 2026-03-14

OpsCurb may use AI assistance in product development and in customer-facing product features. That does not change the review standard expected for security-sensitive code.

What AI may be used for

  • drafting explanations, copy, or refactors
  • speeding up repetitive implementation work
  • customer-facing recommendation and guidance features when enabled in the product

What AI is not treated as

  • a substitute for architecture review
  • a substitute for IAM-policy design
  • a substitute for security review
  • a substitute for release validation

Review standard for security-sensitive changes

Changes that affect any of the areas below should receive human review and targeted verification before release:

  • IAM policies, trust relationships, or capability gating
  • secret handling, encryption, or authentication flows
  • infrastructure and deployment configuration
  • scan correctness for AWS findings
  • production-impacting migrations or background jobs

Current controls in the product and delivery process

  • one shared access manifest drives the onboarding UI, backend capability mapping, generated IAM policy files, and the published permissions matrix
  • observed AWS API actions are captured during scans and Deep Inspect runs so IAM changes can be compared against real runtime behavior
  • frontend changes are typechecked before release
  • generated IAM artifacts can be verified against the manifest with automated tests
  • IAM policy changes are recorded in a public changelog
  • security and trust documentation is published alongside the product rather than hidden behind a sales process

AI feature boundary

  • AI-generated guidance is advisory
  • OpsCurb does not apply infrastructure changes automatically on a customer's behalf
  • customers remain responsible for reviewing and approving any remediation steps before they are run in AWS

Questions buyers usually mean when they ask about AI-built code

They are usually asking whether the product was built casually or whether there is real engineering scrutiny around:

  • account access
  • least privilege
  • review discipline
  • release safety
  • long-term maintainability

The correct standard is not "no AI ever." The correct standard is that generated output is reviewed, tested, and treated as draft material rather than trusted by default.