Hardware-Enforced Cloud Governance

For enterprises and VCs underwriting the current AI wave, the greatest existential threat is a catastrophic identity failure, a ransomware lockout, or a rogue administrator hijacking the core infrastructure.

Cryptosign establishes a Break-Glass Root of Trust, providing hardware-enforced governance over your most critical digital IP.

Deployment Protocols by Infrastructure

Objective: To establish a zero-trust, mathematically derived physical failsafe for the highest-privilege root account within a Microsoft Azure (Entra ID) cloud environment using pre-engraved cryptographic shares.

Architectural Context: In day-to-day operations, the enterprise utilizes a strictly keyless architecture (biometrics, YubiKeys, ephemeral tokens). To prevent permanent IP lockout if the Identity Provider fails or an insider threat goes rogue, this protocol establishes the Break-Glass Root of Trust. Utilizing the Cryptosign Keyless Kit, the founders reconstruct a high-entropy master password from pre-engraved hardware shares, apply it to the Azure failsafe account, and distribute the physical shares to an investor/founder quorum.

Prerequisites (The Equipment)
  • Machine A (Online): The standard work computer used by the CEO or Lead Architect to access the Azure portal.
  • Machine B (Air-Gapped): A dedicated, offline computer. Ideally, a machine booted from a temporary live operating system (e.g., Tails OS or Ubuntu on a USB) with all networking hardware physically disabled.
  • The Cryptosign Keyless Kit: 5 Pre-Engraved Cryptosign shares, 5 serialized tamper-evident security bags, and the Cryptosign Secure SD Card (containing the audited offline SSS extraction engine).
  • Destruction Materials: A cross-cut shredder or fire-safe incineration bowl.
Phase 1: Environmental Setup & The Air-Gap
SECURITY WARNING: At no point should the provided Cryptosign SD card be inserted into an internet-connected machine. Keeping the card offline ensures that neither the engraved shares nor the recovered password is ever read or typed on a networked host.
  1. Isolate the Environment: Boot Machine B (Air-Gapped) and physically verify that all networking capabilities are disabled. Ensure no smartphones or smart speakers are active in the room.
  2. Break the Seal: Open the tamper-evident Cryptosign kit and extract the secure SD card.
  3. Load the Engine: Insert the SD card directly into Machine B.
  4. Execute Locally: Launch the provided `.html` file in the machine's local offline web browser.
Phase 2: Master Password Extraction (Machine B)
  1. Activate Keyless Mode: On the offline tool's home screen, click the "Activate Keyless" button. The tool automatically configures itself for Unencrypted Recovery mode.
  2. Set Threshold: Confirm the required threshold matches your physical cards (e.g., enter `3` for a 3-of-5 kit).
  3. Input the Shares: Pick up any 3 of the 5 pre-engraved plates. Type the exact alphanumeric strings engraved on the plates into the offline tool.
  4. Extract the Password: Click "Recover Secret". The engine will mathematically combine the shares and output a highly entropic, 64-character string. This is your Azure Break-Glass Password.
  5. The Temporary Air-Bridge: Write this extracted password down on a physical piece of paper. Do not photograph it or copy it to a digital clipboard.
Phase 3: Provisioning the Azure Break-Glass Account (Machine A)
  1. Login to Azure: The Lead Architect logs into the Microsoft Entra admin center using standard daily keyless credentials.
  2. Create the Emergency User: Navigate to Users > All users > New user. Set the User Principal Name to a distinct, non-human identifier (e.g., `emergency.root@startup.onmicrosoft.com`).
  3. Assign God Privileges: Assign both the Global Administrator and Privileged Role Administrator roles.
  4. Exclude from Keyless/Conditional Access: Navigate to Protection > Conditional Access. Explicitly exclude the new emergency account so it can log in via password alone in a crisis.
  5. Apply the Extracted Password: Manually type the 64-character password from your physical piece of paper into the Azure portal. Confirm it and finalize the creation of the user.
Phase 4: Digital Obliteration & Physical Distribution
  1. Destroy the Paper Air-Bridge: Take the temporary piece of paper containing the master password and completely incinerate or cross-cut shred it.
  2. Wipe the Air-Gap: Power down Machine B entirely so that its RAM is cleared, then remove the SD card. The extracted password is now eradicated from the digital realm.
  3. Secure the Plates: Place each of the 5 pre-engraved Cryptosign shares into its own serialized, tamper-evident bag. Seal them permanently.
  4. Log the Manifest: Create an official corporate governance memo logging the bag serial numbers to their assigned holders (e.g., CEO, CTO, Lead VC Partner, Corporate Counsel, Bank Vault).
  5. Physical Dispersal: Hand the sealed bags to the respective quorum members for storage.
Phase 5: Failsafe Execution (The Azure Recovery Protocol)

Executed only during a catastrophic event. The current kit is considered "burnt" once used.

Step 1: The Assembly & Verification

At least 3 members of the quorum physically convene and inspect the tamper-evident bags containing their physical Cryptosign shares to ensure they have not been compromised.

Step 2: The Cryptographic Extraction

Using a fresh air-gapped computer and the Cryptosign SD card, the quorum launches the "Activate Keyless" mode, inputs 3 shares, and extracts the 64-character Break-Glass Password.

Step 3: The Azure Breach (Emergency Logon)

The CEO moves to a secure terminal, navigates to portal.azure.com, logs in using the Break-Glass UPN, and enters the 64-character password. This bypasses any broken SSO providers or compromised biometric requirements.

Step 4: Regaining IP Control (Threat Neutralization)

Once authenticated as Global Administrator, the user must immediately:

  • Revoke Rogue Access: Navigate to Microsoft Entra ID > Users. Locate rogue accounts, click Revoke sessions, and disable their sign-in capabilities.
  • Restore Founder Access: Locate legitimate CEO/CTO accounts, reset passwords, and require re-registration of hardware keys.
  • Audit Conditional Access: Disable or bypass faulty policies that caused the lockout.
  • Secure the Core IP: Verify the integrity of the Azure Managed HSM and ensure proprietary AI model weights or vaults have not been tampered with.
Step 5: Post-Incident Protocol (Rotation)

Once daily operations are restored, the emergency account's password must be reset to a new random value. A brand new Cryptosign Keyless Kit must be ordered to establish a new physical quorum.

Objective: To establish a zero-trust, mathematically derived physical failsafe for the highest-privilege Break-Glass Administrator account within an Amazon Web Services (AWS) cloud environment using pre-engraved cryptographic shares.

Architectural Context: To prevent permanent IP lockout if the Identity Provider fails or an insider threat goes rogue, this protocol establishes the Break-Glass Root of Trust. The founders extract a master password from pre-engraved hardware shares, apply it to a dedicated AWS IAM failsafe account, and distribute the physical shares to an investor/founder quorum.

Prerequisites (The Equipment)
  • Machine A (Online): The standard work computer used to access the AWS Management Console.
  • Machine B (Air-Gapped): A dedicated, offline computer with all networking hardware physically disabled.
  • The Cryptosign Keyless Kit: 5 Pre-Engraved shares, 5 tamper-evident bags, and the Cryptosign Secure SD Card.
  • Destruction Materials: A cross-cut shredder or fire-safe incineration bowl.
Phase 1: Environmental Setup & The Air-Gap
SECURITY WARNING: At no point should the provided Cryptosign SD card be inserted into an internet-connected machine.
  1. Boot Machine B (Air-Gapped) and physically verify that networking is disabled.
  2. Extract the secure SD card from the tamper-evident kit.
  3. Insert the SD card into Machine B and launch the `.html` file.
Phase 2: Master Password Extraction (Machine B)
  1. Activate Keyless Mode: Click "Activate Keyless" on the tool's home screen.
  2. Set Threshold: Confirm the required threshold (e.g., `3`).
  3. Input the Shares: Type the alphanumeric strings from 3 pre-engraved plates.
  4. Extract the Password: Click "Recover Secret" to generate the 64-character AWS Break-Glass Password.
  5. The Temporary Air-Bridge: Write this extracted password down on a physical piece of paper. Do not photograph it.
Phase 3: Provisioning the AWS Break-Glass Account (Machine A)
  1. Login to AWS: The Lead Architect logs into the AWS Management Console.
  2. Create the Emergency User: Navigate to IAM > Users > Add users. Set the username (e.g., `emergency.root.failsafe`).
  3. Console Access: Select Provide user access to the AWS Management Console and choose Custom password.
  4. Apply the Extracted Password: Manually type the 64-character password. Uncheck "User must create a new password at next sign-in."
  5. Assign God Privileges: Under Permissions, select Attach policies directly and assign the `AdministratorAccess` managed policy.
  6. Exclude from MFA / SCPs: Ensure this IAM user is explicitly excluded from any AWS Organizations Service Control Policies (SCPs) or IAM permissions boundaries that mandate MFA. Record the 12-digit AWS Account ID on your temporary paper.
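One way to confirm the exclusion in step 6 before relying on it, as an added example that is neither AWS's nor Cryptosign's code: a constructed SCP that denies every action without MFA but exempts the page's `emergency.root.failsafe` user, plus a small evaluator modelling the two condition operators the policy uses. `without_exemption` reproduces the misconfiguration that would lock the failsafe account out; the account id in the sample requests is a placeholder.

```python
import copy
import fnmatch

# Added check, not AWS's or Cryptosign's code: a constructed SCP that denies all
# actions without MFA but exempts the break-glass IAM user named on this page.
# The 12-digit account id used in sample requests below is a placeholder.
BREAK_GLASS_USER = "emergency.root.failsafe"

DENY_WITHOUT_MFA_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllWithoutMFA",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"},
            "ArnNotLike": {"aws:PrincipalArn": [f"arn:aws:iam::*:user/{BREAK_GLASS_USER}"]},
        },
    }],
}

def _condition_matches(cond, ctx):
    # Every operator block must match for the Deny to apply (IAM ANDs them).
    for key, want in cond.get("BoolIfExists", {}).items():
        if key in ctx and ctx[key] != want:   # a missing key counts as a match
            return False
    for key, patterns in cond.get("ArnNotLike", {}).items():
        if any(fnmatch.fnmatchcase(ctx.get(key, ""), p) for p in patterns):
            return False                      # principal is exempted
    return True

def scp_denies(policy, ctx):
    # True if any Deny statement fires for the request context ctx.
    return any(s["Effect"] == "Deny" and _condition_matches(s.get("Condition", {}), ctx)
               for s in policy["Statement"])

def without_exemption(policy):
    # The misconfiguration to avoid: the same SCP with the ArnNotLike clause dropped.
    p = copy.deepcopy(policy)
    for s in p["Statement"]:
        s.get("Condition", {}).pop("ArnNotLike", None)
    return p

def request(user, mfa):
    # Constructed request context for an IAM user in placeholder account 111111111111.
    return {"aws:PrincipalArn": f"arn:aws:iam::111111111111:user/{user}",
            "aws:MultiFactorAuthPresent": "true" if mfa else "false"}
```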
Phase 4: Digital Obliteration & Physical Distribution
  1. Destroy the Paper Air-Bridge: Incinerate or shred the paper containing the password and Account ID.
  2. Wipe the Air-Gap: Power down Machine B entirely to flush the RAM.
  3. Secure the Plates: Place the shares into serialized, tamper-evident bags.
  4. Log the Manifest & Disperse: Record bag serial numbers and hand them to the quorum members (CEO, CTO, VC, Counsel, Vault).
Phase 5: Failsafe Execution (The AWS Recovery Protocol)
Step 1: The Assembly & Verification

At least 3 members of the quorum convene and inspect the tamper-evident bags.

Step 2: The Cryptographic Extraction

Using a fresh air-gapped computer, the quorum inputs 3 shares into the "Activate Keyless" tool to extract the 64-character Break-Glass Password.

Step 3: The AWS Breach (Emergency Logon)

The CEO navigates to the account-specific AWS sign-in URL (`https://[12-digit-account-id].signin.aws.amazon.com/console`), logs in as `emergency.root.failsafe`, and enters the password. This bypasses broken SSO/STS providers.

Step 4: Regaining IP Control (Threat Neutralization)

Once authenticated with `AdministratorAccess`, the user must immediately:

  • Revoke Rogue Access: Navigate to IAM (or IAM Identity Center). Delete rogue Access Keys, invalidate active STS sessions, and remove unauthorized policies.
  • Restore Founder Access: Reset legitimate founder passwords and require re-registration of hardware keys.
  • Secure the Core IP: Navigate to AWS KMS and Amazon S3. Verify Customer Managed Keys (CMKs) and review S3 Bucket Policies to ensure proprietary datasets are secure and not exposed publicly (a `"Principal": "*"` grant) or to cross-account access.
Step 5: Post-Incident Protocol (Rotation)

Reset the emergency account password and deploy a brand new Cryptosign Keyless Kit to establish a new quorum.

Objective: To establish a zero-trust, mathematically derived physical failsafe for the highest-privilege Break-Glass Administrator (Super Admin) account within a Google Cloud Platform (GCP) and Cloud Identity environment.

Architectural Context: To prevent permanent IP lockout if the Identity Provider fails, this protocol extracts a master password from pre-engraved hardware shares, applies it to a dedicated Google Cloud failsafe account, and distributes the physical shares to a quorum.

Prerequisites (The Equipment)
  • Machine A (Online): The standard work computer used to access the Google Cloud Console and Workspace Admin Console.
  • Machine B (Air-Gapped): A dedicated, offline computer with all networking hardware physically disabled.
  • The Cryptosign Keyless Kit: 5 Pre-Engraved shares, 5 tamper-evident bags, and the Cryptosign Secure SD Card.
Phase 1: Environmental Setup & The Air-Gap
SECURITY WARNING: At no point should the provided Cryptosign SD card be inserted into an internet-connected machine.
  1. Boot Machine B (Air-Gapped) and physically verify that networking is disabled.
  2. Load the Cryptosign SD Card and launch the offline `.html` file.
Phase 2: Master Password Extraction (Machine B)
  1. Activate Keyless Mode: Click "Activate Keyless" and confirm your threshold.
  2. Input the Shares: Type the alphanumeric strings from 3 pre-engraved plates.
  3. Extract the Password: Click "Recover Secret" to generate the 64-character Google Cloud Break-Glass Password.
  4. The Temporary Air-Bridge: Write this password down on a piece of paper.
Phase 3: Provisioning the Google Cloud Break-Glass Account (Machine A)
  1. Login to Google Workspace: Log into the Admin Console (`admin.google.com`).
  2. Create the Emergency User: Navigate to Directory > Users > Add new user (e.g., `emergency.root.failsafe@startup.com`).
  3. Apply the Extracted Password: Manually type the 64-character password. Explicitly uncheck "Ask for a password change at the next sign-in."
  4. Assign God Privileges: In Workspace, assign the Super Admin role. In the Google Cloud Console (`console.cloud.google.com`), assign the Organization Administrator and Owner roles at the top Organization node.
  5. Exclude from SSO / 2SV: Navigate to Security > Authentication. Place this user in an Exception Configuration Group that bypasses third-party SSO (SAML) routing and exempts it from enforced 2-Step Verification (2SV).
Phase 4: Digital Obliteration & Physical Distribution
  1. Destroy the Paper Air-Bridge.
  2. Power down Machine B to wipe the RAM.
  3. Secure the plates in tamper-evident bags and distribute to the quorum.
Phase 5: Failsafe Execution (The GCP Recovery Protocol)
Step 1: The Assembly & Extraction

At least 3 members of the quorum convene, inspect the bags, and use an air-gapped machine to extract the 64-character Break-Glass Password via the offline engine.

Step 2: The Google Cloud Breach (Emergency Logon)

Navigate to `admin.google.com` or `console.cloud.google.com`. Log in using the emergency email and extracted password. The native Google login will succeed immediately, bypassing broken SSO.

Step 3: Regaining IP Control (Threat Neutralization)

Once authenticated as Super Admin / Organization Administrator, immediately execute:

  • Revoke Rogue Access: In Workspace, locate rogue accounts. Click Reset sign-in cookies to kill active sessions, revoke OAuth tokens, and suspend accounts.
  • Restore Founder Access: Reset legitimate founder passwords and generate backup codes.
  • Audit IAM & Policies: In the GCP Console, remove unauthorized Service Accounts/IAM bindings and check Organization Policies for malicious guardrails.
  • Secure the Core IP: Navigate to Google Cloud KMS and Cloud Storage. Verify encryption keys and ensure proprietary AI model buckets haven't been made public (`allUsers`).
Step 4: Post-Incident Protocol (Rotation)

Reset the emergency account password and deploy a brand new Cryptosign Keyless Kit to establish a new quorum.

Objective: To establish a zero-trust, mathematically derived physical failsafe for the highest-privilege Break-Glass Administrator (Organization Owner) account within an Enterprise AI Platform.

Architectural Context: Regardless of the foundational model (OpenAI Enterprise, Anthropic Console, Google Vertex AI, or Grok infrastructure), the existential threat is losing control of the top-level account governing fine-tuning datasets, proprietary weights, and API gateways. This protocol extracts a master password from hardware shares and applies it to a dedicated AI Platform failsafe account.

Phase 1: Master Password Extraction (Air-Gapped)
SECURITY WARNING: Ensure Machine B is fully air-gapped with all networking hardware disabled.
  1. Activate Keyless Mode: On the offline tool's home screen, click "Activate Keyless".
  2. Input the Shares: Type the alphanumeric strings from 3 pre-engraved plates.
  3. Extract the Password: Click "Recover Secret" to output a highly entropic, 64-character string. Write this down on a temporary paper air-bridge.
Phase 2: Provisioning the AI Platform Break-Glass Account (Online)
  1. Login to the AI Console: Log into the Enterprise AI Admin Dashboard using standard credentials.
  2. Create the Emergency User: Navigate to Users / Team Management > Add User. Set the email (e.g., `emergency.root.failsafe@startup.com`).
  3. Apply the Extracted Password: Manually type the 64-character password. (Accept any invites in an incognito window to set the password).
  4. Assign God Privileges: Assign the highest tier of access available (e.g., Organization Owner, Super Admin, or Primary Billing Admin).
  5. Exclude from SSO / Enforced MFA: Configure your identity layer to explicitly bypass central SSO routing (like Okta) for this specific emergency address. It must log in natively via password.
Phase 3: Digital Obliteration & Physical Distribution

Incinerate the paper air-bridge, wipe the air-gap machine, seal the 5 hardware shares in tamper-evident bags, and distribute them to your founder/VC quorum.

Phase 4: Failsafe Execution (The AI Recovery Protocol)
Step 1: Assembly & Extraction

During a catastrophic event, at least 3 quorum members convene, inspect the bags, and use the air-gapped Cryptosign SD card tool to extract the 64-character password.

Step 2: The Enterprise Breach & IP Control

The CEO logs into the native AI Platform portal using the emergency email and password. Once authenticated as the Organization Owner, immediately execute:

  • Revoke Rogue Access: In User Management, downgrade rogue administrative accounts, revoke active sessions, or delete them entirely.
  • Secure the API Gateways: In API Keys / Developer Settings, instantly revoke any production API keys compromised by the rogue actor to prevent billing spikes or rate-limit exhaustion.
  • Audit Proprietary Data: Check Fine-Tuning, Files, and Model Management sections. Verify training datasets and custom-trained model weights have not been deleted or maliciously altered.
Step 3: Post-Incident Protocol

Reset the emergency account password and deploy a brand new Cryptosign Keyless Kit.