You replace build-push-pull image pipelines with a declarative Flox environment, the dependencies of which resolve to hash-addressed packages that live in an immutable, node-local store. Organizations can run their own private, signed binary caches, enabling them to build or mirror packages inside their networks, generate SBOMs and attestations (see SBOMs, below), and point security scanners at that cache. At runtime, nodes fetch only hash-addressed artifacts, so existing provenance, approval, and CVE workflows carry over.

In sum: organizations shift from shipping snapshots (container images) to shipping recipes (declarative environments); recipes yield SBOMs-by-default, single-edit A/B and atomic rollbacks, faster CVE triaging, and other operational benefits. For developers, AI/ML engineers, and other practitioners, Flox environments run as subshells, not containers, so developers can work directly on their local systems, with free access to all resources. Flox development environments are co-located with Git repos, so PRs always update code and runtime together. The same environment travels across the SDLC: local dev → CI → production Kubernetes clusters.