>mind boggling Byzantine rules

Hint: by all means possible, make sure you are not the owner of (or manager of the person who owns) any assets beyond your personal laptop. If, for example, you end up being the owner of all the development and test servers of the original company, then it will become your responsibility to ensure that each OS (of each LPAR of each VM) is security compliant, is running the end-point asset manager, and has up to date OS patches, that the DASD is encrypted, and you must periodically show physical proof that the asset still exists and indicate where it's located- photos of assets tags or whatever. It will be your responsibility to dispose of the asset (with all associated paperwork) at the end of its life.

It helps if such machines are not actually on the 9. network, or are behind an internal firewall (then they don't care about the security compliance as much).