AI Tool Governance
AI coding tools are becoming standard in engineering teams. Claude Code, GitHub Copilot, Cursor, Windsurf — developers use them daily. But most organisations have no visibility into which tools are being used, where they are being used, or whether the code they produce meets the same standards as human-authored code.
SGD provides three capabilities for AI tool governance: provenance detection, policy enforcement, and comparative metrics.
AI provenance detection
SGD detects AI tool involvement in pull requests using multiple signals. No single signal is definitive — the platform combines them for a confidence score.
| Signal | What SGD looks for | Confidence |
|---|---|---|
| Git metadata | Author email patterns (e.g., noreply@github.com for Copilot), commit message signatures (Co-Authored-By: Claude, Generated by Copilot) | High |
| Branch naming | Patterns like claude/, copilot/, cursor/, ai/ prefixes | Medium |
| PR patterns | PR descriptions containing AI tool references, standardised AI disclosure sections, automated PR templates | Medium |
| MCP session data | When AI tools connect via the SGD MCP server, the session records which tool was used and which spec it was working against | Very High |
| Commit velocity | Unusually high commit frequency or large diffs in short time windows (corroborative, not standalone) | Low |
Provenance confidence levels
| Level | Meaning |
|---|---|
| Confirmed | MCP session data or explicit Co-Authored-By header. Tool identity is certain. |
| Likely | Multiple medium-confidence signals agree (branch name + PR pattern + git metadata). |
| Possible | Single medium-confidence signal. Flagged for review but not asserted. |
| Unknown | No AI signals detected. Treated as human-authored. |
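The two tables above describe how signals are weighted and then folded into a level. The following is an added example of that combination step, written for this page; it is not SGD's detector. The `PullRequest` fields, the tool-name normalisation, the commit-velocity threshold and the rule that "likely" needs two medium-or-better signals naming the same tool are all assumptions chosen to match the tables.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field

# Added illustration, not SGD's code: the PullRequest shape, the normalisation
# and the velocity threshold are assumptions made for this example.

@dataclass
class PullRequest:
    author_email: str
    branch: str
    description: str
    commit_messages: list[str] = field(default_factory=list)
    mcp_tool: str | None = None   # tool recorded by an SGD MCP session, if any
    commit_count: int = 1
    window_minutes: int = 60      # wall-clock span covered by the commits

VERY_HIGH, HIGH, MEDIUM, LOW = "very_high", "high", "medium", "low"
TOOLS = "claude|copilot|cursor|windsurf"
COAUTHOR_RE = re.compile(rf"^Co-Authored-By:\s*({TOOLS})", re.I | re.M)
GENERATED_RE = re.compile(rf"Generated by ({TOOLS})", re.I)
BRANCH_RE = re.compile(rf"^({TOOLS}|ai)/", re.I)
DESC_RE = re.compile(rf"\b({TOOLS})\b", re.I)

def normalise(tool: str) -> str:
    """Map variants such as 'Claude Code' / 'claude-code' onto one key."""
    return tool.lower().replace("-code", "").replace(" code", "")

def collect_signals(pr: PullRequest) -> list[tuple[str, str | None, str]]:
    """Return (signal, tool or None, confidence) triples found on the PR."""
    signals = []
    if pr.mcp_tool:
        signals.append(("mcp_session", normalise(pr.mcp_tool), VERY_HIGH))
    for msg in pr.commit_messages:
        if m := COAUTHOR_RE.search(msg):
            signals.append(("coauthor_header", normalise(m.group(1)), HIGH))
            break
        if m := GENERATED_RE.search(msg):
            signals.append(("commit_signature", normalise(m.group(1)), HIGH))
            break
    if pr.author_email.lower().endswith("noreply@github.com"):
        signals.append(("author_email", "copilot", HIGH))
    if m := BRANCH_RE.match(pr.branch):
        prefix = m.group(1).lower()
        signals.append(("branch_name", None if prefix == "ai" else prefix, MEDIUM))
    if m := DESC_RE.search(pr.description):
        signals.append(("pr_description", normalise(m.group(1)), MEDIUM))
    # Corroborative only: more than 30 commits per hour (assumed threshold).
    if pr.window_minutes > 0 and pr.commit_count / pr.window_minutes > 0.5:
        signals.append(("commit_velocity", None, LOW))
    return signals

def classify(pr: PullRequest) -> tuple[str, str | None]:
    """Return (level, tool) following the confidence-level table."""
    signals = collect_signals(pr)
    for name, tool, _ in signals:
        if name in ("mcp_session", "coauthor_header"):
            return "confirmed", tool          # tool identity is certain
    counted = [s for s in signals if s[2] in (HIGH, MEDIUM)]
    if not counted:
        return "unknown", None                # treated as human-authored
    tools = Counter(t for _, t, _ in counted if t)
    top = tools.most_common(1)[0][0] if tools else None
    # An 'ai/' branch names no tool, so it is compatible with any top tool.
    agreeing = sum(1 for _, t, _ in counted if t in (top, None))
    if top and agreeing >= 2:
        return "likely", top
    return "possible", top

if __name__ == "__main__":
    sample = PullRequest("dev@example.com", "copilot/add-tests",
                         "Scaffolded with GitHub Copilot; reviewed by hand.")
    print(classify(sample))   # → ('likely', 'copilot')
```

Low-confidence signals such as commit velocity are collected and reported but never counted toward a level, which is what keeps them "corroborative, not standalone"; a branch prefix and a PR description that name different tools also stay at "possible", since the signals do not agree.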
Privacy-aware detection
SGD detects AI tool involvement, not individual developer behaviour. Provenance data is attached to the PR, not the developer. The platform does not monitor keystrokes, editor activity, or local tool usage — it only analyses what appears in git history and PR metadata.
Policy enforcement
SGD allows organisations to define AI tool policies at the organisation, capability, or repository level. Policies are evaluated during governance checks and produce pass/warn/fail results like any other governance rule.
Example policies
"Only Claude Code for payment-critical repos"

```yaml
policy:
  name: payment-ai-tool-restriction
  scope:
    capabilities: ["payment-processing", "card-management"]
  rule:
    ai_tool_allowed: ["claude-code"]
    ai_tool_blocked: ["copilot", "cursor", "windsurf"]
  on_violation: fail
  message: >
    This capability requires Claude Code for AI-assisted development.
    Other AI tools are not permitted on payment-critical repositories.
    See policy ADR-052 for rationale.
```

"Copilot for test scaffolding only"

```yaml
policy:
  name: copilot-test-only
  scope:
    repositories: ["*"]
  rule:
    ai_tool: copilot
    allowed_file_patterns: ["**/*.test.*", "**/*.spec.*", "**/tests/**"]
    blocked_file_patterns: ["src/**"]
  on_violation: warn
  message: >
    Copilot-authored changes detected in production source files.
    Organisation policy restricts Copilot to test scaffolding.
    Consider using Claude Code for production code changes.
```

"AI PRs on regulated repos require senior reviewer"

```yaml
policy:
  name: ai-senior-review-required
  scope:
    labels: ["regulated"]
  rule:
    when: ai_provenance_confidence >= "likely"
    require_reviewer_from: ["@org/senior-engineers"]
    min_reviewers: 2
  on_violation: fail
  message: >
    AI-assisted PRs on regulated repositories require review
    from at least 2 senior engineers. Current reviewers do not
    meet this requirement.
```

Policy evaluation
Policies are evaluated as part of the standard governance check pipeline. When a PR is opened or updated:
- SGD runs provenance detection on the PR
- If AI involvement is detected, applicable AI policies are evaluated
- Policy results appear alongside other governance checks in the PR status
- Results are recorded in the audit trail for compliance reporting
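To make the evaluation step concrete, here is an added example that runs the three policies above against a PR record; it is written for this page and is not SGD's policy engine. The policy dicts transcribe the YAML, while the PR record shape, the `**` glob translation, and the tiny `when` grammar (only `>=` on confidence levels and `==`) are assumptions.

```python
from __future__ import annotations
import re

# Added illustration, not SGD's engine. The policies transcribe the YAML on
# this page; the PR record keys and the `when` grammar are assumptions.

CONFIDENCE_ORDER = ["unknown", "possible", "likely", "confirmed"]

PAYMENT_POLICY = {
    "name": "payment-ai-tool-restriction",
    "scope": {"capabilities": ["payment-processing", "card-management"]},
    "rule": {"ai_tool_allowed": ["claude-code"],
             "ai_tool_blocked": ["copilot", "cursor", "windsurf"]},
    "on_violation": "fail",
}
COPILOT_TEST_POLICY = {
    "name": "copilot-test-only",
    "scope": {"repositories": ["*"]},
    "rule": {"ai_tool": "copilot",
             "allowed_file_patterns": ["**/*.test.*", "**/*.spec.*", "**/tests/**"],
             "blocked_file_patterns": ["src/**"]},
    "on_violation": "warn",
}
SENIOR_REVIEW_POLICY = {
    "name": "ai-senior-review-required",
    "scope": {"labels": ["regulated"]},
    "rule": {"when": 'ai_provenance_confidence >= "likely"',
             "require_reviewer_from": ["@org/senior-engineers"],
             "min_reviewers": 2},
    "on_violation": "fail",
}
POLICIES = (PAYMENT_POLICY, COPILOT_TEST_POLICY, SENIOR_REVIEW_POLICY)

def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a '**'-style glob into a regex anchored to the whole path."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3      # zero or more directories
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1         # single path segment
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(f"^{out}$")

def matches_any(patterns, value: str) -> bool:
    return any(glob_to_regex(p).match(value) for p in patterns)

def in_scope(policy, pr) -> bool:
    """Scope keys are ANDed; a missing key places no restriction."""
    scope = policy["scope"]
    if "capabilities" in scope and not set(scope["capabilities"]) & set(pr.get("capabilities", [])):
        return False
    if "labels" in scope and not set(scope["labels"]) & set(pr.get("labels", [])):
        return False
    return "repositories" not in scope or matches_any(scope["repositories"], pr["repository"])

def when_matches(expr: str, pr) -> bool:
    """Supports only '<field> >= "<level>"' and '<field> == "<value>"'."""
    m = re.fullmatch(r'\s*(\w+)\s*(>=|==)\s*"?([\w-]+)"?\s*', expr)
    if not m:
        raise ValueError(f"unsupported when expression: {expr!r}")
    field, op, value = m.groups()
    actual = pr.get(field, "unknown")
    if op == "==":
        return actual == value
    return CONFIDENCE_ORDER.index(actual) >= CONFIDENCE_ORDER.index(value)

def evaluate(policy, pr) -> str:
    """Return 'pass', or the policy's on_violation level ('warn' / 'fail')."""
    rule = policy["rule"]
    if not in_scope(policy, pr) or ("when" in rule and not when_matches(rule["when"], pr)):
        return "pass"                                   # policy does not apply
    tool = pr.get("ai_tool")                            # None for human-authored PRs
    violated = tool is not None and "ai_tool_allowed" in rule and tool not in rule["ai_tool_allowed"]
    violated |= tool in rule.get("ai_tool_blocked", [])
    if rule.get("ai_tool") and rule["ai_tool"] == tool:  # per-tool file restrictions
        for path in pr.get("files", []):
            if matches_any(rule.get("blocked_file_patterns", []), path) or \
               not matches_any(rule.get("allowed_file_patterns", ["**"]), path):
                violated = True
    if "require_reviewer_from" in rule:
        qualifying = [r for r in pr.get("reviewers", [])
                      if set(pr.get("reviewer_teams", {}).get(r, [])) & set(rule["require_reviewer_from"])]
        violated |= len(qualifying) < rule.get("min_reviewers", 1)
    return policy["on_violation"] if violated else "pass"

def check_pr(pr, policies=POLICIES) -> dict[str, str]:
    """Evaluate every policy; the result dict is what a PR status view shows."""
    return {p["name"]: evaluate(p, pr) for p in policies}

# Constructed sample: a Copilot PR touching production code on a regulated
# payment repository, reviewed by only one senior engineer.
SAMPLE_PR = {
    "repository": "payments-api",
    "capabilities": ["payment-processing"],
    "labels": ["regulated"],
    "ai_tool": "copilot",
    "ai_provenance_confidence": "likely",
    "files": ["src/charge.ts", "tests/charge.test.ts"],
    "reviewers": ["alice", "bob"],
    "reviewer_teams": {"alice": ["@org/senior-engineers"], "bob": ["@org/platform"]},
}
```

Running `check_pr(SAMPLE_PR)` yields `fail` for the payment restriction, `warn` for the Copilot file-pattern policy and `fail` for the senior-review requirement, which is the kind of per-policy line that would sit next to the other governance checks in the PR status. A PR with no detected tool passes all three, since the policies only constrain AI-assisted changes.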
Comparative metrics
SGD tracks code quality metrics segmented by AI tool, giving you an objective view of how different tools perform in your specific codebase and governance context.
Metrics tracked per tool
| Metric | What it measures | Why it matters |
|---|---|---|
| Rework rate | Percentage of PRs requiring changes after governance check | Lower = tool produces code that meets standards first time |
| Test coverage delta | Change in test coverage on files modified by the tool | Positive = tool adds tests alongside implementation |
| First-time approval rate | Percentage of PRs that pass all governance checks on first run | Higher = tool aligns with your governance rules |
| Incident rate | Post-merge incidents per 100 deployments, per tool | Lower = tool produces more stable code |
Example comparison view
| Metric | Claude Code | Copilot | Human (no AI) |
|---|---|---|---|
| Rework rate | 11% | 27% | 22% |
| Test coverage delta | +4.2% | -1.1% | +0.8% |
| First-time approval | 84% | 58% | 63% |
| Incident rate (per 100) | 0.8 | 2.1 | 1.4 |
Context matters
These metrics reflect performance in your codebase with your governance rules. A tool that scores well in one organisation may score differently in another. Use the data to inform tooling decisions, not as an absolute ranking.
Trend analysis
Metrics are tracked over time, so you can answer questions like:
- "Has Claude Code's rework rate improved since we added better CLAUDE.md files?"
- "Did Copilot's test coverage improve after we restricted it to test scaffolding?"
- "How does the new version of Cursor compare to the previous version on first-time approval?"
Trends are available in the dashboard and included in the Annual AI Governance Report.
AI governance dashboard
The AI governance dashboard provides a single view of AI tool usage across your organisation:
- Tool distribution — Which AI tools are used, in which capabilities, at what volume
- Policy compliance — Pass/fail rates for AI-specific policies
- Quality comparison — Side-by-side metrics for each detected tool
- Provenance coverage — Percentage of PRs with confirmed AI provenance vs unknown
This data feeds directly into the Annual AI Governance Report and is available for ad hoc audit packs.