HFI · HARVEST & FORT INDUSTRIES

AI Governance · Case Study

Vibe-coded to compliant: governing dev-tool AI use

Engineers were using ChatGPT, Copilot, Cursor, and Claude across an enterprise without policy, review, or data-handling rules. The engagement closed the gap without killing velocity.

Regulated SaaS provider · engineering org of ~60 · enterprise customer base with growing AI-risk scrutiny

Challenge

A customer security review surfaced the question: "What policy governs your engineers' use of AI coding tools?" The honest answer was "none." Engineering had quietly adopted ChatGPT, Copilot, Cursor, and Claude across the team. There was no inventory, no data-handling rules, no review process. Sales and customer security were both starting to feel the heat.

Approach

  1. Surveyed the engineering org to inventory which AI dev tools were actually in use and on what data.
  2. Drafted a dev-tool AI usage policy distinguishing public, internal, and sensitive code paths.
  3. Built a lightweight gate for new AI use cases: one-page intake, named reviewer, register entry.
  4. Established model-card discipline for five internal AI-assisted features that touched customer data.
  5. Trained the engineering org in one 75-minute working session with concrete examples.
  6. Updated the customer-facing security questionnaire response.

We didn't want a policy that read like it was written for lawyers. We needed something engineers would actually follow. They got it.

VP Engineering, Regulated SaaS provider · Composite engagement

Outcomes

What the engagement actually shipped.

23 dev-tool AI use cases inventoried

4 use cases gated pending review

5 internal AI features with model cards

0 velocity loss reported by engineering leads

Composite case study. Details combine multiple engagements and are anonymized for client confidentiality.
