docs(security): add enterprise AI governance guide + templates

New section for org-level Claude Code governance — fills the gap
between individual dev security (security-hardening.md) and what
engineering managers actually need when deploying at scale.

New files:
- guide/security/enterprise-governance.md (1117 lines)
  6 sections: local/shared split, usage charter, MCP approval
  workflow, 4 guardrail tiers (Starter/Standard/Strict/Regulated),
  policy enforcement at scale, SOC2/ISO27001 compliance guide
- examples/scripts/mcp-registry-template.yaml
  Org-level MCP registry with approved/pending/denied tracking
- examples/hooks/bash/governance-enforcement-hook.sh
  SessionStart hook validating MCPs against approved registry
- examples/scripts/ai-usage-charter-template.md
  Full charter template with data classification, use case rules,
  compliance mapping (SOC2/ISO27001/HIPAA/PCI DSS/GDPR)

Enriched sections:
- adoption-approaches.md: enterprise rollout (50+ devs) with
  3-phase approach and common mistakes
- observability.md: manager audit checklist, compliance reporting
- ai-traceability.md: evidence collection table for auditors
- production-safety.md + security-hardening.md: cross-references
  with explicit scope boundaries

Integration: guide/README.md, reference.yaml (22 new entries),
CHANGELOG.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Florian BRUNIAUX 2026-03-10 11:05:21 +01:00
parent b65630641b
commit 77b48db01b
12 changed files with 1797 additions and 1 deletions


@ -735,6 +735,23 @@ git-ai init
- Mandatory human-only review for security-critical?
- Approval workflow for AI-heavy PRs?
### Evidence Collection for Auditors
When SOC2, ISO27001, or HIPAA auditors ask for evidence of AI code governance, here's what to provide and where to find it:
| Auditor request | Evidence source | How to generate |
|-----------------|----------------|-----------------|
| "Show your AI usage policy" | `docs/ai-usage-charter.md` | See [charter template](../../examples/scripts/ai-usage-charter-template.md) |
| "Show access controls for AI tools" | `.claude/settings.json` (permissions.deny) | Committed to each project repo |
| "Show third-party AI component vetting" | `.claude/mcp-registry.yaml` | See [registry template](../../examples/scripts/mcp-registry-template.yaml) |
| "Show audit log of AI actions" | `~/.claude/projects/**/*.jsonl` | Native session logs |
| "Show code review process for AI code" | PR descriptions with AI disclosure | PR template + attribution policy |
| "Show how AI incidents are handled" | Incident response runbook | Add AI section to existing IR docs |
**Practical tip**: Run `./scripts/claude-governance-audit.sh` (see [enterprise-governance.md §5.3](../security/enterprise-governance.md#53-compliance-checking)) before each audit to verify controls are in place and generate a baseline report.
**For session-level audit trails** with full context (prompts, reasoning, tool calls, diffs), Entire CLI creates cryptographically-linked checkpoints in Git. This is one approach among several — evaluate based on your retention requirements and team size. See [§5.1 Entire CLI](#51-entire-cli) for setup and evaluation criteria.
---
## Templates
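Review bot: In the evidence table, the "Show audit log of AI actions" row offers `~/.claude/projects/**/*.jsonl` as the evidence source, but that path sits in each developer's home directory, so the files can be edited or deleted by the same user whose actions they record, and the row says nothing about retention or central collection. Suggest stating in the "How to generate" column, or in a sentence under the table, that these logs need to be shipped to access-controlled, append-only storage with a defined retention period before they are presented as audit evidence. Separately, the practical tip tells readers to run `./scripts/claude-governance-audit.sh`, while the file list in the commit message names no such script; either say explicitly that it has to be created from enterprise-governance.md §5.3 or add it under examples/scripts/ so the command works as written.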