marketing-shibata50/claude-code-ultimate-guide
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
claude-code-ultimate-guide/examples/scripts/ai-usage-charter-template.md
Florian BRUNIAUX 77b48db01b docs(security): add enterprise AI governance guide + templates 
New section for org-level Claude Code governance — fills the gap
between individual dev security (security-hardening.md) and what
engineering managers actually need when deploying at scale.

New files:
- guide/security/enterprise-governance.md (1117 lines)
  6 sections: local/shared split, usage charter, MCP approval
  workflow, 4 guardrail tiers (Starter/Standard/Strict/Regulated),
  policy enforcement at scale, SOC2/ISO27001 compliance guide
- examples/scripts/mcp-registry-template.yaml
  Org-level MCP registry with approved/pending/denied tracking
- examples/hooks/bash/governance-enforcement-hook.sh
  SessionStart hook validating MCPs against approved registry
- examples/scripts/ai-usage-charter-template.md
  Full charter template with data classification, use case rules,
  compliance mapping (SOC2/ISO27001/HIPAA/PCI DSS/GDPR)

Enriched sections:
- adoption-approaches.md: enterprise rollout (50+ devs) with
  3-phase approach and common mistakes
- observability.md: manager audit checklist, compliance reporting
- ai-traceability.md: evidence collection table for auditors
- production-safety.md + security-hardening.md: cross-references
  with explicit scope boundaries

Integration: guide/README.md, reference.yaml (22 new entries),
CHANGELOG.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-10 11:05:21 +01:00

8.2 KiB
Raw Blame History

AI Coding Tools Usage Charter

Template — Copy to docs/ai-usage-charter.md in your organization's docs repo. Adapt sections marked with [BRACKETS].

Related: guide/security/enterprise-governance.md §2

Organization: [Your Organization] Applies to: Claude Code and all AI coding assistants Effective date: [DATE] Owner: [Engineering Lead / CTO / CISO] Review cadence: Quarterly Version: 1.0.0

1. Purpose

This charter defines how [Organization] employees may use AI coding assistants, which tools are approved, what data can be used with them, and who is accountable for compliance. The goal is to enable productive AI-assisted development while managing security, privacy, and regulatory risk.

2. Approved Tools

Tool Plan / Tier Scope Administered by
Claude Code Team/Enterprise All engineering work Platform Team
Claude Code Personal Pro Personal dev only (no company data above INTERNAL) Individual
[Other Tool] [Plan] [Scope] [Team]

Using non-approved AI coding tools on company systems is prohibited. If you believe an additional tool would benefit your work, submit an approval request to [engineering-lead@company.com].

3. Data Classification Rules

All data at [Organization] is classified into four levels. Your use of AI tools must comply with this classification.

Classification Examples Claude Code permitted? Notes
PUBLIC Open-source code, public documentation Yes — no restrictions
INTERNAL Internal tools, non-sensitive business code Yes — standard config Use company accounts
CONFIDENTIAL Customer data (non-PII), business secrets, proprietary algorithms Yes — Enterprise plan only, with approved config
RESTRICTED PCI card data, PHI, credentials, auth tokens, encryption keys Never No exceptions

Hard Rules

  • RESTRICTED data never enters an AI context window — not in prompts, not in files Claude reads, not as examples.
  • Personal AI accounts (personal Pro subscriptions) may only be used with PUBLIC or INTERNAL data.
  • Company credentials and API keys are RESTRICTED. Never paste them into prompts.

Technical Enforcement

Projects handling CONFIDENTIAL or RESTRICTED data must configure permissions.deny in .claude/settings.json to block AI access to sensitive files. See the Standard or Regulated tier config for ready-to-use configurations.

4. Approved Use Cases

The following uses of AI coding assistants are approved without additional review:

  • Code completion and generation for approved data classifications
  • Code review and quality analysis
  • Test generation and mutation testing
  • Documentation drafting and updating
  • Debugging, root cause analysis, log analysis
  • Architecture analysis of internal systems
  • CLI scripting, automation, build tooling
  • Refactoring and code cleanup

5. Prohibited Use Cases

The following are not permitted without explicit written approval:

Prohibited use Reason Exception process
Processing raw PCI cardholder data Regulatory (PCI DSS) None — technically enforced
Generating code handling unencrypted PHI without security review Regulatory (HIPAA) Security review required
Autonomous deployment to production Human oversight requirement Approval from Eng Director
Using personal AI accounts for CONFIDENTIAL data Data residency/privacy Upgrade to company account
Sharing customer data as examples in prompts Privacy, data handling Use synthetic data
Bypassing governance controls (hooks, deny rules) Policy violation None

6. MCP Server Governance

Model Context Protocol (MCP) servers extend Claude Code's capabilities and introduce additional risk surface. All MCP servers used on company projects must be:

  1. Listed in the approved registry (.claude/mcp-registry.yaml in the platform config repo)
  2. Pinned to an exact version (never @latest)
  3. Re-reviewed every 6 months or on major version bumps

Approval process: Submit a request with server name, source URL, intended use case, and data scope to [platform-team@company.com] or [#claude-code-requests Slack channel].

Unapproved MCPs detected in project configs will be flagged at session start. Developers have 48 hours to remove or seek approval.

7. Code Review and Attribution

AI Attribution

All pull requests where AI assisted in writing code must include an AI disclosure section:

## AI Assistance
- AI tool used: Claude Code
- Scope: [e.g., "Generated tests for auth module", "Refactored payment handler"]
- Human review: Reviewer checked logic, security implications, and edge cases

The standard Co-Authored-By: Claude <noreply@anthropic.com> commit trailer (added automatically by Claude Code) satisfies attribution for routine changes. Explicit PR disclosure is required for:

  • Any change to authentication or authorization
  • Any change to payment or financial logic
  • Any database schema change
  • Any new external API integration

Code Review Expectations

AI-generated code is not exempt from code review. Reviewers should apply the same — or stricter — scrutiny to AI-generated sections, particularly for:

  • Security-sensitive paths (auth, crypto, access control)
  • Data handling (PII, financial data)
  • Edge cases and error conditions that AI tools often miss

8. Accountability

Developer Responsibilities

By using Claude Code on company systems, you agree to:

  • Follow this charter
  • Report suspected data exposure to [security@company.com] within 24 hours
  • Participate in quarterly access reviews
  • Complete AI tools onboarding checklist when joining or switching teams
  • Not circumvent governance controls (hooks, deny rules, registry)

Team Lead Responsibilities

  • Ensure projects are configured with the appropriate guardrail tier
  • Review MCP registry quarterly
  • Include AI charter in team onboarding
  • Escalate charter violations per §9

Platform Team Responsibilities

  • Maintain shared governance config (settings.json templates, hooks)
  • Review MCP approval requests within 1 week
  • Update charter when tools, tiers, or risks change
  • Conduct semi-annual governance audit

9. Incident Response

If you suspect data exposure

  1. Stop the current AI session immediately
  2. Document what data may have been included in the context (which files, what prompts)
  3. Report to [security@company.com] with "AI Data Exposure" in subject, within 24 hours
  4. Do not attempt to investigate or remediate without security guidance

Charter violations

Severity Examples Response
Minor Forgot AI attribution in PR, used unapproved MCP briefly Coaching, remediation
Moderate Used personal account with CONFIDENTIAL data, bypassed a hook Formal warning, re-training
Severe Processed RESTRICTED data with AI, persistent bypass of controls HR/legal involvement

10. Compliance Mapping

This charter addresses the following compliance requirements:

Framework Relevant Controls This Charter Addresses
SOC 2 CC6.1 (Logical access), CC7.1 (Monitoring), CC9.2 (Vendor risk) Data classification, MCP registry, audit logging
ISO 27001 A.8.3 (Access restriction), A.8.25 (Secure dev lifecycle), A.5.23 (Cloud services) Approved tools, governance tiers, data handling
HIPAA (if applicable) Security Rule §164.312 (Access control, Audit controls) RESTRICTED data prohibition, compliance-mode logging
PCI DSS (if applicable) Req 6.3 (Security vulnerabilities), Req 12 (Policy) PCI data prohibition, code review requirements
GDPR/CCPA Data minimization, purpose limitation CONFIDENTIAL/RESTRICTED classification, data scope rules

11. Revision History

Version Date Author Changes
1.0.0 [DATE] [Name] Initial version

Questions or exceptions: [engineering-lead@company.com] | Slack: [#ai-tools-governance]