AI code governance is the practice of keeping policy, security, and compliance control over code as your team’s velocity increases — including the growing share of code that AI assistants help write. MergeGuide’s promise is simple: AI velocity, enterprise governance. Embrace AI speed without sacrificing control. Governance runs where developers already work, so it accelerates the path to a clean, shippable change rather than adding a separate gate that slows everyone down.
This page explains the user-facing concept. It is not a description of how MergeGuide’s detection works internally — see the how-to and reference sections for what you actually do with the product.

Why a governance layer for AI-era code

Two things changed at the same time:
  1. More code, faster. AI assistants generate large amounts of code quickly. Review capacity did not grow at the same rate.
  2. Higher stakes. Security and compliance expectations (SOC 2, ISO 27001, PCI DSS, emerging AI regulation) keep rising, and auditors increasingly ask how you govern AI-assisted development specifically.
Without a governance layer, teams face a false choice: slow down to stay in control, or move fast and lose it. MergeGuide removes that trade-off by applying the same policies consistently at every point in the workflow.

What MergeGuide governs

MergeGuide checks both AI-written and human-written code against the policies and compliance frameworks your organization selects. You decide what “good” means; MergeGuide enforces it consistently and shows developers what to fix.
  • Policies — the rules your code must satisfy (for example, “no hardcoded secrets”). You select which apply at the org, project, group, or repo level.
  • Compliance frameworks — named standards (such as SOC 2 or ISO 27001) that map to sets of controls. Activating a framework scopes the checks that run.
  • Findings — what MergeGuide reports when code doesn’t satisfy a policy, with the file, line, severity, and guidance on how to fix it.
For precise definitions of these terms, see Core concepts.

Governance that meets developers where they work

The same governance is applied at several points in your workflow, so problems are caught at the earliest, cheapest moment:

In your IDE

The extension surfaces findings as you edit, before you commit.

In your AI assistant

The MCP server lets AI coding tools check a change against your policies as part of the generate-and-edit loop, so the assistant can correct a finding before the code reaches you.

On local commits

Git hooks check staged changes before they leave your machine.

On pull requests

The PR gate evaluates each PR on GitHub, GitLab, Bitbucket, or Azure DevOps and reports inline.
This is not “more gates.” It is the same governance, applied earlier. A finding you resolve in the IDE never has to be caught again at the PR — that is what lets you keep AI velocity without giving up control.
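As an added illustration of what a policy, a finding and a local-commit check look like in practice (this is example code written for this page, not MergeGuide's code and not a description of how MergeGuide detects anything), the script below implements a hypothetical "no hardcoded secrets" policy. It scans file contents line by line, skips obvious placeholders such as `${DB_PASSWORD}` or `your-api-key-here`, and reports each hit with the file, line, severity and fix guidance, the shape of finding described above. Run without arguments it checks a few constructed sample files embedded in the script; with `--staged` it reads the index via `git diff --cached` and `git show :path`, which is what a pre-commit hook needs so that it checks what will actually be committed rather than the working tree. The rule patterns, severities, placeholder heuristic, guidance text and sample file names are all assumptions chosen for the example.

```python
"""Illustrative "no hardcoded secrets" policy check for a pre-commit hook.

Added example for this page; it is NOT MergeGuide's code and does not
describe how MergeGuide detects anything. Rules, severities, guidance and
the placeholder heuristic are assumptions chosen for illustration.
"""
import re
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class Finding:
    """One policy violation: where it is, how bad it is, and what to do."""
    policy: str
    rule: str
    file: str
    line: int
    severity: str
    guidance: str


POLICY = "no-hardcoded-secrets"

# (rule name, pattern, severity, guidance). Group 1, where present, is the secret value.
RULES = [
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
     "critical", "Remove the key from the repo, rotate it, and load it from a secret store."),
    ("aws-access-key-id",
     re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
     "high", "Rotate the key in IAM and read it from the environment or an SDK credential provider."),
    ("assigned-secret-literal",
     re.compile(r"(?i)(?:api[_-]?key|secret|password|passwd|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})['\"]?"),
     "high", "Move the value to an environment variable or secret manager and reference it by name."),
]

# Values that are clearly not live credentials (assumed heuristic, keeps docs and templates quiet).
PLACEHOLDER_HINTS = ("example", "changeme", "placeholder", "your-", "xxxx", "redacted", "<")
BLOCKING_SEVERITIES = {"high", "critical"}


def looks_like_placeholder(value: str) -> bool:
    """Env-var references ($VAR, ${VAR}) and template-style values are not findings."""
    v = value.lower()
    return v.startswith("$") or any(hint in v for hint in PLACEHOLDER_HINTS)


def check_no_hardcoded_secrets(path: str, content: str) -> list:
    """Scan one file's text; at most one finding per line (first matching rule wins)."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for rule, pattern, severity, guidance in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if looks_like_placeholder(value):
                continue
            findings.append(Finding(POLICY, rule, path, lineno, severity, guidance))
            break
    return findings


def run_check(files: dict) -> list:
    """Apply the policy to every (path -> content) pair and collect findings."""
    findings = []
    for path, content in files.items():
        findings.extend(check_no_hardcoded_secrets(path, content))
    return findings


def should_block(findings: list) -> bool:
    """A hook exits non-zero (and git aborts the commit) only for blocking severities."""
    return any(f.severity in BLOCKING_SEVERITIES for f in findings)


def staged_files() -> dict:
    """Read the index (what will be committed), not the working tree copy of each file."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout.splitlines()
    return {
        name: subprocess.run(["git", "show", f":{name}"], capture_output=True,
                             text=True, errors="replace", check=True).stdout
        for name in names
    }


# Constructed sample inputs (not real credentials) so the script runs offline.
SAMPLE_FILES = {
    "app/settings.py": 'DEBUG = False\nDB_PASSWORD = "hunter2hunter2"\n',
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nQUJDREVGR0g=\n-----END OPENSSH PRIVATE KEY-----\n",
    ".env.example": "API_KEY=your-api-key-here\nDB_PASSWORD=${DB_PASSWORD}\n",
    "infra/main.tf": 'access_key = "AKIAABCDEFGHIJKLMNOP"\n',
    "README.md": "Set DB_PASSWORD in your environment before running.\n",
}


def main() -> int:
    files = staged_files() if "--staged" in sys.argv else SAMPLE_FILES
    findings = run_check(files)
    for f in findings:
        print(f"{f.file}:{f.line}: [{f.severity}] {f.policy}/{f.rule}")
        print(f"    fix: {f.guidance}")
    return 1 if should_block(findings) else 0


if __name__ == "__main__":
    sys.exit(main())
```

To wire this in as a local-commit check, call it from `.git/hooks/pre-commit` with `--staged`; a non-zero exit aborts the commit, and the same `run_check` can be reused unchanged from an editor plugin or a PR job, which is the "same governance, applied earlier" idea in code. The placeholder filter is the caveat to keep in mind for any such policy: it is what stops `.env.example` and documentation from drowning developers in false positives, but it is also the first thing to review when tuning the rule, since a too-generous hint list lets real values through.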

Where to go next

Quickstart

Install, authenticate, and run your first check.

Core concepts

Policies, frameworks, findings, severity, and enforcement layers.