What It Took to Actually Govern Claude Code Across Our Engineering Team
A security audit revealed significant governance gaps in the use of Claude Code across an engineering team, including unmanaged API keys, lack of traffic visibility, and inadequate filesystem controls. The discovery was prompted by two critical vulnerabilities, CVE-2025-59536 and CVE-2026-21852, which demonstrated that malicious code repositories could lead to API key theft or arbitrary code execution on developer machines. Addressing these issues required a shift in how terminal-based AI tools are managed, moving beyond simple patching to a more robust security model involving centralized key management and CI checks. AI
IMPACT Highlights critical security considerations for integrating AI coding assistants into development workflows, emphasizing the need for robust governance beyond standard web app security.