01The Four Decisions in This Guide
- Standardize or coexist: one tool org-wide or an approved list; both are defensible with different tradeoffs.
- Which layer: IDE-native plugin, IDE fork, CLI or agent-first tool, or a repo-graph enterprise platform.
- Which vendor within the layer: Copilot, Cursor, Windsurf, Claude Code, Cody, Tabnine, Amazon Q, or JetBrains AI, matched to the layer and to your security posture.
- How to measure success: DORA outcomes plus SPACE dimensions, not lines of code or suggestion acceptance rate.
02Executive Summary
AI coding assistants have moved from experimental to expected inside most engineering organizations in the last 18 months, and the buying question has moved with them. The question is no longer whether to use one, but which layer of the market to standardize on, which vendor to buy inside that layer, and how to control cost, code egress, and productivity measurement across a real engineering org.
The market divides into four distinct layers: IDE-native plugins that install into an existing editor (GitHub Copilot, Sourcegraph Cody, Tabnine, Amazon Q Developer, JetBrains AI Assistant); IDE forks that ship as their own editor (Cursor, Windsurf); CLI or agent-first tools that operate on a working tree (Claude Code, Aider, OpenAI Codex CLI); and repo-graph enterprise platforms that lead with code retrieval at scale and expose IDE surfaces on top (Sourcegraph Cody, Augment Code). Selecting inside the wrong layer is the single most common reason a well-funded pilot fails to reach production adoption.
StackAuthority's analysis of the Thoughtworks Technology Radar Vol. 33, community reports of the mid-2026 Cursor pricing incident, and enterprise deployment write-ups from Northflank converges on one recurring pattern: engineering leaders who define the layer, the security posture, and the productivity measurement approach before the vendor decision outperform teams that pick a vendor first and retrofit the constraints later.
03Why This Decision Matters Now
Three forces have made the current buying window different from the pilots of 2024 and 2025.
Pricing model shape has shifted. GitHub Copilot moved to a credit-metered model in mid-2026 alongside seat-flat tiers, Cursor introduced usage-based Ultra pricing at 200 dollars per month, and Claude Code launched Max tiers at 100 to 200 dollars per month. Heavy agent users routinely land at the top of these ranges, and finance teams accustomed to seat-flat forecasting are now approving line items that vary by an order of magnitude month over month (Developers Digest analysis).
Enterprise controls have caught up unevenly. GitHub Copilot Business and Enterprise contractually exclude customer prompts from Microsoft's training pipeline, Sourcegraph Cody Enterprise ships zero data retention and uncapped IP indemnity, and Tabnine offers fully air-gapped deployment via its Dell AI Factory partnership (Sourcegraph, Tabnine deployment docs). Cursor, Windsurf, and Claude Code do not offer on-premises deployment as of this writing.
Agentic capability has become the primary axis of vendor differentiation. Cursor Agent, Windsurf Cascade, Claude Code, Copilot Workspace, and Cody agents all write and edit code across multiple files with varying reliability. The Northflank enterprise agent deployment analysis reports that roughly 88 percent of enterprise agentic pilots do not reach production, and the blocker is almost never the model itself; it is governance, isolation, and data residency infrastructure the vendor does not ship with the tool.
Relevant baseline sources
- Thoughtworks Technology Radar Vol. 33
- Northflank enterprise AI coding agent deployment guidance
- DORA report and DX measurement guidance
- SPACE developer productivity framework
04What an AI Coding Assistant Is
An AI coding assistant is any tool that generates, edits, or reviews source code by calling a large language model, delivered either as an IDE plugin, an IDE fork, a command-line agent that operates on a working tree, or a repo-graph platform that indexes an entire codebase. Compared with a general chat interface, an assistant is embedded in the engineer's workflow and has direct access to files, diffs, terminals, or the repository index. Compared with a code generation script, an assistant is interactive and expects supervision.
The cautionary read is that a chat window pointed at a general model is not an AI coding assistant, and treating it as one produces the shadow-AI code-egress patterns enterprise security teams increasingly flag. The buying decision is about which supervised, controlled surface the organization sanctions, not about whether engineers will use language models at all.
05Who This Guide Is For
Fit criteria
your organization has more than 50 product engineers writing production code across multiple teams; developers are already using AI coding assistants in some form, sanctioned or not; security or compliance requires evidence of code egress controls, model training exclusion, or audit surface; and leadership wants a defensible answer to whether the AI coding investment is producing measurable throughput improvement.
This guide is less useful for very small teams under 20 engineers where any individual can pick a tool with minimal blast radius, or for organizations that have already banned language-model tools outright and are enforcing that ban through endpoint controls.
06The Four Layers of the AI Coding Assistant Market
| Layer | What it is | Example vendors | Primary strength | Primary risk |
|---|---|---|---|---|
| IDE-native plugins | Installs into an existing editor | Copilot, Cody, Tabnine, Amazon Q, JetBrains AI, Continue | Editor preservation, broad IDE support | Agent depth limited by host IDE |
| IDE forks | Ships as its own editor derived from VS Code | Cursor, Windsurf | Deeper agent loops, controlled surface | Editor lock-in to vendor product |
| CLI or agent-first | Runs in the terminal on the working tree | Claude Code, Aider, OpenAI Codex CLI | Composability, headless execution | Thinner review surface, needs supervision |
| Repo-graph enterprise | Code index and retrieval across the codebase | Sourcegraph Cody, Augment Code | Cross-file reasoning, air-gap option | Value depends on index quality |
IDE-native plugins
Plugins install into an existing editor such as Visual Studio Code, JetBrains IDEs, Neovim, or Eclipse. Compared with IDE forks, plugins preserve the organization's existing editor standardization and avoid switching cost. Compared with CLI agents, plugins operate primarily on the current file and its immediate context rather than the full working tree. The cautionary read is that a plugin cannot deliver an agent-first experience beyond a certain point because the host IDE was not designed for long-horizon agent loops; teams that want deep agent workflows tend to migrate off plugin surfaces within a year.
Vendors in this layer include GitHub Copilot, Sourcegraph Cody, Tabnine, Amazon Q Developer, JetBrains AI Assistant and Junie, and Continue.
IDE forks
IDE forks ship as their own editor derived from Visual Studio Code. Compared with plugins, forks control the entire editor surface and can deliver deeper agent loops without host-IDE constraints. Compared with CLI agents, forks preserve a graphical editing environment familiar to most engineers. The cautionary read is that adopting a fork replaces the organization's editor standard with a vendor-controlled product; engineers on JetBrains IDEs cannot use the fork without switching editors, and the fork vendor becomes a critical dependency in the developer toolchain.
Vendors in this layer include Cursor and Windsurf.
CLI or agent-first tools
CLI tools run in the terminal and operate on the working tree directly, without an IDE surface of their own. Compared with plugins and forks, CLI agents are the most composable with existing workflows and the most amenable to headless execution in CI or scheduled jobs. Compared with graphical tools, CLI agents demand higher supervision discipline; the surface for reviewing agent-generated diffs is thinner, and the failure mode of accepting bad changes is closer at hand. The cautionary read is that CLI agents reward engineers who already have strong version control and review habits, and expose weaknesses in engineers who do not.
Vendors and tools in this layer include Claude Code, Aider, and OpenAI Codex CLI.
Repo-graph enterprise platforms
Repo-graph platforms lead with a code index and retrieval layer across an entire codebase and expose IDE plugins or agents on top of that index. Compared with plugins that see only the current file, repo-graph tools can reason about cross-file relationships and dependency structure. Compared with IDE forks, repo-graph tools are typically neutral about the editor and can be used across an organization with mixed editor standards. The cautionary read is that the value of a repo-graph platform is proportional to the quality of the code index; poorly indexed monorepos or codebases with weak documentation extract less value than the vendor's marketing implies.
Vendors in this layer include Sourcegraph Cody and Augment Code.
07Decision Framework: Should You Standardize or Coexist
Standardize on one assistant when
security and compliance require a single audit surface and a single training-exclusion contract; procurement wants a single vendor relationship with volume pricing; the organization uses a single editor standard; and platform capacity exists to enforce the standard and support the tool.
Approve a list and let teams choose when
developers work across multiple editor environments (JetBrains and Visual Studio Code coexist); the organization is already running informal AI usage that would be costly to consolidate; agent workflows matter more to some teams than others and one tool cannot serve both well; and platform capacity exists to run security review on multiple vendors rather than one.
Both approaches are defensible. The failure mode is neither standardize nor coexist; it is the implicit default where each team picks a tool without security review and the organization discovers the exposure during an audit or a cost surprise.
08Decision Framework: Which Layer to Buy
Buy an IDE-native plugin when
engineers work across multiple editor environments that must be preserved, agent workflows are secondary to autocomplete and in-line assistance, and the priority is minimum switching cost with the strongest possible enterprise controls.
Buy an IDE fork when
engineers already work primarily in Visual Studio Code, agent workflows are a first-class requirement, and the organization is willing to accept a vendor-controlled editor in exchange for a deeper agent experience.
Buy a CLI or agent-first tool when
engineers have strong version control and review habits, the target use case includes headless or scheduled runs, and the tool is intended to complement rather than replace an existing IDE plugin or fork.
Buy a repo-graph enterprise platform when
the codebase is large enough that cross-file retrieval is a material productivity constraint, the organization has strong compliance requirements that vendor-hosted SaaS cannot meet, or the deployment environment must support on-premises or air-gapped operation.
Decision Framework: Copilot vs Cursor vs Claude Code vs Cody vs Windsurf
The most common short-list decision compares GitHub Copilot, Cursor, Claude Code, Sourcegraph Cody, and Windsurf. Choosing between them without first deciding the layer is a category error; the tools are not competing in the same layer.
Side-by-side comparison
| Dimension | GitHub Copilot (Business / Enterprise) | Cursor | Windsurf | Claude Code | Sourcegraph Cody (Enterprise) |
|---|---|---|---|---|---|
| Layer | IDE plugin (+ Workspace agent) | IDE fork | IDE fork | CLI agent | Plugin + repo-graph |
| Pricing model | Seat-flat plus credit metering (2026) | Seat plus credit metering | Seat plus credit metering | Seat plus credit metering | Enterprise custom |
| Typical published prices | 19 USD Business, 39 USD Enterprise | 20 USD Pro, 40 USD Business, 200 USD Ultra | 20 USD Pro, 40 USD Teams, 200 USD Max | 20 USD Pro, 100 to 200 USD Max | Custom |
| Agentic capability | Copilot Workspace, in-editor agents | Cursor Agent, strong loop | Cascade agent | Native CLI agent, sub-agents, MCP, hooks | Cody agents with repo-graph context |
| Editor support | VS Code, JetBrains, Neovim, Eclipse, Xcode | Cursor editor only | Windsurf editor only | Editor-agnostic; runs in terminal | VS Code, JetBrains, others |
| On-premises or VPC option | No (SaaS only) | No | No | No (SaaS; Bedrock and Vertex pass-through) | Yes, self-hosted and air-gapped |
| Trains on customer code | No for Business and Enterprise | No for Business and Enterprise | No for Enterprise | No | No, zero retention |
| Compliance posture | SOC 2, ISO 27001 via Microsoft | SOC 2 Business tier | SOC 2 Enterprise tier | SOC 2, HIPAA options via BAA | SOC 2 Type II, ISO 27001, uncapped IP indemnity |
| Best-fit segment | Existing GitHub estate, JetBrains and VS Code mix | Teams choosing an agent-first VS Code fork | Teams that want long-horizon Cascade flows | Teams with strong CLI habits, headless use cases | Regulated buyers, large monorepos, air-gapped needs |
| Primary risk | Vendor lock-in to GitHub estate | Editor lock-in, credit-metered cost variance | Editor lock-in, agent reliability variance | Supervision discipline, cost variance under heavy use | Higher upfront platform investment |
Public source references: GitHub Copilot, Cursor, Windsurf, Claude Code, Sourcegraph Cody.
10Evaluation Criteria for Vendor Selection
Use a 1 to 5 scale per criterion and require a written rationale so scoring does not drift across reviewers.
| Criterion | Weight | What to look for | Minimum acceptable signal |
|---|---|---|---|
| Fit with existing editor standard | 10% | plugin support across editors in use | plugin available for at least the top 2 editors in the org |
| Training-on-code contractual exclusion | 15% | explicit contractual exemption from vendor training | written exemption in the master agreement |
| Deployment posture | 10% | SaaS, VPC, on-premises, or air-gapped options | posture documented and matches security requirement |
| Data retention policy | 10% | zero retention or documented retention window | retention window compatible with compliance policy |
| Audit surface | 5% | audit log for prompts, completions, and admin changes | audit log queryable via API or export |
| Agentic capability | 10% | agent that operates across multiple files with review surface | agent with a diff-review surface before commit |
| Cost model predictability | 10% | seat-flat vs credit-metered; per-seat consumption reporting | forecastable cost within 20 percent month over month |
| IP indemnity | 5% | vendor indemnity for AI-generated code claims | indemnity present, cap disclosed |
| Repo-scale context capability | 10% | cross-file and monorepo retrieval quality | reference customer at your codebase scale |
| Extensibility and API surface | 10% | MCP support, plugin API, or custom integration surface | at least one non-trivial extension possible internally |
| Product roadmap and backing | 5% | funding, release cadence, enterprise references | at least two references at your scale |
Total score should inform decisions, not replace engineering judgment. A vendor that scores well on agentic capability but poorly on deployment posture will still fail regulated procurement even if engineers prefer the developer experience.
11Common Failure Modes in Enterprise AI Coding Rollouts
Failure Mode 1: Credit-metered cost shock
Adopting a credit-metered plan without per-seat consumption monitoring produces month-over-month cost variance leadership cannot forecast. Reported cases include individual users generating hundreds of dollars in weekly overage and small teams generating thousands of dollars in monthly overage after Cursor's mid-2026 pricing shift (WeAreFounders timeline). Fix: default to seat-flat pricing at the enterprise tier unless a platform team actively monitors per-seat token consumption and enforces caps.
Failure Mode 2: Unmeasured productivity
Rolling out an AI coding assistant without a productivity measurement plan produces a Day 90 leadership conversation in which nobody can defend the investment. Fix: pick a measurement framework before rollout, either DORA outcomes with SPACE overlays or an internal composite; report it monthly starting in the pilot.
Failure Mode 3: Code egress via shadow AI
When the sanctioned tool is slow or restrictive, developers route private source code through unsanctioned chat interfaces. The failure signal is a rising rate of paste-into-chat activity visible in endpoint telemetry combined with low sanctioned-tool usage (ReliaQuest analysis). Fix: make the sanctioned tool the fastest path for the top three developer workflows, not just the policy-compliant one.
Failure Mode 4: IDE fork lock-in
Adopting Cursor or Windsurf organization-wide replaces the editor standard with a vendor-controlled product. The failure signal is that engineers who prefer JetBrains have no supported path and either accept a downgrade or route around the standard. Fix: standardize the fork only when Visual Studio Code was already the sole editor standard; otherwise choose a plugin.
Failure Mode 5: Absent agent supervision
Enterprise agent pilots that reach production without a diff-review, sandbox, or approval gate produce audit failures and, occasionally, production incidents from unreviewed agent-generated changes (Northflank). Fix: require a review gate on every agent-generated change before merge; do not permit direct commits from an agent to protected branches.
Failure Mode 6: Reviewer overload
AI-generated pull request volume rises faster than reviewer capacity, and code review becomes the bottleneck the AI was supposed to relieve. The failure signal is rising time-to-first-review even as individual PR throughput improves. Fix: track review load as a first-class metric alongside PR throughput; adjust review capacity or PR size guidance before rollout expansion.
12Sizing and Adoption Heuristics
These heuristics are directional, drawn from published pricing and benchmarks, and should be adjusted for organizational context.
- Under 50 engineers: seat-flat plans (Copilot Business at 19 USD per user, Amazon Q Developer Pro at 19 USD per user, Cursor Business at 40 USD per user) are the lowest-overhead starting point; a dedicated platform owner is not required.
- 50 to 500 engineers: enterprise controls (SSO, audit log, contractual training exclusion) become non-negotiable; Copilot Enterprise at 39 USD per user or Amazon Q Pro at 19 USD per user are baselines; expect a platform team of 1 to 2 engineers to own policy and rollout.
- 500 to 5,000 engineers in regulated industries: air-gapped or VPC deployment via Sourcegraph Cody Enterprise or Tabnine on Dell AI Factory becomes viable; annual contracts typically move into 6 or 7 figure ranges (IntuitionLabs analysis).
- Heavy agent users at the individual level land at 100 to 200 USD per seat per month across every major vendor (Cursor Ultra, Claude Code Max, Windsurf Max), regardless of the underlying pricing model, and this ceiling is now the practical enterprise per-seat cost for engineers who adopt agent-first workflows (Developers Digest).
- Adoption reality check: GitHub's own randomized study of 95 developers reported 55 percent faster completion of a scoped HTTP-server task (GitHub Blog, vendor-authored). Independent studies including METR-style controlled experiments on experienced open source developers with early-2025 tooling have reported neutral or negative effects, indicating that scoped-task results do not extrapolate to organization-level throughput (DevX critique).
13Measuring Productivity
Weekly active user counts and suggestion acceptance rates are not productivity metrics; they are activity metrics. Productivity measurement requires a composite that combines delivery outcomes with developer-reported experience.
Measure these
- DORA outcomes: deployment frequency, lead time for changes, change failure rate, mean time to recovery. These anchor the conversation in delivery, not in tool usage (DORA guidance).
- SPACE dimensions: Satisfaction, Performance, Activity, Communication, and Efficiency and flow. SPACE captures developer-reported effects that DORA alone misses (SPACE framework).
- Pull request throughput and time-to-first-review: throughput on its own can rise while review capacity becomes the bottleneck; report both together.
- Change failure rate and defect escape rate: catches the "shipping wrong things faster" pattern that raw throughput hides.
Do not measure
- Lines of code, either produced or accepted; language models reward verbose output.
- Suggestion acceptance rate as a proxy for value; acceptance and value are only weakly correlated in reported studies.
- Portal page views or Copilot chat message counts as adoption; these are activity metrics that predict nothing on their own.
- Vendor-supplied ROI dashboards as the primary source; treat them as one input among several, not the whole picture.
14Vendor Reference Table
This table is inventory, not a ranking. Vendor mentions follow StackAuthority's canonical entity policy and are based on public positioning and community traction rather than paid placement.
| Vendor | Layer | Positioning | Typical target segment |
|---|---|---|---|
| GitHub Copilot | IDE plugin (+ Workspace agent) | Enterprise default across GitHub estates | Any org already standardized on GitHub |
| Cursor | IDE fork | Agent-first VS Code fork | VS Code shops wanting deeper agent loops |
| Windsurf | IDE fork | Cascade agent editor | Teams betting on long-horizon agent flows |
| Claude Code | CLI agent | CLI-first agent with sub-agents and MCP | Teams with strong CLI and review habits |
| Sourcegraph Cody | Plugin + repo-graph | Enterprise repo-graph with air-gap option | Regulated buyers, large monorepos |
| Tabnine | IDE plugin | Privacy-first with air-gapped option | Regulated industries needing on-prem |
| Amazon Q Developer | IDE plugin | AWS-native with IP indemnity | AWS-heavy shops, IAM Identity Center users |
| JetBrains AI Assistant / Junie | IDE plugin | JetBrains-native with BYOK | JetBrains-standard shops with EU residency needs |
| Continue | IDE plugin (open source) | Model-agnostic self-hostable plugin | Teams wanting open source and BYOK |
| Aider | CLI agent (open source) | Git-native terminal pair programmer | Individual power users, small teams |
| OpenAI Codex CLI | CLI agent | Terminal agent bundled with ChatGPT tiers | Teams standardized on OpenAI models |
| Augment Code | Repo-graph | Code-graph platform with agent surfaces | Large codebases prioritizing retrieval quality |
Public source references: GitHub Copilot, Cursor, Windsurf, Claude Code, Sourcegraph Cody, Tabnine, Amazon Q Developer, JetBrains AI, Continue, Aider, OpenAI Codex CLI, Augment Code.
15Evidence Package to Request From Every Vendor
Ask for evidence in a comparable format so internal review remains objective. Vendor decks are not evidence.
- master agreement clause excluding customer prompts and completions from vendor model training
- SOC 2 Type II report and ISO 27001 certificate current within 12 months
- data retention policy documented per tier with retention window in days
- audit log documentation with sample export
- deployment options documented (SaaS, VPC, on-premises, air-gapped) with reference customer per option
- IP indemnity clause with disclosed cap and exclusions
- one reference customer at your scale with a named engineering leader who can be contacted
- one 12-month cost projection with per-seat consumption assumptions and overage exposure
Weak or generic artifacts in this package are a stronger negative signal than a weak sales conversation.
16Interview Script: High-Signal Questions
Security and compliance questions
- Show the contractual clause that excludes our prompts and completions from your model training.
- Show your data flow diagram for a completion request, including any third-party model providers.
- Show one reference customer in our industry that passed a SOC 2 or ISO audit using your product.
Cost and pricing questions
- Show how per-seat consumption is reported to the buyer in your enterprise tier.
- Show what happens when a user exceeds their monthly credit; is the credit soft-capped, hard-capped, or overage-billed?
- Show three reference customers at our scale with their actual monthly per-seat cost over the last 6 months.
Agent and reliability questions
- Show your agent's diff-review surface before commit.
- Show a documented case where your agent caused a production incident and what the vendor did about it.
- Show your telemetry for agent reliability: what percentage of agent-initiated tasks complete without human correction?
Vendors that decline to answer cost variance and agent reliability questions in favor of feature demonstrations are usually selling a demo, not a production capability, and the difference tends to be felt after purchase.
17Pilot Structure Before Full Contract
A narrow, measurable pilot produces stronger decision signal than a long proposal cycle.
Recommended pilot scope:
- 2 to 4 product teams with different service profiles, including at least one team on JetBrains and one on Visual Studio Code
- 8 weeks minimum pilot duration; 4 weeks is too short to see review-load effects
- baseline DORA and SPACE metrics captured for 4 weeks before pilot start
- per-seat cost reporting weekly for the full pilot period
Pilot decision criteria:
- DORA outcomes stable or improved, not degraded
- SPACE-reported developer satisfaction net positive from a written survey, not a Slack poll
- change failure rate flat or lower, catching the "faster wrong code" pattern
- weekly cost per active user within 20 percent of the forecast
- security review completed against actual usage patterns, not a hypothetical
If pilot criteria are met, expand with phased scaling language. If not, revise the layer choice, the vendor choice, or the productivity target before expanding.
18Due Diligence Questions by Stakeholder
For the CTO and VP Engineering
- What productivity outcome will define success in 6 and 12 months, and how will it be measured?
- What is the escape path if the vendor is acquired, changes pricing, or exits the market?
- What decision reverses this contract, and when?
For the Head of Platform
- What editor and IDE standards must this tool support?
- What sanctioned workflows will the tool be part of on day one?
- What is the platform team's role in supporting the tool through the first 12 months?
For Security and Compliance
- What contractual protection exists against vendor training on our code?
- What audit and retention surface is available for evidence collection?
- What deployment posture is acceptable given our data residency and regulatory requirements?
For Finance and Procurement
- What is the forecasted 12-month cost including expected overage?
- What is the per-seat cost cap and how is it enforced?
- What is the renewal risk if per-seat consumption rises 3 times over the pilot baseline?
Weak answers from any one group predict rollout friction even when the tool is technically sound.
19Procurement and Contracting Guidance
The highest-value contract terms are usually operational, not financial.
Recommended contract elements
- explicit exemption from vendor model training with defined liability
- per-seat cost cap with vendor-enforced hard limit or documented soft-cap behavior
- data portability commitment covering prompts, completions, and audit logs
- SLA on agent uptime and reliability with credits, not just apologies
- exit clause with defined transition period if per-seat cost or usage rises beyond agreed thresholds
- IP indemnity with disclosed cap and clear exclusions
Avoid contracts that price only on seats without any operational commitment from the vendor on cost predictability, audit surface, or training exclusion. Seat-only contracts push all rollout risk onto the buyer.
2090-Day Success Markers
A healthy first 90 days usually includes:
- baseline DORA and SPACE metrics captured before rollout begins
- 60 percent or higher weekly active use within the pilot cohort by day 60
- change failure rate flat or lower than baseline
- weekly per-seat cost reporting available to platform leadership
- security review completed against actual usage patterns
- reviewer load and time-to-first-review tracked alongside PR throughput
If these markers are missing, assess whether the rollout is missing measurement discipline, not just tool coverage.
21Common Evaluation Mistakes and How to Avoid Them
Mistake 1: Comparing tools before deciding the layer
Comparing Copilot to Cursor to Claude Code is a category error because they sit in different layers of the market. First decide whether the priority is editor preservation (plugin), agent-first UX (fork), or headless composability (CLI). Then compare vendors within the layer.
Mistake 2: Treating vendor productivity claims as evidence
Vendor-published productivity numbers are usually derived from scoped, favorable studies that do not extrapolate to organization-level throughput. Treat vendor ROI as one input, not the primary evidence, and require an internal pilot with DORA and SPACE measurement.
Mistake 3: Accepting credit-metered pricing without cost controls
Credit-metered pricing without per-seat consumption caps produces exposure that finance teams cannot forecast. Require either seat-flat pricing at the enterprise tier or per-seat hard caps with vendor enforcement.
Mistake 4: Skipping the security review for CLI tools
CLI agents that read and write files on developer machines expose the same code egress risk as chat tools, and enterprise security teams often miss them because they are not GUI applications. Include CLI agents in the same security review as IDE tools.
Mistake 5: Underestimating reviewer overload
AI-assisted PR throughput can rise faster than reviewer capacity, and the bottleneck moves from writing to reviewing. Track review load from the pilot forward, not from the incident forward.
22Architecture Diagram: AI Coding Assistant Governance Loop
[Sanctioned tool + editor standard]
|
v
[Contractual training exclusion + audit surface]
|
v
[Per-seat cost reporting and caps]
|
v
[Agent review gate before merge]
|
v
[DORA + SPACE measurement in production]
|
v
[Shadow AI telemetry check + policy update]
|
v
[Renewal decision with measurable evidence]
The loop is continuous. AI coding assistant governance is a recurring platform function, not a one-time procurement event.
23External References
- Thoughtworks Technology Radar Vol. 33
- Northflank enterprise AI coding agent deployment
- DORA metrics guidance from DX
- SPACE developer productivity framework
- Cursor pricing incident timeline
- Sourcegraph Cody enterprise posture
24Decision Questions for Leadership
How do we know we need a sanctioned AI coding assistant rather than a ban
If endpoint telemetry shows engineers pasting private source code into consumer chat interfaces, if a security team has already flagged shadow-AI code egress as a risk, or if peer companies at similar scale have moved from ban to sanctioned tool, the sanctioned-tool path is stronger. Bans are enforceable only when endpoint controls actually block the alternatives.
Should we standardize on one tool or approve a list
Standardize when the organization has a single editor standard, a strong platform team, and a security posture that benefits from a single vendor audit. Approve a list when editor environments are mixed, agent workflows matter unequally across teams, and platform capacity exists to run security review on more than one vendor.
When is Cursor or Windsurf the right call
When the organization is already standardized on Visual Studio Code, agent-first workflows are a first-class requirement, and the buyer accepts editor-vendor lock-in in exchange for a deeper agent experience. Below any of those thresholds, an IDE plugin or a CLI agent typically produces better outcomes at lower switching cost.
How do we prevent cost surprises with credit-metered pricing
Require seat-flat pricing at the enterprise tier, or negotiate per-seat hard caps with vendor enforcement. Weekly per-seat cost reporting and cost anomaly alerts should be in place before any credit-metered plan is rolled out to more than a pilot cohort.
25Frequently Asked Questions
What is an AI coding assistant
An AI coding assistant is any tool that generates, edits, or reviews source code by calling a large language model, delivered either as an IDE plugin, an IDE fork, a command-line agent that operates on a working tree, or a repo-graph platform. A general chat window pointed at a language model is not an AI coding assistant, because it lacks the workflow embedding, supervision surface, and enterprise controls that define the category.
What is the difference between Cursor and GitHub Copilot
Cursor is an IDE fork built on Visual Studio Code; adopting Cursor replaces the editor. GitHub Copilot is a plugin that installs into Visual Studio Code, JetBrains IDEs, Neovim, and other editors; adopting Copilot preserves the existing editor standard. Cursor typically ships a deeper agent experience; Copilot typically preserves more of the existing developer workflow. The two tools sit in different layers of the market and compete only when the organization is already Visual Studio Code standardized.
Is Claude Code an IDE
No. Claude Code is a CLI agent that operates on a working tree from the terminal. It integrates with IDEs through extensions but does not ship as its own editor. Its strengths are headless execution, sub-agent workflows, and long-context reasoning; its constraints are supervision discipline and the thinner diff-review surface that comes with terminal-first tools.
How do we control AI coding assistant costs
Default to seat-flat pricing at the enterprise tier (GitHub Copilot Business or Enterprise, Amazon Q Developer Pro, JetBrains AI Assistant) unless the platform team actively monitors per-seat consumption. For credit-metered plans (Cursor Ultra, Claude Code Max, Windsurf Max), require per-seat hard caps with vendor enforcement, weekly cost reporting, and cost anomaly alerts before rollout beyond a pilot cohort.
How do we measure whether AI coding assistants improve productivity
Measure a composite of DORA outcomes (deployment frequency, lead time for changes, change failure rate, mean time to recovery) and SPACE dimensions (satisfaction, performance, activity, communication, efficiency and flow). Baseline these metrics for 4 weeks before the pilot starts. Do not report lines of code, suggestion acceptance rate, or vendor-supplied ROI dashboards as the primary evidence.
Do AI coding assistants actually train on our code
For enterprise tiers of the major vendors, no. GitHub Copilot Business and Enterprise, Cursor Business, Windsurf Enterprise, Sourcegraph Cody Enterprise, Tabnine, Amazon Q Developer, and JetBrains AI Assistant all exclude enterprise customer code from model training as of this writing. This exclusion should be verified in the master agreement, not assumed from the marketing page, and it typically does not apply to the vendor's free or consumer paid tiers.
Which AI coding assistant supports on-premises or air-gapped deployment
Sourcegraph Cody supports self-hosted and air-gapped deployment on customer infrastructure. Tabnine offers air-gapped deployment via its Dell AI Factory partnership. JetBrains AI Enterprise documents running on premises. GitHub Copilot, Cursor, Windsurf, and Claude Code are SaaS-only as of this writing; Claude Code can pass through Amazon Bedrock or Google Vertex, but the client remains SaaS.
Why do enterprise AI coding rollouts fail
Roughly 88 percent of enterprise agentic AI pilots do not reach production. The blocker is almost never the model itself; it is governance, isolation, data residency, cost variance, code egress, agent supervision, and reviewer overload. Rollouts that fail typically skipped the layer decision, adopted credit-metered pricing without cost controls, or launched without a productivity measurement plan.
26Related Reading
- Internal Developer Platforms: A Decision Guide for Platform Teams
- Build vs Partner for AI Agent Capabilities Buying Guide
- Leading AI Engineering Service Providers
- Leading AI Agent Development Partners
- Methodology
27Limitations
This guide improves layer selection, vendor evaluation, and rollout planning for AI coding assistants. It does not replace internal legal review of vendor training and indemnity clauses, security review of specific deployment postures, or environment-specific risk decisions. Pricing and enterprise controls are current as of publication and change frequently; verify against vendor documentation before contract. Productivity benchmarks cited from third-party sources are directional and vary substantially across organizations and codebases.
Author: Ishan Vel Reviewed by: StackAuthority Editorial Team Review cadence: Quarterly (90-day refresh cycle)