5 security questions every CTO must ask their coding agent vendor
Your devs are already using Cursor, Copilot or Claude Code, often without formal approval. These five questions decide whether your codebase is still safe.
Key numbers at a glance
- 60 percent of AI-generated code suggestions in one sample contained high-severity security issues such as SQL injection and authentication bypass (Snyk 2025).
- 73 percent of enterprise AI coding pilots are stopped by security reviews according to Knostic 2025.
- 90 percent of Fortune 100 companies use GitHub Copilot. The race is not "if" but "how safely".
- 15 million euros in fines apply from August 2, 2026 under AI Act Art. 4 for missing AI competence in the team. Audit trails of your coding agents are mandatory evidence.
- 44 percent of DACH companies see data protection and legal uncertainty as their top blocker according to Bitkom 2026, ahead of missing team competence.
Your developers are already using Cursor, Claude Code, Copilot or Codex, probably without formal approval. That is not an anomaly, that is the 2026 reality: 90 percent of Fortune 100 companies have Copilot, and the DACH mid-market is no different; only the compliance situation is mostly still unclear. Now you sit there as a CTO asking how much code security you are handing over to vendors whose contracts you have never read.
At Sentient Dynamics we accompany DACH mid-market companies through exactly this discussion. What we see in every engagement: the devs are three steps ahead, compliance is three steps behind, in between sits the CTO with the mandate to keep pace without compromising the codebase. The following five questions are the minimum viable audit every CTO must run with their coding agent vendor before formally approving tool usage.
Question 1: Where is our data stored, and which jurisdiction applies?
What you concretely ask: "Where are code snippets, prompts and tool outputs processed and stored? Which jurisdiction applies? Is there an EU data residency option?"
What a good answer looks like: Concrete region (for example EU Frankfurt or EU Zurich), clear jurisdiction (EU GDPR, no Schrems II risks), DPA ready to sign. Anthropic offers EU hosting for Claude Enterprise since 2025, GitHub Copilot Business has had EU data residency since 2024, Cursor runs in the US by default or in the EU with Enterprise setup.
Red flag: "Processing primarily in the US, EU data possible but premium plan only", or worse, "We cannot guarantee that right now". If the salesperson dodges or points to a future quarterly release, today's answer is no.
From Sentient practice: In an early 2026 engagement we put three vendor answers on data residency side by side with the CTO. One vendor took three weeks to commit to a written statement. That was a clear knock-out criterion for the pilot.
Question 2: How is your zero data retention setup contractually secured?
What you concretely ask: "Are our code snippets or prompts used for model training? If not, in which contract clause is this defined? How long are logs retained, and can we configure that retention?"
What a good answer looks like: Zero data retention as standard in the Enterprise plan, written into the contract, with a concrete retention period for audit logs (typically 30 to 90 days). Anthropic has zero retention in the Enterprise contract, GitHub Copilot Business too, Cursor Business on request.
Red flag: "Data is anonymised but used for model improvement", "You can switch that off in settings" (settings are not enough, this belongs in the contract), or "Logs are kept indefinitely".
From Sentient practice: In regulated-industry engagements like private banks or insurers, zero data retention is non-negotiable. We review the contract clause word for word, because "we do not use it for training" and "we store it for 12 months" are two very different things. Log retention needs its own explicit period as well, rather than getting lost in general server-logfile sprawl.
Question 3: How granular are tool permissions, and can we configure them per repository?
What you concretely ask: "Can the agent read, write and execute everything in every repository? Or can we configure read, write and bash rights per repository, per branch and per tool type separately?"
What a good answer looks like: Granular permission settings per tool class (Read, Edit, Bash, MCP calls), per repository and ideally per branch. Plus an allowlist for bash commands (for example npm run test allowed, rm -rf blocked). Plus explicit deny lists for secret files (.env, .p12, .jks, credentials*).
Red flag: "The agent has full access to the working directory" as the only mode. Or "You can solve that yourself in code via hooks" (that means security responsibility lies with the customer, not the vendor, and you must know that).
From Sentient practice: We configured the coding agent settings in a mid-market engagement so that the agent could only read the auth/ directory, never write. Plus a pre-bash hook that blocks dangerous commands before execution. These hooks are not a vendor feature but our own work. Vendors that do not even allow it are out.
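An added illustration of the kind of pre-bash hook described above (our own example here, not vendor code and not the configuration from the engagement): it allowlists a handful of commands, refuses rm -rf style commands outright, splits chained commands so each segment is judged on its own, and blocks anything that names a file matching the secret deny list. It assumes the agent hands the hook the full command string on stdin and treats a non-zero exit as "block"; wiring to a specific vendor's hook interface is left open.

```python
"""Pre-bash policy hook (constructed example): command allowlist plus deny list
for secret files. Assumes the agent passes the full shell command on stdin;
adapt the main block to your vendor's actual hook interface."""
import fnmatch
import re
import shlex
import sys
from pathlib import PurePosixPath

# Commands the agent may run, matched as a prefix of the token list.
ALLOWED_PREFIXES = (
    ("npm", "run", "test"), ("npm", "test"), ("npm", "run", "lint"),
    ("git", "status"), ("git", "diff"), ("git", "log"), ("pytest",),
)
# Secret file patterns from the deny list above, matched on the basename.
SECRET_PATTERNS = (".env", ".env.*", "*.p12", "*.jks", "credentials*")
# Destructive commands refused outright, whatever the allowlist says.
DENIED_REGEX = re.compile(r"^rm\s+(-\S*[rf]|--recursive|--force)", re.I)

def _segments(cmd):
    # Split on shell operators so "npm test && rm -rf ." is judged per segment.
    return [s.strip() for s in re.split(r"\|\||&&|[;|]", cmd) if s.strip()]

def _touches_secret(tokens):
    for tok in tokens:
        if any(fnmatch.fnmatch(PurePosixPath(tok).name, p) for p in SECRET_PATTERNS):
            return tok
    return None

def evaluate(cmd):
    """Return (allowed, reason) for one agent-issued shell command."""
    for seg in _segments(cmd):
        if DENIED_REGEX.match(seg):
            return False, f"denied: destructive command in {seg!r}"
        try:
            tokens = shlex.split(seg)
        except ValueError as exc:
            return False, f"denied: unparseable segment ({exc})"
        secret = _touches_secret(tokens)
        if secret:
            return False, f"denied: references secret file {secret!r}"
        if not any(tuple(tokens[:len(p)]) == p for p in ALLOWED_PREFIXES):
            return False, f"denied: {tokens[0]!r} not on allowlist"
    return True, "allowed"

if __name__ == "__main__":
    ok, reason = evaluate(sys.stdin.read())
    print(reason, file=sys.stderr)
    sys.exit(0 if ok else 2)  # non-zero exit tells the agent to block
```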
Question 4: How complete is the audit trail, and who has access to it?
What you concretely ask: "Which action was taken when by which employee with which tool and which input? Can we evaluate that per employee and per repository? Who can view these logs, and who can delete them?"
What a good answer looks like: Complete audit trail with user ID, tool call, input hash, output hash, timestamp, plus the pull request link the action ended up in. Logs visible in the admin dashboard, exportable as CSV or JSON, with role-based access. Deletion only by audit admin with a four-eyes principle.
Red flag: "Users can see their own history" as the only audit mechanism. "We log it but the format is proprietary and not exportable". Or "Logs are only available for 7 days".
From Sentient practice: Audit trails in 2026 are no longer compliance theatre, they are an operational KPI tool. From the logs we build adoption rate and the ability and willingness score per employee, which becomes the basis for workforce steering. If the vendor cannot deliver a clean audit trail, our entire KPI framework falls apart.
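As an added illustration (not from the page or any vendor), a check to run over an exported audit trail before building KPIs on it: it verifies each record carries the fields listed above (user ID, tool call, input hash, output hash, timestamp, pull request link), reports incomplete records by line, and rolls the valid ones up per employee and repository. The JSON Lines field names and the sample export are assumptions constructed for the example.

```python
"""Check an exported coding-agent audit trail for completeness and roll it up.
Constructed example. The JSON Lines field names are an assumption modelled on the
fields listed above, not any vendor's real export schema."""
import hashlib
import json
from collections import Counter
from datetime import datetime

REQUIRED = ("user_id", "repo", "tool", "input_sha256", "output_sha256", "ts", "pr_url")

def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample export; the third record is deliberately incomplete.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"user_id": "u-17", "repo": "payments", "tool": "Edit", "input_sha256": _h(b"prompt A"),
     "output_sha256": _h(b"diff A"), "ts": "2026-03-02T09:14:00Z", "pr_url": "https://git.example/pr/41"},
    {"user_id": "u-17", "repo": "auth", "tool": "Bash", "input_sha256": _h(b"npm test"),
     "output_sha256": _h(b"ok"), "ts": "2026-03-02T09:20:00Z", "pr_url": "https://git.example/pr/41"},
    {"user_id": "u-23", "repo": "auth", "tool": "Bash", "ts": "2026-03-02T10:02:00Z"},
])

def validate(export: str):
    """Return (valid_records, problems); problems are (line number, reason) pairs."""
    valid, problems = [], []
    for lineno, line in enumerate(export.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            problems.append((lineno, "not JSON"))
            continue
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            problems.append((lineno, "missing " + ",".join(missing)))
            continue
        if any(len(rec[f]) != 64 for f in ("input_sha256", "output_sha256")):
            problems.append((lineno, "hash is not sha256 hex"))
            continue
        try:
            datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append((lineno, "bad timestamp"))
            continue
        valid.append(rec)
    return valid, problems

def rollup(records) -> Counter:
    # Actions per (employee, repository): the raw input for per-employee KPIs.
    return Counter((r["user_id"], r["repo"]) for r in records)
```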
Question 5: What does your kill switch and rollback workflow look like?
What you concretely ask: "If a security incident happens tomorrow, how fast can we stop all coding agent sessions in the team? Can we lock individual employees without blocking the rest? What rollback mechanism exists for unauthorised code changes?"
What a good answer looks like: Admin kill switch in the dashboard that ends all active sessions in under 5 minutes. Granular user blocking. For code changes: every agent action goes through pull request review (no direct push to main), rollback is standard git revert.
Red flag: "You would need to contact our support" as the only emergency mechanism. Or "Direct pushes to production are possible if the user has the rights". Direct push to production by a coding agent is a 2026 show stopper.
From Sentient practice: We set up a 30-second kill switch in the admin dashboard in every engagement and test it as a live drill at the end of setup. A CTO who does not know in week one how to shut everything down if something goes wrong feels at the mercy of the tool. The drill solves that.
What happens if the vendor dodges more than two questions
If you go through these five questions cleanly and the vendor dodges or gives non-committal answers on more than two, the tool selection is wrong. There are at least four enterprise coding agent vendors in 2026 who can answer all five clearly (Anthropic Claude Code, GitHub Copilot Business, Cursor Business, OpenAI Codex Enterprise). Settling for less saves 1,000 euros per licence and costs you an audit procedure later that runs into hundreds of thousands plus the CTO's job.
The five questions are not the maximum, they are the minimum. If you need more depth (SOC2 reports, ISO27001 certificates, incident response playbooks), layer that on top. But without this minimum, tool approval is irresponsible.
Pre-buy checklist for CTOs
Before you as a CTO sign off on a coding agent procurement, you should have these answers in writing from the vendor:
- Data residency: EU region named, DPA ready to sign
- Zero data retention: anchored in the contract, retention period configurable
- Permissions: granular per tool class, repository, branch, plus bash allowlist and secret deny list
- Audit trail: fully exportable, role-based access, not deletable without four-eyes principle
- Kill switch: admin dashboard, effect under 5 minutes, tested as a live drill
These five points belong in every coding agent contract as an annex. If the vendor refuses to put it in writing, the sales story was thinner than the operational reality.
How to audit your current coding agent landscape
For DACH mid-market companies that already have Cursor, Copilot or Claude Code in use and now need to clear the security question retroactively, we offer a 90-minute audit at Sentient Dynamics. We go through the five questions with your engineering lead, review the contract situation, scan the tool configuration and deliver a remediation plan for what to adjust before the next external audit round.
The output is a PDF document you can pass directly to your CISO or CCO.
Request a 90-minute coding agent audit →
If you also want to clear the structural "How do we get AI Act Art. 4 compliance" question at the same time, we cover it in the same session. AI Act Art. 4 competence proof and coding agent security audit have a similar structure and share 70 percent of the evidence requirements.
AI Act compliance checklist, 5 min, free →
Frequently asked questions
Is self-hosting our coding agents enough as a security solution? Self-hosting solves data residency, but not the other four questions. Tool permissions, audit trail, kill switch and zero retention are independent of hosting. Whoever thinks "on-prem is safe per se" misses the operational security layer.
What about GDPR with open-source models like Llama or DeepSeek? The open-source model is one thing, the hosting provider another. If you run DeepSeek models on a Chinese cloud provider, the data protection risk is independent of the open-source licence. Hosting region and data flows count, not just model provenance.
How often should the coding agent audit be updated? At least annually, in regulated industries every six months. Plus every time your vendor does a major feature release or sub-processor update. Sub-processor lists are being adjusted significantly more often in 2026, especially when new model versions arrive.
What does AI Act Art. 4 specifically say about coding agents? Art. 4 requires verifiable AI competence in the team. Coding agents qualify as AI systems under the Act, competent usage must be documented and auditable. Audit trails of your coding agent usage are one of the evidence sources you use to prove competence.
Should the audit be done by an internal team or externally? First round externally because the tooling and contract language are specific. Follow-up rounds can run internally once you have a methodology. We pass on the methodology in our 90-minute audit so you can run it yourself from audit two onwards.
What does a professional coding agent security audit cost? At Sentient, the 90-minute audit is part of our Pro programme (success-based) or bookable as a stand-alone Light add-on from 2,500 euros. More demanding industry cases (banks, insurers, healthcare) are priced individually.
Sources
- Snyk State of Open Source Security 2025
- Knostic AI Coding Agent Security 2025
- Bitkom AI Study 2026
- GitHub Copilot Business Trust Center
- Anthropic Claude Enterprise data residency
- Cursor Trust Center
- EU AI Act, Art. 4
About the author
Sebastian Lang is Co-Founder at Sentient Dynamics and leads the Agentic University programme. Before Sentient he ran AI workforce programmes in SAP's Strategy Practice with 15 plus years of engineering leadership experience. Sentient Dynamics works on success-based pricing and is in use at SHD and Bregal portfolio companies.
Sebastian Lang
Co-Founder · Business & Content Lead
Co-Founder of Sentient Dynamics. 15+ years of business strategy (including SAP), MBA. Writes about AI Act compliance, ROI measurement and how mid-market CTOs actually introduce agentic AI.