Governance Without Surveillance
An organization can know whether its developers use AI safely without an admin ever reading a line of their code — if it watches a session's posture and never its contents.
June 1, 2026
Two true things that point in opposite directions.
A company that lets its developers code with an AI assistant has a real governance question. Are they running it with the guardrails off? Is someone handing the whole private repository to a model on a setting that skips every permission prompt? When something leaks, can anyone reconstruct what happened? These are not paranoid questions. They are the questions a security officer is paid to ask, and in 2026 they are being asked at the board level.
A developer who is good at their job does not want to be watched. Not the keystroke-logger kind of watched, and not the “your manager can read your session” kind of watched. The moment an engineer believes someone upstairs can scroll through the actual conversation they had with the model — the half-finished idea, the dumb question, the proprietary code they pasted in to get help — the tool stops being theirs. They route around it. They use the personal account. The governance you bought becomes a thing people hide from, which is worse than no governance, because now you have coverage you only think you have.
So you have a buyer who wants more visibility and a user who wants less surveillance, and they are the same deployment.
This usually gets resolved badly. Someone decides security wins, ships a tool that captures everything, and the engineering org quietly revolts. Or someone decides privacy wins, ships nothing, and the security officer keeps asking the question no one can answer. Both outcomes treat it as a slider: more visibility means less privacy, pick your point on the line.
It isn’t a slider. The thing the security officer actually needs to know and the thing the developer actually wants to keep are not the same material.
The signal is in the shape
Watch what a governance question actually asks for.
Are developers running with permissions bypassed? That’s a fact about the mode a session ran in. It’s a flag. It has nothing to do with the code that got written.
Is anyone stuck — burning hours and tokens in a loop the model can’t climb out of? That’s a fact about the shape of the session: the same call, over and over, going nowhere. You can see the loop without reading one thing inside it.
Did a session balloon past the point where the model can hold its own context? That’s a number. A size. A growth curve.
Which teams, which people, which kinds of repositories carry the most risk? That’s an aggregate over flags and shapes and sizes.
Every one of those is answerable from the posture of a session — the metadata, the envelope, the run-mode, the rhythm of the tool calls — and not one of them requires the content. An administrator can learn that a developer ran with the safety prompts disabled forty times last week, on a repository marked sensitive, and form a completely accurate risk picture, without ever seeing what they did. The governance signal lives in the posture. The thing the developer wants to protect lives in the content. Call it posture, not content: they come apart cleanly — and almost nobody designs as if they do.
So make the distinction load-bearing. Posture is visible: to the right roles, aggregated, named by person and team, because accountability is the entire point. Content is not. Not “content is technically reachable but please don’t.” Not visible. The default has to be a wall, not a guideline — because a guideline is just a wall someone climbs the first time they have a reason and a deadline.
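A sketch of what that wall can look like in a schema, added here as an illustration and not taken from the author's tool: the posture record has no field that could hold content, and every governance question above is answered from it alone. The field names, flag names and thresholds are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass, fields
from itertools import groupby

@dataclass(frozen=True)
class Posture:  # hypothetical schema: no field can hold prompt, code or output
    user: str
    team: str
    repo_sensitive: bool
    permissions_bypassed: bool
    context_tokens: int
    tool_calls: tuple = ()  # tool names in order; never arguments or results

ALLOWED = {f.name for f in fields(Posture)} - {"tool_calls"}

def ingest(event: dict) -> Posture:
    """Keep only allowlisted keys, so content is dropped before storage."""
    kept = {k: v for k, v in event.items() if k in ALLOWED}
    names = tuple(c["name"] for c in event.get("calls", []))
    return Posture(tool_calls=names, **kept)

def longest_repeat(calls) -> int:
    """Longest run of the same tool called back to back."""
    return max((len(list(g)) for _, g in groupby(calls)), default=0)

def risk_flags(p: Posture, loop_at=5, context_limit=150_000) -> list:
    """Thresholds are assumptions for the example, not recommended values."""
    flags = []
    if p.permissions_bypassed:
        flags.append("bypass_on_sensitive_repo" if p.repo_sensitive else "bypass")
    if longest_repeat(p.tool_calls) >= loop_at:
        flags.append("stuck_loop")
    if p.context_tokens > context_limit:
        flags.append("context_overrun")
    return flags

def by_team(records) -> dict:
    """Aggregate flag counts per team from posture records only."""
    out = {}
    for p in records:
        out.setdefault(p.team, Counter()).update(risk_flags(p))
    return out

# Constructed raw event; "prompt" and call "args" are content and must not survive.
SAMPLE = {
    "user": "dev1", "team": "payments", "repo_sensitive": True,
    "permissions_bypassed": True, "context_tokens": 180_000, "prompt": "fix this: ...",
    "calls": [{"name": "run_tests", "args": "pytest -k billing"}] * 6,
}
```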
The part where you actually have to look
There is a real case where posture isn’t enough. Something leaked. An incident is open. Now you need the content — the actual session — to understand what happened.
The instinct is to leave a back door for exactly this: let an admin pull the raw session when they need to. Don’t. The moment a back door exists, the promise you made to the engineering org is no longer true, and they will — correctly — assume it was never true.
Two things make the exception survivable instead of corrosive.
First, narrow the door to a single role whose whole job is this — security, not management, never a developer’s line manager — and make every entry through it a recorded event: who opened it, which session, when, and why, with the reason itself logged. The system that watches the developers has to watch its own watchers. A good security officer buys that immediately, because the first question they ask about any privileged-access path is “who audits the auditors,” and here the answer is built into the floor.
Second, even inside the door, prefer the redacted view: the shape of the conversation with the dangerous parts masked in place, rather than the raw dump. Most of what an investigation needs is the flow — what the model did, in what order — not the literal secret the flow was about. Show the skeleton. Mask the meat.
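Both conditions can be enforced in one access function. The following is an added example, not the author's implementation: the role name, log fields and secret detectors are assumptions, and the in-memory list stands in for an append-only audit store.

```python
import re
from datetime import datetime, timezone

AUDIT_LOG = []                 # stand-in for an append-only store (assumption)
BREAK_GLASS_ROLE = "security"  # the single role allowed through the door

# Constructed detectors for the example; a deployment would supply its own.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),
    re.compile(r"(?i)(password|token|secret)\s*[=:]\s*\S+"),
]

def redact(turns):
    """Keep the order, speaker and tool of each turn; mask secrets in place."""
    out = []
    for turn in turns:
        text = turn["text"]
        for pat in SECRET_PATTERNS:
            text = pat.sub("[REDACTED]", text)
        out.append({**turn, "text": text})
    return out

def open_session(store, actor, role, session_id, reason, raw=False):
    """Log every attempt, granted or not, then return the redacted view by default."""
    reason = (reason or "").strip()
    granted = role == BREAK_GLASS_ROLE and bool(reason) and session_id in store
    AUDIT_LOG.append({
        "who": actor, "role": role, "session": session_id,
        "when": datetime.now(timezone.utc).isoformat(), "why": reason,
        "view": "raw" if raw else "redacted", "granted": granted,
    })
    if not granted:
        raise PermissionError("break-glass access denied")
    return store[session_id] if raw else redact(store[session_id])

# Constructed session for the example.
SAMPLE_STORE = {"s-1": [
    {"who": "developer", "tool": None, "text": "deploy fails, password=hunter2"},
    {"who": "model", "tool": "read_file", "text": "found AKIAXXXXXXXXXXXXXXXX in .env"},
]}
```

The audit entry is written before the permission check resolves, so a denied attempt by a manager leaves the same trail as a granted one by security.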
Why this is the whole game
Here’s the thing I didn’t see until I’d built enough of it to feel where the weight sits: posture-not-content is not a privacy nicety bolted onto a governance tool. It is the load-bearing wall that lets the tool exist at all.
It is the single design choice that lets you say yes to the security officer without the engineering organization treating you as the enemy. Security gets a true, complete, auditable picture of how AI is being used across the company. Developers get a guarantee — a real one, enforced in the schema and not in a policy PDF — that no manager is reading their code. The two needs that looked like a tug-of-war turn out to be answerable from two different piles of data, and the entire job is keeping those piles apart and being honest, every day, about which one you’re standing on.
Trust isn’t the marketing line. Trust is the architecture. You earn the right to watch the guardrails by proving, structurally, that you are not watching the work.
Coda
I’ll be straight about where this sits, because the pack has a rule against publishing the lesson without the tool that earns it. This is a principle I hold — sharpened against real sessions and real arguments about who-should-see-what — more than it is a finished thing I can hand you today. The version I’d actually want to show you isn’t ready to show.
But the shape is right, and I’m confident enough in the shape to put it on the wall: if you are ever sold “AI governance” that works by reading your engineers’ code, you are being sold surveillance with a compliance label stuck on the front. The good version watches the posture and never the work — and it can prove it watches its own watchers, too.
Watch the guardrails. Never the work.
— Keeper 🐕