QRefAI
AI Coding

Part 4 — The hard cross-cutting problems

We have hundreds of repos, regulated data, and three clouds — how do we not break everything?

5 min · Updated June 2026

Parts 2 and 3 covered the per-tool configuration for Claude Code and Copilot. This section covers what happens when you have to make all of it work across a real organization: many repositories, real compliance requirements, genuine security risks, and infrastructure that isn’t in one place. These are the problems that separate a real platform from a pile of config files.

Template: All Part 4 templates (.zip)

Every cross-cutting template from this page in one download. Mid-2026 snapshot — copy and edit, don't run as-is.

Q4.1 — We have hundreds of repos. How do I distribute harness assets across a polyrepo?

This is the question that separates a real platform from a pile of CLAUDE.md files. Use three patterns in combination:

  1. A private Claude Code plugin marketplace in one platform repo, locked via managed-settings.json (extraKnownMarketplaces to auto-register it, strictKnownMarketplaces with a hostPattern to forbid anything else).
  2. An org-level Copilot marketplace synced from a private GitHub repo. On Enterprise plans this auto-syncs when a PR merges. You get group-level per-plugin overrides — Required, Installed by default, Available for install, Not available — so you can force the code-intelligence plugin on for all engineers while making the payments-domain plugin opt-in for the payments team only.
  3. Repository templates plus reusable workflows. The harness lives in one acme/dev-platform repo. New product repos are created from GitHub repository templates that pre-populate .github/, AGENTS.md, and CLAUDE.md from golden templates. Cross-cutting Agentic Workflows are consumed as reusable workflows. Each repo can still add a local CLAUDE.md/AGENTS.md for its own conventions — the platform repo holds only what’s universal.

For retrofitting existing repos, ship a bootstrap-repo.sh script that drops in the standard .github/ files and rulesets. This is not glamorous work, but it’s how you get from zero to consistent.

Template: bootstrap-repo.sh

Drops AGENTS.md, CLAUDE.md, the .github/ surface, hooks, and the ruleset into an existing repo. Safe by default — never overwrites unless OVERWRITE=1. Point it at your template with TEMPLATE_SRC.

Templates: Repository template scaffold — README; Repository template scaffold (.zip)

A complete .github/ + golden-files tree to fork as a GitHub template repo. bootstrap-repo.sh (above) is the retrofit path; this is the new-repo path. Both share one source of truth.
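The retrofit behaviour described above (safe by default, overwrite only on OVERWRITE=1, template location from TEMPLATE_SRC), written out in Python as an added example. This is not the page's bootstrap-repo.sh and not QRefAI's code; the list of golden files and the acme/dev-platform layout are assumptions made for the example.

```python
"""Retrofit logic for an existing repo: copy golden harness files in,
never clobbering local files unless explicitly asked (OVERWRITE=1)."""
import os
import shutil
import sys
import tempfile
from pathlib import Path

# Golden files a product repo should carry. This list is an assumption
# for the example; the real set comes from your platform repo.
HARNESS_FILES = [
    "AGENTS.md",
    "CLAUDE.md",
    ".github/copilot-instructions.md",
    ".github/workflows/ai-review.yml",
    ".github/rulesets/protected-branches.json",
    ".claude/settings.json",
]


def bootstrap_repo(template_src, repo, overwrite=False):
    """Copy HARNESS_FILES from template_src into repo.

    Returns (copied, kept): relative paths written, and relative paths
    left untouched because they already existed and overwrite is False.
    A missing template file is an error, not a silent skip.
    """
    src, dst = Path(template_src), Path(repo)
    copied, kept = [], []
    for rel in HARNESS_FILES:
        source = src / rel
        if not source.is_file():
            raise FileNotFoundError(f"template is missing {rel} under {src}")
        target = dst / rel
        if target.exists() and not overwrite:
            kept.append(rel)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(source, target)
        copied.append(rel)
    return copied, kept


def run_demo():
    """Build a throwaway template tree and a repo that already has its own
    CLAUDE.md, then run both the safe pass and the OVERWRITE pass."""
    root = Path(tempfile.mkdtemp(prefix="bootstrap-demo-"))
    tpl, repo = root / "dev-platform", root / "product-repo"
    for rel in HARNESS_FILES:
        (tpl / rel).parent.mkdir(parents=True, exist_ok=True)
        (tpl / rel).write_text(f"golden {rel}\n")
    repo.mkdir()
    (repo / "CLAUDE.md").write_text("local conventions\n")

    safe_copied, safe_kept = bootstrap_repo(tpl, repo)
    safe_text = (repo / "CLAUDE.md").read_text()
    force_copied, force_kept = bootstrap_repo(tpl, repo, overwrite=True)
    force_text = (repo / "CLAUDE.md").read_text()
    shutil.rmtree(root)
    return {
        "safe": (len(safe_copied), safe_kept, safe_text),
        "force": (len(force_copied), force_kept, force_text),
    }


if __name__ == "__main__":
    # CLI shape mirrors the page's script: TEMPLATE_SRC and OVERWRITE=1.
    template = os.environ.get("TEMPLATE_SRC")
    if template:
        target_repo = sys.argv[1] if len(sys.argv) > 1 else "."
        done, kept = bootstrap_repo(template, target_repo,
                                    os.environ.get("OVERWRITE") == "1")
        print(f"copied {len(done)} file(s), kept {len(kept)} existing: {kept}")
    else:
        print(run_demo())
```

Run it with `TEMPLATE_SRC=../dev-platform/templates python bootstrap_repo.py .` to retrofit the current repo; without TEMPLATE_SRC it runs the self-contained demo. The point of returning the kept list rather than silently skipping is that the platform team can see which repos have drifted from the golden files.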

Q4.2 — How do I enforce governance, audit, and compliance end to end?

Think of it as one enforcement chain:

  • Identity — SSO + SCIM at your IdP (Okta, Entra ID), with group-scoped provisioning of plugins and agents.
  • Policy distribution — Claude Code managed-settings.json pushed via Jamf/Kandji (macOS), Intune/GPO (Windows), or /etc/claude-code/ (Linux); use managed-settings.d/ for team-owned fragments. On GitHub: the AI Controls tab, repository rulesets, and org custom instructions.
  • Mandatory review — Claude PreToolUse hooks (exit 2) gate edits to protected paths and can spawn a reviewer subagent; GitHub repository rulesets require a human PR review and auto-request Copilot review, so every AI-authored change gets both an AI and a human pass.
  • Audit pipeline — Claude Code OpenTelemetry → collector → SIEM; GitHub enterprise audit log streamed to the same SIEM; correlate the two on user identity (user_id, agent_session_id). Schedule Compliance API pulls into your warehouse.
  • Rollout discipline — Anthropic’s recommended sequence is audit mode first (permissive allow rules, an HTTP audit hook logging everything) for weeks 1–2, a baseline policy in weeks 3–4, then tighten denies from week 5 once you have real data.
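The audit-pipeline link above says to land both streams in one SIEM and correlate on user identity. As an added example (not the page's runbook and not vendor code), here is that correlation over a handful of constructed records: Claude Code OpenTelemetry events keyed by user_id and agent_session_id, GitHub audit-log entries keyed by actor, and a SCIM-style identity map joining the two. Field names beyond the two the page mentions, the event shapes, and the SIEM export format are assumptions; the detection at the end flags sessions in which the agent edited files and the same user pushed without any pull request activity in the window.

```python
"""Join Claude Code OpenTelemetry events with GitHub audit-log events on
user identity, then flag AI-edited sessions whose push had no PR."""
import json
from datetime import datetime, timedelta, timezone

# Constructed OTel export lines (JSON per line, as a collector might write
# them to the SIEM). user_id / agent_session_id follow the page; the rest
# of the shape is assumed.
CLAUDE_LINES = [
    '{"ts":"2026-06-02T09:00:05Z","user_id":"alice@acme.example","agent_session_id":"s-1a","event":"tool_use","tool":"Read","path":"src/app.py"}',
    '{"ts":"2026-06-02T09:03:10Z","user_id":"alice@acme.example","agent_session_id":"s-1a","event":"tool_use","tool":"Edit","path":"src/app.py"}',
    '{"ts":"2026-06-02T10:15:00Z","user_id":"carol@acme.example","agent_session_id":"s-2c","event":"tool_use","tool":"Write","path":"infra/main.tf"}',
    '{"ts":"2026-06-02T11:00:00Z","user_id":"dave@acme.example","agent_session_id":"s-3d","event":"tool_use","tool":"Read","path":"README.md"}',
]

# Constructed GitHub enterprise audit-log entries (@timestamp is epoch ms).
GITHUB_LINES = [
    '{"@timestamp":1780391400000,"action":"git.push","actor":"alice-acme","repo":"acme/shop"}',
    '{"@timestamp":1780391520000,"action":"pull_request.create","actor":"alice-acme","repo":"acme/shop"}',
    '{"@timestamp":1780393200000,"action":"pull_request_review.submit","actor":"bob-acme","repo":"acme/shop"}',
    '{"@timestamp":1780393500000,"action":"pull_request.merge","actor":"alice-acme","repo":"acme/shop"}',
    '{"@timestamp":1780395600000,"action":"git.push","actor":"carol-acme","repo":"acme/infra"}',
    '{"@timestamp":1780398300000,"action":"git.push","actor":"dave-acme","repo":"acme/docs"}',
]

# IdP identity -> GitHub login, as SCIM provisioning would give you (assumed).
IDENTITY = {
    "alice@acme.example": "alice-acme",
    "carol@acme.example": "carol-acme",
    "dave@acme.example": "dave-acme",
}

# Tools whose use means the agent changed files in the working tree.
EDIT_TOOLS = {"Edit", "Write", "MultiEdit"}


def parse_claude(lines):
    """Parse OTel export lines; ts becomes an aware UTC datetime."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def parse_github(lines):
    """Parse audit-log lines; @timestamp (epoch ms) becomes ts."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromtimestamp(rec["@timestamp"] / 1000, tz=timezone.utc)
        events.append(rec)
    return events


def correlate(claude_events, github_events, identity, window=timedelta(hours=2)):
    """Group agent events per session and attach the same user's GitHub
    actions that fall between the session start and its end plus window."""
    sessions = {}
    for ev in claude_events:
        s = sessions.setdefault(ev["agent_session_id"], {
            "user": ev["user_id"], "start": ev["ts"], "end": ev["ts"],
            "edits": [], "github": [],
        })
        s["start"] = min(s["start"], ev["ts"])
        s["end"] = max(s["end"], ev["ts"])
        if ev.get("tool") in EDIT_TOOLS:
            s["edits"].append(ev["path"])
    for s in sessions.values():
        login = identity.get(s["user"])
        for gh in github_events:
            if gh["actor"] == login and s["start"] <= gh["ts"] <= s["end"] + window:
                s["github"].append(gh["action"])
    return sessions


def sessions_without_pr(sessions):
    """Session ids where the agent edited files, the user pushed, and no
    pull_request.* action appeared in the window: the change skipped review."""
    flagged = []
    for sid, s in sessions.items():
        pushed = "git.push" in s["github"]
        pr_activity = any(a.startswith("pull_request.") for a in s["github"])
        if s["edits"] and pushed and not pr_activity:
            flagged.append(sid)
    return flagged


if __name__ == "__main__":
    timeline = correlate(parse_claude(CLAUDE_LINES), parse_github(GITHUB_LINES), IDENTITY)
    for sid, s in timeline.items():
        print(sid, s["user"], s["edits"], s["github"])
    print("sessions pushed without a PR:", sessions_without_pr(timeline))
```

In the constructed data, alice's session edits src/app.py and is followed by a push, a PR, a review and a merge, so it passes; carol's session writes infra/main.tf and is followed only by a push, so it is flagged; dave's session only read files, so a push by dave is not an AI-authored change and is ignored. The identity map is the piece most teams forget: without it the two logs cannot be joined at all.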

Template: governance-chain-runbook.md

The five links as a copyable runbook, each with a gate to proceed. Most orgs have the two ends (identity, rollout) and miss the middle three.

For framework mapping: a deployed managed-settings.json with allowManagedPermissionRulesOnly and disableBypassPermissionsMode is your inspectable access-control artifact. It maps cleanly onto ISO 27001 Annex A.9 (access) and A.12 (operations), and onto NIST SP 800-53 AC-6 (least privilege).

Templates: compliance/compliance-crosswalk.xlsx; compliance/compliance-crosswalk.csv

Each harness artifact mapped to its ISO 27001:2022 and NIST 800-53 control, with an evidence column and a Status dropdown. A mapping aid, not a certification — fill Owner/Status and it doubles as your implementation tracker.

Q4.3 — What are the real security risks, and how do I close them?

Three categories to address systematically.

Secrets.

Never distribute static API keys. Use AWS IAM Identity Center + Bedrock, GCP workload identity + Vertex, or a policyHelper that fetches short-lived credentials. Set CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 and add Read(**/.env) to your deny list.

MCP supply chain.

CVE-2025-59536 showed that a malicious MCP config inside a cloned repo could execute commands before the trust dialog appeared. Controls: allowManagedMcpServersOnly: true on Claude; the MCP servers in Copilot policy with a registry allowlist on GitHub; a centralized MCP gateway for auth, rate-limiting, and audit; and read-only-by-default for any MCP server touching production data.

Template: gateway/mcp-gateway-allowlist.json

Centralized gateway allowlist stub: one choke point that allowlists servers, pins versions, scopes tools, injects secrets, and logs every call. Enforce its use from managed-settings.json.

Plugin supply chain.

Pin plugins by commit SHA in marketplace manifests — Anthropic’s community marketplace does exactly this after automated validation. For autonomous repo automation, GitHub Agentic Workflows’ read-only + safe-outputs + network-firewall model is your best defense against prompt injection. The Cline and Shai-Hulud incidents are the cautionary tales here: both involved autonomous agents with write access being manipulated through crafted inputs.
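Q4.2 calls the deployed managed-settings.json your inspectable access-control artifact, and the three Q4.3 categories each add a setting to it (the Read(**/.env) deny, allowManagedMcpServersOnly, the marketplace lock) or to the marketplace manifest (commit-SHA pins). As an added example, not the page's template and not Anthropic's code, here is a linter that checks a deployed file for those controls and a manifest for unpinned plugins. The key names are the ones this page uses; the nested shapes of the marketplace entries and whether a pin is stored under "commit" or "ref" are assumptions, so verify them against your Claude Code version before relying on the checks.

```python
"""Lint the deployed managed-settings.json against the controls the page
names, and check that a marketplace manifest pins plugins by commit SHA."""
import json
import re

# Constructed managed-settings.json as a fleet might deploy it. The key
# names are the page's; nested shapes beyond them are assumptions.
HARDENED_SETTINGS = r"""{
  "allowManagedPermissionRulesOnly": true,
  "disableBypassPermissionsMode": "disable",
  "allowManagedMcpServersOnly": true,
  "permissions": {
    "allow": ["Read(src/**)", "Bash(npm test)"],
    "deny": ["Read(**/.env)", "Read(**/.env.*)"]
  },
  "extraKnownMarketplaces": {
    "acme-platform": {"source": {"source": "github", "repo": "acme/dev-platform"}}
  },
  "strictKnownMarketplaces": [
    {"source": "hostPattern", "hostPattern": "^github\\.com/acme/"}
  ]
}"""

# The same file before hardening: bypass mode not disabled, .env readable,
# any marketplace accepted. Constructed for contrast.
WEAK_SETTINGS = r"""{
  "allowManagedPermissionRulesOnly": true,
  "allowManagedMcpServersOnly": true,
  "permissions": {"allow": ["Read(src/**)"], "deny": []},
  "extraKnownMarketplaces": {
    "acme-platform": {"source": {"source": "github", "repo": "acme/dev-platform"}}
  }
}"""

# Constructed marketplace manifest. Whether the pin lives under "commit"
# or "ref" is an assumption; either is accepted when it is a full SHA.
MARKETPLACE = {
    "name": "acme-platform",
    "plugins": [
        {"name": "code-intelligence",
         "source": {"source": "github", "repo": "acme/ci-plugin",
                    "commit": "0123456789abcdef0123456789abcdef01234567"}},
        {"name": "payments-domain",
         "source": {"source": "github", "repo": "acme/payments-plugin",
                    "ref": "main"}},
    ],
}

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def lint_managed_settings(text):
    """Return a list of findings; an empty list means every control holds."""
    cfg = json.loads(text)
    perms = cfg.get("permissions", {})
    checks = [
        ("allowManagedPermissionRulesOnly must be true",
         cfg.get("allowManagedPermissionRulesOnly") is True),
        ('disableBypassPermissionsMode must be "disable"',
         cfg.get("disableBypassPermissionsMode") == "disable"),
        ("allowManagedMcpServersOnly must be true",
         cfg.get("allowManagedMcpServersOnly") is True),
        ("permissions.deny must include Read(**/.env)",
         "Read(**/.env)" in perms.get("deny", [])),
        ("extraKnownMarketplaces must register the platform marketplace",
         bool(cfg.get("extraKnownMarketplaces"))),
        ("strictKnownMarketplaces must be set so no other marketplace is accepted",
         bool(cfg.get("strictKnownMarketplaces"))),
    ]
    return [msg for msg, ok in checks if not ok]


def unpinned_plugins(manifest):
    """Names of plugins whose source is not pinned to a 40-hex commit SHA.
    A branch name such as "main" is mutable and therefore counts as unpinned."""
    unpinned = []
    for plugin in manifest.get("plugins", []):
        src = plugin.get("source")
        pin = ""
        if isinstance(src, dict):
            pin = src.get("commit") or src.get("ref") or ""
        if not FULL_SHA.match(pin):
            unpinned.append(plugin["name"])
    return unpinned


if __name__ == "__main__":
    print("hardened:", lint_managed_settings(HARDENED_SETTINGS))
    print("weak:", lint_managed_settings(WEAK_SETTINGS))
    print("unpinned:", unpinned_plugins(MARKETPLACE))
```

Run it against the real file with `lint_managed_settings(open("/etc/claude-code/managed-settings.json").read())`; an empty finding list is the evidence you attach to the ISO/NIST crosswalk row, and a non-empty one is the gate that blocks rollout to week 5.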

Q4.4 — How do I run all of this in a hybrid cloud without surprises?

  • Cloud inference — Bedrock geo-restricted CRIS profiles for data residency; Vertex for GCP-anchored orgs; Foundry for Microsoft shops. Pin every model version in managed-settings.json.
  • On-prem / sovereign — route Claude Code through an internal LLM gateway (LiteLLM) or a self-hosted Anthropic-compatible proxy in your VPC. Note that AWS’s European Sovereign Cloud, launched January 2026, did not yet host Claude models — so a fully sovereign Claude deployment may mean a self-hosted proxy fronting a permitted region. Verify this at deployment time.
  • Self-hosted runners for Copilot — Agentic Workflows run on the standard Actions runner pool; for strict egress control, run them on self-hosted runners inside your network and use the AWF egress proxy as the chokepoint.
  • Network / proxy — set HTTPS_PROXY and a corporate CA bundle for Claude Code; for Node-based plugins, point NODE_EXTRA_CA_CERTS at your corporate root.

The recurring theme across all four of these: the tools give you the primitives, but you have to wire them together deliberately. Hybrid cloud with AI agents does not work by default; it works because someone did the plumbing.

Templates: README — how the files fit together; All Part 4 templates (.zip)

Full bundle and index. Re-verify vendor specifics (ruleset fields, gateway schema, control IDs) before relying on them — this field moves monthly.