AI Development · New Release · 14 min read · Published June 8, 2026

One policy file · 13 enterprise AI policies · air-gapped BYOK in 1.122

Enterprise-Governed AI Coding Lands in VS Code Copilot

Two VS Code releases in eight weeks quietly rewired enterprise AI coding. Managed plugins push agents, skills, hooks, and MCP servers to every developer through one policy file, and VS Code 1.122 lets BYOK run without a GitHub sign-in. Together with FedRAMP authorization and EU data residency, that turns a feature drop into a procurement unlock for regulated industries.

By Digital Applied Team (senior strategists) · Sources: GitHub Changelog + VS Code docs

  • Managed plugins (VS Code): public preview Jun 5 (CLI: May 6)
  • BYOK without OAuth: VS Code 1.122, shipped May 28, 2026
  • Named enterprise AI policies: 13 (governance surface)
  • FedRAMP authorization: Moderate, Apr '26

Enterprise-governed AI coding arrived in VS Code on June 5, 2026, when GitHub put enterprise-managed Copilot plugins into public preview — and the quieter half of the story, an air-gapped bring-your-own-key path that no longer needs a GitHub sign-in, landed a week earlier in VS Code 1.122. Read together, they are less a feature drop than a change in who is allowed to deploy AI coding at all.

The headline most coverage missed is the procurement angle. Until the spring of 2026, financial-services, healthcare, and US government buyers were effectively closed to Copilot by compliance table-stakes: no FedRAMP path, no air-gap support, no fleet-wide control surface. Three releases in roughly eight weeks — managed plugins, FedRAMP authorization, and BYOK without OAuth — removed those blockers together. The gate that mattered was never the model. It was the paperwork.

This guide combines the two VS Code developments into one governance deep-dive built for regulated teams. We cover what managed plugins actually distribute, the thirteen named enterprise AI policies and which audit concern each one answers, what "air-gapped" really requires, the FedRAMP and data-residency nuance, the new usage-based billing, and a day-one rollout checklist. Every figure below traces to a GitHub Changelog entry or VS Code documentation page — verify the live versions before you ship.

Key takeaways
  1. One policy file governs the whole fleet. A single settings file in a private .github repository pushes agents, skills, hooks, and MCP servers to every licensed developer. VS Code and Copilot CLI pull and apply it automatically on authentication — no marketplace visit required.
  2. Air-gapped BYOK finally works without a GitHub sign-in. VS Code 1.122 (May 28, 2026) removed the GitHub OAuth dependency for bring-your-own-key. Configure at least one BYOK model and the sign-in prompt is suppressed entirely — the structural unlock for isolated networks.
  3. The unblock is a procurement unlock, not just features. Managed plugins plus FedRAMP authorization plus air-gapped BYOK together clear the compliance table-stakes that had closed Copilot to defence, finance, and healthcare RFPs. The buyers, not the capabilities, are the news.
  4. Thirteen named policies form the governance layer. VS Code now ships thirteen enterprise AI policies — disabling agents, allowlisting MCP servers via a private registry, forcing manual tool approval, OS-level sandboxing, and network domain filtering — each mapping to a distinct audit risk.
  5. Seed the baseline plugin with company context on day one. The highest-leverage move is to ship a baseline plugin containing a CRM connector MCP and one internal-API documentation MCP, so the first agent any developer fires up is already aware of company systems.

01 · The Real Story: The procurement gate is now the software gate.

Most coverage of these releases frames them as "more capabilities." That framing buries the lede. For a large bank, a hospital network, or a government contractor, the question was never whether Copilot could write good code — it was whether the tool could pass a compliance review at all. Without a FedRAMP path, a way to keep prompts off the public internet, and a fleet-wide control surface, AI coding assistants were simply non-starters in the RFP.

Three things changed that in roughly eight weeks. FedRAMP Moderate authorization for Copilot landed in April 2026, making it eligible for US federal procurement that requires FedRAMP as a minimum entry criterion. VS Code 1.122 removed the GitHub OAuth requirement for BYOK on May 28, opening the door to genuinely air-gapped operation. And enterprise-managed plugins entered public preview for VS Code on June 5, giving platform teams a single file from which to govern every developer's agents and tools. The procurement gate, not the model quality, was the bottleneck — and it is the thing that just moved.

This is why the right mental model is infrastructure, not tooling. A single settings file now decides which agents, hooks, and MCP servers every developer in a fifty-thousand-person enterprise can use. That is the same architectural moment as when organizations first started pushing browser configuration and VPN certificates through device management: a new distribution channel that will feel obvious in two years and is worth understanding now, while it is still being standardized.

Why this is the lede
The interesting development is not that VS Code added agents — it is that compliance infrastructure became the control surface that decides which AI tools can be deployed at scale. Mitch Ashley of Futurum Group frames data residency and FedRAMP as foundational to agent governance and auditability rather than as procurement checkboxes. (Futurum is a vendor-adjacent research firm; treat its analysis as directional, not independent.)

02 · Managed Plugins: One policy file, the whole developer fleet.

Enterprise-managed plugins entered public preview for VS Code on June 5, 2026, building on the Copilot CLI preview that launched on May 6. The capability is available to Copilot Business and Copilot Enterprise licensees. The mechanism is deliberately boring, which is exactly why it matters: a single policy file at .github-private/.github/copilot/settings.json governs the entire enterprise fleet. Both VS Code and Copilot CLI automatically pull and apply those settings whenever a licensed user authenticates.

What a single plugin bundle can carry is the part that did not exist in VS Code before. One bundle can ship slash commands, agent skills (instructions, scripts, and resources), custom agents with specialized personas and tool configurations, hooks that fire shell commands at agent lifecycle points, and MCP servers. Plugins install automatically on user authentication — no separate marketplace visit — and administrators verify active configurations in the Agents section of enterprise AI controls on GitHub. Plugins check for updates roughly every 24 hours.

Distributed by policy: Agents & skills (custom personas · scripted skills) · Auto-installed
Custom agents with specialized personas and tool configs, plus agent skills carrying instructions, scripts, and resources. Every licensed developer gets the same vetted set automatically on authentication.

Lifecycle control: Hooks & MCP servers (8 lifecycle events · bundled MCP) · Always-enabled governance
Hooks fire shell commands at eight named lifecycle events — SessionStart, UserPromptSubmit, PreToolUse, PostToolUse, PreCompact, SubagentStart, SubagentStop, Stop. Bundled MCP servers ship alongside, ready to use.

A trust boundary to document
One detail belongs in every security review: plugin MCP servers are implicitly trusted on installation. Unlike workspace MCP servers, they skip the per-startup trust prompt. That is intentional — the platform engineer has already vetted the plugin — but it shifts trust to whoever controls the policy repository, so guard write access to it accordingly.

The plugin manifest itself is minimal. plugin.json requires only a name (lowercase letters, numbers, and hyphens, up to 64 characters); optional fields include a description, a semver version, an author, and paths to skills, agents, hooks, and MCP servers. Copilot-format plugins keep hook files at a root-level hooks.json, while Claude-format plugins use hooks/hooks.json. The simplicity is the point: the bundle is a thin packaging layer over assets your platform team already knows how to write.
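As an added example (not code from GitHub or the VS Code docs), here is a pre-merge lint a platform team could run in the policy repository to check the manifest rules just described. The JSON key spellings `name` and `version`, the function name, and the sample bundle are assumptions; the page names the fields but does not show the file.

```python
import json
import re

# Name rule from the article: lowercase letters, numbers, hyphens, up to 64 characters.
NAME_RE = re.compile(r"[a-z0-9-]{1,64}")
# Semantic version: MAJOR.MINOR.PATCH with optional pre-release and build metadata.
SEMVER_RE = re.compile(
    r"(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?"
    r"(?:\+[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?"
)
# Hook file location per plugin format, as stated in the article.
HOOKS_PATH = {"copilot": "hooks.json", "claude": "hooks/hooks.json"}


def lint_plugin(manifest_text, bundle_files, plugin_format="copilot"):
    """Return a list of findings for one plugin bundle (empty list means clean).

    manifest_text: contents of plugin.json
    bundle_files:  set of relative paths present in the bundle
    plugin_format: "copilot" or "claude"
    """
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [f"plugin.json is not valid JSON: {exc.msg}"]
    if not isinstance(manifest, dict):
        return ["plugin.json must be a JSON object"]

    findings = []
    name = manifest.get("name")  # assumed key spelling
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        findings.append("name: required; lowercase letters, numbers, hyphens, max 64 chars")

    version = manifest.get("version")  # assumed key spelling; the field is optional
    if version is not None and not (
        isinstance(version, str) and SEMVER_RE.fullmatch(version)
    ):
        findings.append(f"version: {version!r} is not a semantic version")

    # A hooks file at the other format's location, with none at the expected one.
    expected = HOOKS_PATH[plugin_format]
    misplaced = [p for p in HOOKS_PATH.values() if p != expected and p in bundle_files]
    if misplaced and expected not in bundle_files:
        findings.append(
            f"hooks: found {misplaced[0]}, but {plugin_format}-format plugins use {expected}"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample bundle with three deliberate mistakes.
    bad = '{"name": "Acme_Baseline", "version": "1.4"}'
    for finding in lint_plugin(bad, {"plugin.json", "hooks/hooks.json"}):
        print(finding)
```
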

"You can strengthen your governance strategy by defining hooks and MCP configurations that are always enabled across your enterprise." — GitHub, Enterprise-Managed Plugins Changelog, June 5, 2026

03 · Governance Layer: Thirteen policies, mapped to the audit risk each one answers.

VS Code now ships thirteen named enterprise AI policies. Most published coverage lists a few of them; what compliance reviewers actually need is a mapping from each policy to the audit risk it addresses. The matrix below is our synthesis of the VS Code Enterprise AI Settings reference and the agent-plugins documentation — the resource to bring into a governance review rather than a feature list to skim.

Table: VS Code enterprise AI governance policies mapped to what each one controls and the audit risk it addresses

| Policy | What it controls | Risk tier addressed |
| --- | --- | --- |
| ChatAgentMode | Disables agent mode entirely where it is not yet sanctioned. | Unauthorized tool execution |
| ChatMCP | Restricts MCP servers to all, registry, or none. | Model & server sprawl |
| McpGalleryServiceUrl | Points VS Code at a private MCP server registry. | Server allowlist enforcement |
| ChatToolsAutoApprove | Forces manual approval for all tool invocations. | Unauthorized tool execution |
| ChatToolsEligibleForAutoApproval | Scopes which tools may ever be auto-approved. | Unauthorized tool execution |
| ChatToolsTerminalEnableAutoApprove | Governs auto-approval for terminal commands specifically. | Unauthorized tool execution |
| ChatAgentSandboxEnabled | Applies OS-level isolation to agent-executed commands. | Data exfiltration |
| ChatAgentNetworkFilter | Turns on domain allowlist / blocklist filtering for agents. | Data exfiltration |
| ChatAgentAllowedNetworkDomains | Defines the explicit domains agents may reach. | Data exfiltration |
| ChatAgentDeniedNetworkDomains | Defines domains agents are blocked from reaching. | Data exfiltration |
| ChatHooks | Controls lifecycle hooks for logging and enforcement. | Compliance audit |
| ChatAgentExtensionTools | Governs which extension-provided tools agents may use. | Unauthorized tool execution |
| BrowserChatTools | Controls browser-based chat tooling availability. | Data exfiltration |

Source: VS Code Enterprise AI Settings reference + Agent Plugins docs (retrieved June 8, 2026). Risk-tier mapping is Digital Applied's synthesis. Policy availability and behavior may change during public preview — confirm against the live docs.

The single most powerful combination in that table is McpGalleryServiceUrl paired with ChatMCP=registry. Together they mean no MCP server outside your internal registry can run at runtime — complete server-allowlist enforcement, decided centrally rather than per developer. For a regulated team, that single pairing converts "which tools could a developer wire in?" from an open question into a closed, auditable list.
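The pairing above is only as strong as its weakest machine, so the following added example (not from the VS Code documentation) audits exported policy values per host and flags every way the pair can fail to enforce an allowlist. The flat name-to-value export format, the host names, and the `corp.example` registry URL are constructed assumptions.

```python
from urllib.parse import urlsplit

# ChatMCP values as listed in the article's policy table.
CHAT_MCP_VALUES = ("all", "registry", "none")


def host_is_internal(url, internal_suffixes):
    """True if url is https and its host falls under an internal DNS suffix."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    return parts.scheme == "https" and any(
        host == s or host.endswith("." + s) for s in internal_suffixes
    )


def audit_mcp_allowlist(policies, internal_suffixes):
    """Classify one machine's MCP posture from its effective policy values.

    policies: dict of policy name -> value (assumed flat export format).
    Returns (status, findings); status is "enforced", "disabled" or "open".
    """
    mode = policies.get("ChatMCP")
    registry_url = policies.get("McpGalleryServiceUrl")

    if mode not in CHAT_MCP_VALUES:
        return "open", [f"ChatMCP is {mode!r}, expected one of {CHAT_MCP_VALUES}"]
    if mode == "none":
        return "disabled", []  # no MCP servers at all

    findings = []
    if mode == "all":
        findings.append("ChatMCP=all: servers outside the registry can still run")
        if registry_url:
            findings.append("McpGalleryServiceUrl is set but ChatMCP does not enforce it")
        return "open", findings

    # mode == "registry": the allowlist is only the organization's own
    # if the registry URL is pinned to an internal https endpoint.
    if not registry_url:
        findings.append("ChatMCP=registry without McpGalleryServiceUrl: no private registry pinned")
    elif not host_is_internal(registry_url, internal_suffixes):
        findings.append(f"McpGalleryServiceUrl {registry_url} is not https on an internal domain")
    return ("enforced" if not findings else "open"), findings


# Constructed sample: effective policy values collected from three machines.
SAMPLE_FLEET = {
    "build-01": {"ChatMCP": "registry",
                 "McpGalleryServiceUrl": "https://mcp-registry.corp.example/v1"},
    "laptop-17": {"ChatMCP": "all",
                  "McpGalleryServiceUrl": "https://mcp-registry.corp.example/v1"},
    "laptop-42": {"ChatMCP": "registry"},
}


def audit_fleet(fleet, internal_suffixes=("corp.example",)):
    """Map each host to its MCP allowlist status."""
    return {host: audit_mcp_allowlist(p, internal_suffixes)[0] for host, p in fleet.items()}


if __name__ == "__main__":
    for host, policies in SAMPLE_FLEET.items():
        status, findings = audit_mcp_allowlist(policies, ("corp.example",))
        print(host, status, "; ".join(findings))
```
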

04 · Air-Gapped BYOK: BYOK that finally runs without a sign-in.

The quieter release is the structural one. Before VS Code 1.122, shipped May 28, 2026, even when all inference routed to a bring-your-own-key provider, the Chat view would not activate without a successful GitHub OAuth handshake with github.com. For an isolated network that could not reach github.com, that single dependency made BYOK unusable no matter how local the model was. VS Code 1.122 removed it. Configuring at least one BYOK model via the Command Palette now suppresses the GitHub sign-in prompt entirely and routes requests directly to the provider.

BYOK in VS Code 1.122 supports six named provider categories — Anthropic, Azure, Gemini, OpenAI, Ollama, and OpenRouter — plus any custom endpoint implementing the Chat Completions, Responses, or Messages APIs. The Custom Endpoint provider moved to Stable in the same release. Billing for BYOK usage goes directly to the chosen provider and does not count against GitHub Copilot request quotas, which removes the per-seat model-spend ceiling for heavy enterprise users. The release also added 1M-context support for Anthropic (Claude Opus 4.7) and OpenAI-compatible models (GPT-5.5) in BYOK configurations, enabling whole-codebase context on large monorepos with no extra setup.

What air-gapped actually requires
Removing the sign-in is necessary but not sufficient. For genuine air-gap operation, three conditions must all hold: the BYOK provider must be local or within the same isolated network; the COPILOT_OFFLINE=true environment variable must be set to disable telemetry; and local inference servers — Ollama, vLLM, or Foundry Local — must replace cloud endpoints. A BYOK provider that points at a remote, internet-accessible API still routes your prompts and code context over the network.
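A preflight check for those conditions, as an added example that is not part of VS Code or Copilot: it verifies that every configured BYOK endpoint is loopback, RFC 1918/ULA, or under an internal DNS suffix, and that COPILOT_OFFLINE=true is present. The endpoint list format, the `lab.example` suffix, and the sample URLs are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges treated as "inside": loopback, RFC 1918 private space, IPv6 ULA.
INSIDE_NETS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "::1/128", "fc00::/7")
]


def endpoint_is_inside(url, internal_suffixes):
    """True if the endpoint host is loopback/private or under an internal suffix."""
    host = urlsplit(url).hostname
    if not host:
        return False  # unparsable URL: treat as outside
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: fall back to a DNS-suffix check (no resolution,
        # so the check itself works offline).
        host = host.rstrip(".").lower()
        return host == "localhost" or any(
            host == s or host.endswith("." + s) for s in internal_suffixes
        )
    return any(ip in net for net in INSIDE_NETS)


def airgap_preflight(byok_endpoints, env, internal_suffixes):
    """Return findings that block a genuine air-gap deployment (empty = pass).

    byok_endpoints: list of base URLs for the configured BYOK models
    env:            environment mapping, e.g. dict(os.environ)
    """
    findings = []
    if not byok_endpoints:
        findings.append("no BYOK model configured: the GitHub sign-in prompt is not suppressed")
    for url in byok_endpoints:
        if not endpoint_is_inside(url, internal_suffixes):
            findings.append(f"{url}: endpoint is outside the isolated network")
    if env.get("COPILOT_OFFLINE") != "true":
        findings.append("COPILOT_OFFLINE=true is not set: telemetry is not disabled")
    return findings


if __name__ == "__main__":
    # Constructed sample: one local server, one remote API, env var missing.
    endpoints = ["http://localhost:11434/v1", "https://api.provider.example/v1"]
    for finding in airgap_preflight(endpoints, {}, ("lab.example",)):
        print(finding)
```

The suffix check trusts naming, not routing, so pair it with an egress rule on the network side.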

There is one boundary worth stating plainly, because no other coverage does: BYOK does not cover code completions or Next Edit Suggestions (NES). Those surfaces still require a GitHub sign-in. BYOK powers chat, tools, and MCP servers only. A "fully air-gapped" deployment therefore still loses inline autocomplete — a meaningful gap for a developer's minute-to-minute flow, and a fair point of future pressure on GitHub to close.

"You can use chat, tools, and MCP servers in air-gapped or restricted environments where GitHub sign-in isn't possible." — Microsoft VS Code team, VS Code 1.122 Release Notes

05 · Compliance Stack: FedRAMP and data residency, stated precisely.

GitHub obtained FedRAMP Moderate authorization for Copilot in April 2026, making it eligible for US federal procurement that requires FedRAMP as a minimum entry criterion. Coverage spans the generally available Copilot features: agent mode, inline suggestions, chat, the cloud agent, code review, PR summaries, and the CLI. The precise wording matters for procurement language — GitHub describes Copilot as becoming FedRAMP authorized along the underlying hosting infrastructure's authorization path, so the honest framing is "authorized on a FedRAMP-Moderate path," not "FedRAMP certified" full stop.

Data residency covers the US now and the EU from May 1, 2026 (EU member states plus the EFTA countries: Iceland, Liechtenstein, Norway, and Switzerland), with Japan and Australia planned for later in 2026. Data-resident requests carry a 10% multiplier on the model cost — a small, explicit premium that buys a clean answer to the "where is our code processed?" question that anchors most regulated reviews.

FedRAMP: Moderate authorization (Apr '26) · Federal RFP eligibility
Authorized on a FedRAMP-Moderate path across GA features — agent mode, inline suggestions, chat, cloud agent, code review, PR summaries, and CLI. Confirm scope in the GitHub Changelog before citing it in an RFP.

Data residency: US now · EU from May 1 (+10%) · Where code is processed
EU coverage spans member states plus EFTA (Iceland, Liechtenstein, Norway, Switzerland); Japan and Australia planned for later 2026. Data-resident requests add a 10% multiplier on the model cost.

Agents window: Stable preview, May 13 (VS Code 1.120) · Parallel + remote sessions
The Agents window moved from experimental to Stable preview in VS Code 1.120, giving long-running agentic tasks a supported surface — note it is Stable preview, not full GA, which matters for procurement language.

The Agents window underpins the long-running side of this story. It supports multiple parallel sessions, remote sessions over SSH and Dev Tunnels, and session sync to GitHub accounts, and its /chronicle command queries past sessions to generate standup-style productivity reports. VS Code 1.121 (May 20, 2026) added the remote-agent support that lets sessions persist after the local client disconnects and execute over SSH or Dev Tunnels — so an enterprise can run agents on secure jump-hosts inside its own perimeter rather than on a developer's laptop. For a fuller view of how this surface overlaps with GitHub's separate effort, see our coverage of GitHub's standalone Copilot desktop app.

06 · Billing & Routing: Usage-based credits and a split-model routing trick.

GitHub Copilot moved to usage-based AI Credit billing on June 1, 2026, replacing the flat premium-request-unit model. Credit allowances track each plan's monthly price: Pro includes $10 in credits, Pro+ includes $39, Business includes $19 per user, and Enterprise includes $39 per user. A promotional bump runs June through August 2026 — Business gets $30 per user and Enterprise gets $70 per user. Code completions and NES remain included on every plan without consuming credits, which keeps the high-frequency surface predictable while agentic usage becomes metered.

The cost lever most teams overlook lives in two settings: chat.utilityModel and chat.utilitySmallModel. They route lightweight utility tasks — commit message generation, rename suggestions, title creation — to cheaper, faster models, while heavy coding tasks use a frontier BYOK model. At enterprise scale, that split routing can meaningfully reduce per-developer token costs without touching the quality of the work that actually matters.

Included AI Credit allowance by plan (monthly)
  • Copilot Pro: $10 / mo included credits
  • Copilot Business: $19 / user ($30 promo Jun–Aug)
  • Copilot Pro+: $39 / mo included credits
  • Copilot Enterprise: $39 / user ($70 promo Jun–Aug)
Source: GitHub Copilot usage-based billing announcement (June 1, 2026)

For a regulated enterprise the billing change has a quiet upside. Because BYOK usage is billed by the provider directly and does not draw on Copilot credits, a team that routes heavy work to a self-hosted or contracted model keeps its Copilot spend bounded while still using the governance layer. The credits then cover the convenience surfaces — chat utility tasks, the occasional cloud agent — rather than the bulk inference. Budget controls and model choice become two separate dials, which is exactly the separation a procurement team wants.

07 · Rollout: The day-one baseline checklist.

The unique, actionable move in this whole release window is deciding what goes into the baseline plugin every developer receives. The checklist below synthesizes the agent-plugins docs, the BYOK changelog entries, and the enterprise settings reference into a single decision order. The standout step is the third one: seed the baseline with a CRM connector MCP and one internal-API documentation MCP, so the first agent a new hire fires up already knows your customer data model and your internal services — no other published rollout guidance names that specific day-one content.

Table: Day-one VS Code managed-plugin rollout checklist with what each step accomplishes, the minimum plan, and the risk if skipped

| Step | What it accomplishes | Risk if skipped |
| --- | --- | --- |
| 1 · Scaffold the policy file | Create .github-private/.github/copilot/settings.json so VS Code and CLI pull settings on authentication. | No central control surface exists. |
| 2 · Build the baseline plugin | Author plugin.json with skills, agents, hooks, and MCP server paths. | Every dev configures ad hoc; no standard. |
| 3 · Add day-one MCP servers | Bundle a CRM connector MCP and one internal-API docs MCP so the first agent is context-aware. | Agents start blind to company systems. |
| 4 · Configure audit hooks | Wire lifecycle hooks (e.g. PreToolUse, Stop) for logging and enforcement. | No audit trail for agent actions. |
| 5 · Stand up a private MCP registry | Set McpGalleryServiceUrl + ChatMCP=registry for full server allowlisting. | Unvetted MCP servers can run. |
| 6 · Set up BYOK for air-gap | Configure a local provider + COPILOT_OFFLINE=true for isolated networks. | Prompts and code leave the perimeter. |
| 7 · Split utility-model routing | Route utility tasks via chat.utilityModel to cheaper models. | Frontier spend on trivial tasks. |
| 8 · Opt into residency / FedRAMP | Enable US/EU data residency and confirm FedRAMP scope for regulated workloads. | Fails compliance review. |
| 9 · Pilot before fleet-wide rollout | Roll the baseline to a small group, verify in the Agents section, then widen. | Misconfiguration hits everyone at once. |

Source: Digital Applied synthesis of VS Code Agent Plugins docs, GitHub Copilot CLI BYOK changelog, and VS Code Enterprise AI Settings (retrieved June 8, 2026). Steps 3–9 require Copilot Business or Enterprise; confirm current plan eligibility before rollout.

If you run a Zoho, Salesforce, or HubSpot back office, the day-one MCP decision is where most of the practical value lands — and it is the kind of integration work our CRM automation engagements are built around. A baseline plugin that connects your CRM and your internal API docs turns "a coding assistant" into "a coding assistant that already understands your business" on the first session, which is the difference between a tool developers tolerate and one they actually adopt.

08 · Implications: What this changes for regulated teams.

The decision tree differs sharply by industry posture. The matrix below sorts the four common situations and the move each one points to.

Defence / classified: Fully air-gapped networks · BYOK + local inference
Use BYOK with a local Ollama / vLLM / Foundry Local model and COPILOT_OFFLINE=true. Accept that inline completions still need a sign-in, so plan for chat-and-agent-only flows on the isolated side.

Federal / public sector: FedRAMP-gated procurement · FedRAMP path + US residency
Confirm FedRAMP scope and enable US data residency. The April 2026 authorization clears the entry criterion that previously closed Copilot to federal RFPs entirely.

Finance / healthcare: Strict but networked · Policy-file governance
Lean on the policy layer: private MCP registry with ChatMCP=registry, sandboxing, network domain filters, and EU data residency. Air-gap is optional; auditability is the requirement.

Standard enterprise: Governance without air-gap · Baseline plugin + cost routing
Ship a baseline plugin, force manual tool approval where it matters, and split utility-model routing for cost. The managed-plugin channel is worth adopting even when compliance is not the driver.

Looking forward, the policy file is the part to watch. Once a single settings file routinely governs the agents, hooks, and MCP servers of an entire engineering org, two things follow. First, the baseline plugin becomes a product in its own right — a thing platform teams version, review, and treat as critical infrastructure rather than a convenience. Second, the competitive question shifts from "which assistant writes the best code" to "which assistant plugs cleanly into the governance and context an enterprise already has." That is the same logic that decided earlier platform wars, and it favors whoever makes the control plane easiest to trust.

The honest caveat is that much of this is still public preview. Policy names, plan eligibility, and the exact air-gap requirements can shift before general availability, and the FedRAMP wording is deliberately careful. The right posture is to pilot now on a small group, document the trust boundaries (especially the implicitly-trusted plugin MCP servers), and avoid writing preview-stage specifics into a binding compliance attestation until the surface settles. For how this stacks against rival approaches, our look at Cursor Organizations enterprise governance is a useful side-by-side, and the broader AI coding adoption data sets the context for why regulated industries were the last segment to unlock.

Adoption context
Futurum Group's 1H 2026 Software Engineering Decision Maker Survey (n=828) reports that a majority of organizations already use AI in software development, with regulated industries the largest remaining untapped segment because compliance was non-negotiable. These figures are vendor-stated — Futurum has advisory relationships with vendors and the methodology was not independently audited — so read the survey as directional support for the procurement thesis, not as independent proof.

09 · Conclusion: The control plane became the product.

Enterprise AI coding, June 2026

The gate that mattered was never the model — it was the paperwork.

In roughly eight weeks, VS Code went from an AI coding tool that most regulated buyers could not procure to one that ships a fleet-wide policy file, an air-gapped BYOK path, FedRAMP authorization, and EU data residency. The features are real, but the unlock is organizational: defence, finance, and healthcare teams that were blocked by compliance table-stakes now have a credible path in.

The architectural shift underneath is the one to internalize. A single settings.json now distributes agents, skills, hooks, and MCP servers to every developer in an enterprise the way device management once distributed VPN certificates. Treat that policy file as infrastructure, guard write access to it, document the trust boundaries it creates, and seed the baseline plugin with the CRM and internal-API context your developers actually need on day one.

The practical move is unglamorous and high-leverage: pilot the baseline plugin on a small team, confirm the policy layer behaves as the docs claim while it is still in preview, and decide your day-one MCP content before you decide your model. The smartest assistant loses to the one that plugs cleanly into the governance and company context you already have — and that is now a decision you make in a file, not a feature you wait for.

FAQ · Governed AI coding in VS Code

The questions we get every week.

Enterprise-managed plugins let a platform team distribute agents, skills, hooks, and MCP servers to every developer through a single policy file at .github-private/.github/copilot/settings.json. Both VS Code and Copilot CLI pull and apply those settings automatically whenever a licensed user authenticates — no marketplace visit required. They entered public preview for VS Code on June 5, 2026, building on the Copilot CLI preview that launched on May 6, 2026, and are available to Copilot Business and Copilot Enterprise licensees. Administrators verify active configurations in the Agents section of GitHub's enterprise AI controls, and plugins check for updates roughly every 24 hours.