AI-assisted code review is moving beyond a simple product toggle. Once a reviewer can read repository instructions, execute setup steps, access networks, and run on different compute environments, it becomes part of the software delivery platform. That changes the governance question from “Should we enable AI review?” to “Under which versioned and auditable contract may it operate?”
GitHub’s latest Copilot code review improvements make that shift visible. Copilot code review can now read instructions from the pull request’s head branch, consume additional instruction formats such as REVIEW.md, GEMINI.md, and CLAUDE.md, execute custom setup steps, run behind a configurable firewall, and use runner settings that are independent from the Copilot cloud agent.
These capabilities can improve relevance and reduce false positives. They also expand the execution surface around every review. Enterprises should therefore treat the configuration as platform policy rather than scattered repository preferences.
The reviewer now has an execution environment
Traditional static analysis usually operates under a relatively fixed contract: a known rule set evaluates a defined artifact and emits deterministic results. An AI reviewer behaves differently. Its output depends on context, instructions, available tools, network access, and the environment in which it runs.
AI review can work in an enterprise, but model selection is only one part of the operating model.
Four control planes now shape the result:
- Instruction policy: which repository files influence the review and who may change them.
- Setup policy: which commands and dependencies prepare the review environment.
- Network policy: which external destinations the reviewer may reach.
- Runner policy: where the review executes and which identities, secrets, and internal resources are available there.
If these controls evolve independently, two repositories using the same AI reviewer can have very different security and quality properties. A platform contract makes those differences explicit.
Instructions are executable review policy
Reading custom instructions from the head branch is useful because teams can test review guidance before merging it. It also creates a trust-boundary question: a pull request can propose code changes and changes to the instructions used to review that code.
This is not inherently unsafe. Pull requests already modify workflows, build scripts, and policy files. The important point is that instruction files deserve comparable governance.
A practical enterprise baseline should:
- define which instruction formats are supported and where they may live;
- assign CODEOWNERS to organization-critical instruction and agent-skill paths;
- require human review when a pull request changes both application code and reviewer policy;
- separate mandatory organization guidance from repository-specific context;
- test instruction changes against representative pull requests before broad rollout;
- retain the exact instruction revision with review evidence where audit requirements justify it.
Product teams still need room for domain-specific guidance. The platform team should own the contract, validation, and protected baseline, while repository owners maintain local context within those boundaries.
Setup steps belong to the software supply chain
Custom setup steps can make reviews substantially better. A reviewer may need generated code, dependency metadata, project-specific linters, or a compiled schema before it can understand a change.
However, setup steps are code execution. They can download dependencies, run scripts from the branch, and interact with credentials exposed to the runner. Treating them as harmless customization would recreate risks that enterprises already learned to manage in CI/CD.
The platform contract should require:
- minimal and explicit setup steps;
- pinned versions or immutable references for downloaded tools and reusable actions;
- dependency caching that does not weaken provenance checks;
- timeouts and resource limits;
- no production credentials in the review environment;
- clear separation between untrusted pull-request code and trusted setup logic;
- logs that show what ran without exposing secrets.
Where setup behavior is common across many repositories, publish a maintained golden path instead of copying shell fragments. Teams can then inherit a reviewed baseline and add only the repository-specific preparation they need.
Network access needs an exception model
GitHub states that Copilot code review now runs behind a firewall by default and that its network rules can be configured independently from the Copilot cloud agent. This is an important default because review tasks often need less network access than general-purpose coding agents.
The right enterprise pattern is deny by default with narrow, observable exceptions. Typical allowed destinations may include an internal package repository, a schema registry, or an approved documentation endpoint. General internet access should require a documented reason.
Every exception should answer four questions:
- Which destination is required?
- Which review capability depends on it?
- What data may leave the runner?
- Who owns and periodically revalidates the exception?
The current GitHub notice also matters operationally: self-hosted runners do not support the code-review firewall. Organizations using self-hosted runners therefore need compensating controls at the network, workload, or runner-pool level. “Self-hosted” should not be interpreted as “automatically safer.”
Runner selection is a data-boundary decision
Separating runner configuration for Copilot code review from the Copilot cloud agent allows enterprises to match infrastructure to the task. It also prevents an overly broad agent configuration from becoming the default for review workloads.
Runner policy should be based on data classification and required connectivity:
- use isolated hosted runners when repositories need no private network access;
- use hardened self-hosted pools only when internal dependencies make them necessary;
- keep runner images minimal and reproducible;
- use short-lived credentials with repository-scoped permissions;
- prevent persistence between review jobs;
- separate runner pools for different trust zones.
Runner selection affects far more than performance. It determines what source code, internal services, credentials, and telemetry the review process can reach.
A platform contract for AI code review
A useful contract should be small enough for teams to understand and strict enough for governance teams to trust. It can be implemented as policy-as-code, reusable repository configuration, protected settings, and automated conformance checks.
The contract should define at least:
- Purpose: AI review supplements human review and deterministic controls; it does not become an unmeasured release gate.
- Instruction ownership: approved formats, protected paths, and required reviewers.
- Execution policy: allowed setup operations, dependency provenance, resource limits, and secret handling.
- Egress policy: default network posture, approved destinations, and exception ownership.
- Runner policy: permitted runner classes by repository classification and connectivity need.
- Evidence: the configuration version, runner class, policy result, and operational outcome retained for each review where needed.
- Escalation: how developers report incorrect findings, missing context, or policy constraints that reduce review quality.
This contract should be versioned. A change to review instructions, setup behavior, firewall rules, or runner selection can alter both quality and risk. It deserves the same change-management discipline as a CI template or deployment policy.
Measure the operating model, not just adoption
Counting how many repositories enabled AI review says little about whether it works safely. Platform and engineering leaders need evidence across quality, reliability, and governance.
Useful measures include:
- acceptance and dismissal rates for review findings;
- time from finding to resolution;
- setup-step failure and timeout rates;
- repositories compliant with the approved runner and firewall baseline;
- number and age of network exceptions;
- frequency of instruction changes and their effect on finding quality;
- cases where deterministic checks or human reviewers contradicted the AI reviewer.
These measures create a feedback loop. Teams can improve instructions and setup context while the platform team identifies systemic policy or reliability problems.
A pragmatic rollout sequence
Enterprises do not need to design the final governance model before gaining value. A controlled rollout can proceed in four steps:
- Inventory: identify existing instruction files, setup workflows, runner types, and network dependencies.
- Baseline: define one default contract with protected instructions, minimal setup, restricted egress, and an approved runner class.
- Pilot: onboard a representative set of repositories and measure finding quality, setup reliability, and exceptions.
- Scale: publish golden-path configuration, automate conformance checks, and review exceptions periodically.
This approach lets the organization learn without turning every repository into a separate governance experiment.
From feature configuration to delivery policy
GitHub’s new controls are useful because they expose the real shape of AI-assisted review: it is a configurable workload operating inside the delivery system. Instructions influence judgment. Setup steps execute code. Network rules define egress. Runners define the data boundary.
Enterprises now have to make this customization reviewable, reusable, and measurable.
Platform teams should provide the paved road: a versioned contract, secure defaults, approved extension points, and evidence that the reviewer operated within policy. Product teams should own the domain context that makes reviews useful. Security and engineering leadership should define the exceptions and success measures.
That division of responsibility allows AI code review to improve delivery quality without creating an invisible parallel control plane.
GitHub’s implementation details are described in the Copilot code review customization announcement, the code review environment documentation, the repository custom instructions guidance, and the firewall configuration guidance.
