๐ผ Air Traffic Control Briefing
The Tower governs who flies, when and under which rules. Org-level policies, seat management, audit telemetry and compliance mappings live here. GitHub ships new Copilot admin controls regularly โ this surface grows with them.
โฌ Compliance Frameworks
The frameworks Copilot governance controls map to. Framework IDs inside each control reference entries here.
โ Governance Controls
Every admin and governance control GitHub exposes for Copilot. Click a row โ or deep link via #control=<id> โ to highlight one. Links from the Cockpit detail panel land here.
๐ก Sovereign Cloud & Data Residency
Where Copilot data lives, how it's encrypted, and what you actually control. Enterprise evaluators: the gap between what you expect and what GitHub delivers is larger than most assume.
Sovereignty Pillars
Data Flow Architecture
Every Copilot request โ completions, chat, agent actions โ passes through GitHub's API proxy for intent detection and telemetry collection. This hop occurs on GitHub infrastructure regardless of your data residency or BYOK configuration. The proxy then forwards to either GitHub-managed model providers (standard path) or your own endpoint (BYOK path). Only VS Code user-level BYOK bypasses the proxy entirely.
Deployment Options
Data Flow Matrix
Provider EU Strategies
Residual Risks
โ Flight Plans
Model routing recommendations by task type. Which model to dispatch for a given job โ and which to avoid. Flight plans are governance decisions: the Tower decides routing.
โ On Final Approach
Planned Tower expansions as GitHub ships them and as we catch up on their rollout:
Recently landed:
- โ MCP Allowlist Governance โ admins control which MCP servers are permitted (GA April 2026)
- โ Copilot usage metrics for EU/AU/US/JP data residency tenants (preview Jan 2026)
- โ BYOK + local models in Copilot CLI โ Ollama, vLLM, Foundry Local, air-gap (April 2026)
- โ Auto model resolution in usage metrics โ see actual model names instead of "Auto" (March 2026)
- โ CLI activity included in aggregate usage metrics (April 2026)
Still on approach:
- Fine-grained content exclusion UI (per-path, per-repo glob patterns)
- Org-level model allowlists & deny-lists (which models your seats can reach)
- Usage analytics dashboards GA (acceptance rate, active seats, feature adoption)
- Seat lifecycle automation (onboarding/offboarding hooks)
- SOC 2 / ISO 27001 / GDPR evidence pack generation
- Audit log retention + SIEM export configuration
- Autopilot governance controls (org-level enable/disable for autonomous mode)