The VP Geek Speaks

GitHub's Agent Control Plane: What Enterprise AI Governance Actually Looks Like

On February 26, 2026, GitHub made its Enterprise AI Controls and agent control plane generally available. The timing is notable: it came in the same week that Claude and Codex became available for Copilot Business and Pro users, and as GitHub Enterprise Server 3.20 hit release candidate. The GA isn’t a coincidence—it reflects an industry that has moved from “should we let agents into our codebase?” to “how do we govern agents that are already in our codebase?”

The PR Tsunami: What AI Code Volume Is Doing to Your Review Process

AI coding tools delivered on their core promise: developers write less, ship more. Teams using AI complete 21% more tasks. PR volume has exploded—some teams that previously handled 10–15 pull requests per week are now seeing 50–100. In a narrow sense, that’s a win.

But there’s a tax on that win that most engineering leaders aren’t accounting for: AI-generated PRs wait 4.6x longer for review than human-written code, despite actually being reviewed 2x faster once someone picks them up. The bottleneck isn’t coding anymore. It’s review capacity, and it’s getting worse as AI generation accelerates.

Vibe Coding Won. Now What?

Vibe coding went from a niche provocation to the dominant paradigm of software development in less than 18 months. Collins English Dictionary named it 2025 Word of the Year. OpenAI co-founder Andrej Karpathy coined the term in February 2025; by early 2026, approximately 92% of US developers use AI coding tools daily, and 46% of all new code is AI-generated. The adoption battle is over—vibe coding won.

So why does it feel like the victory lap is getting complicated?

SERA and the Case for Open-Source Coding Agents That Know Your Repo

If your team has tried Cursor, Copilot, or other AI coding tools and found them underwhelming on your codebase—wrong conventions, missing context, generic suggestions—you’re running into a fundamental limit: those models are trained and optimized for the average repo, not yours. In early 2026, AI2 (Allen Institute for AI) released SERA (Soft-Verified Efficient Repository Agents), an open-source family of coding agents built for something different: specialization to your repository through fine-tuning, at a cost that makes it realistic for more teams.

Cursor vs. Copilot in 2026: What Actually Matters for Your Team

By 2026 the AI coding tool war is a fixture of tech news. Cursor—the AI-native editor from a handful of MIT grads—has reached a $29.3B valuation and around $1B annualized revenue in under two years. GitHub Copilot has crossed 20 million users and sits inside most of the Fortune 100. The comparison pieces write themselves: Cursor vs. Copilot on features, price, workflow. But for teams that have adopted one or both and still don’t see clear performance benefits, the lesson from 2026 isn’t “pick the winning tool.” It’s that the tool is often the wrong place to look.

Prompt Injection Is Coming for Your Coding Agent

In early 2026, a critical vulnerability in Anthropic’s Claude Code made the rounds: CVE-2026-24887, which let an attacker bypass the user-approval prompt and execute arbitrary commands via prompt injection. Around the same time, researchers demonstrated prompt-injection-to-RCE chains in GitHub Actions—an external PR could trigger Claude Code in a workflow and, with a malicious payload in the PR title, achieve code execution with workflow privileges. Real incidents have shown agents exfiltrating SSH keys and credentials from hidden instructions in docs or comments. NIST has called prompt injection “generative AI’s greatest security flaw,” and it’s #1 on the OWASP LLM Top 10. If your team is rolling out AI coding assistants or agentic workflows, this isn’t theoretical. It’s the threat model you need to plan for.

Why Mandating AI Tools Backfires: Lessons from Amazon and Spotify

Two stories dominated the AI-and-work conversation in early 2026. Amazon told its engineers that 80% had to use AI for coding at least weekly—and that the approved tool was Kiro, Amazon’s in-house assistant, with “no plan to support additional third-party AI development tools.” Around the same time, Spotify’s CEO said the company’s best engineers hadn’t written code by hand since December; they generate code with AI and supervise it. Both were framed as the future. Both also illustrate why mandating AI tools is a bad way to get real performance benefits, especially for teams that are already skeptical or struggling to see gains.

OpenClaw in 2026: Security Reality Check and Where It Still Shines

OpenClaw (the project formerly known as Moltbot and Clawdbot) had a wild start to 2026: explosive growth, a rebrand after Anthropic’s trademark request, and adoption from Silicon Valley to major Chinese tech firms. By February it had sailed past 180,000 GitHub stars and drawn millions of visitors. Then the other shoe dropped. Security researchers disclosed critical issues—including CVE-2026-25253 and the ClawHavoc campaign, with hundreds of malicious skills and thousands of exposed instances. The gap between hype and reality became impossible to ignore.

GitHub Agentic Workflows Are Here: What They Change (and What They Don't)

In February 2026, GitHub launched Agentic Workflows in technical preview—automation that uses AI to run repository tasks from natural-language instructions instead of only static YAML. It’s part of a broader idea GitHub calls “Continuous AI”: the agentic evolution of continuous integration, where judgment-heavy work (triage, review, docs, CI debugging) can be handled by coding agents that understand context and intent.

If you’re weighing whether to try them, it helps to be clear on what they are, what they’re good for, and what stays the same.

The METR Study One Year Later: When AI Actually Slows Developers

In early 2025, METR (Model Evaluation and Transparency Research) ran a randomized controlled trial that caught the industry off guard. Experienced open-source developers—people with years on mature, high-star repositories—were randomly assigned to complete real tasks either with AI tools (Cursor Pro with Claude) or without. The result: with AI, they took 19% longer to finish. Yet before the trial they expected AI to make them about 24% faster, and after it they believed they’d been about 20% faster. A 39-point gap between perception and reality.