How to Prevent Source Code Leaks to ChatGPT, Claude, and Copilot: Developer AI Security Controls
Layered controls to block secrets and confidential code without banning AI tools.
A familiar pattern in security reviews: a developer copies proprietary code — sometimes with an API key or schema — into Claude, ChatGPT, Copilot, or Cursor to debug faster.
The intent is rarely malicious. The risk is real: IP exposure, credentials in prompts, customer data in context windows, and weak audit trails.
The default response — “ban AI for code” — typically fails. Developers route around policy, productivity drops, and governance teams still lack visibility.
This guide documents a layered control model to prevent source code leaks to ChatGPT and similar tools using AI-002, AI-003, and AI-010 — without banning AI-assisted development outright.
Operational guidance only. This guide supports technical and policy controls for AI coding tools. It is not legal advice. Engage counsel for IP, employment, and contractual obligations.
1. Classify (AI-002) repos as public / internal / confidential / secret
2. Scan pre-commit for secrets
3. Warn on copy of classified code
4. Block (AI-010) at the prompt layer before external APIs.
Start with layer 1 today.
Why This Is a Top AI Governance Risk
Daily workflows now include ChatGPT/Claude web UIs, GitHub Copilot, Cursor, Claude Code, and Copilot Chat with repo and terminal access. The challenge isn’t stopping AI — it’s controlling what reaches external models.
Readiness check
- We classify source code by sensitivity
- Technical controls block sensitive code before external AI
- Developers know approved tools and safe usage
- We log/monitor code-related AI prompts
- We can demonstrate leakage prevention to auditors
Which AI Coding Tools Create the Highest Leakage Risk?
| Tool type | Risk | Primary concern | Control |
|---|---|---|---|
| Public chatbots (ChatGPT, Claude web) | High | Manual paste of code/logs | Prompt firewall + AUP |
| IDE assistants (Copilot) | Medium | Repo context exposure | Classification + repo policy |
| Agentic tools (Cursor, Claude Code) | High | Autonomous file + API access | Enterprise + HITL |
| Self-hosted models | Lower (external) | Internal access control | RBAC + logging |
Developer pushback — practical responses
| Concern | Response |
|---|---|
| “I need AI to debug” | Approved tools + retention opt-out; redaction utility |
| “Firewall blocks too much” | Weekly false-positive tuning |
| “I’ll use my personal account” | Improve approved tooling; AUP escalation |
AI-002: Data Classification for Source Code
Start with repository-level defaults from AI-002:
| Repo type | Default tier |
|---|---|
| Public OSS | Public |
| Internal tooling | Internal |
| Core product | Confidential |
| Auth / security | Secret |
Add function-level tags later for high-risk modules. Classification + prompt firewall rules work best together.
Tiered approval for AI tools
| Criterion | Confidential | Internal | Public |
|---|---|---|---|
| Training opt-out | Required | Required | Recommended |
| SOC 2 / ISO 27001 | Required | Recommended | — |
| Audit logs | Required | Required | — |
AI-010: Block Secrets in LLM Prompts
Even with classification, developers paste sensitive snippets. Filter at the prompt layer with AI-010.
| Pattern | Regex (summary) |
|---|---|
| API keys | sk-…, ghp_…, AKIA… |
| DB connection strings | postgres://…, mongodb://… |
| Hardcoded secrets | password=…, api_key=… (exclude placeholders) |
| AI-002 tags | classification=confidential, classification=secret |
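A minimal prompt-layer filter for the AI-010 patterns in the table above, written as an added example for this guide (not code from any product or framework). The regexes, rule names and placeholder list are this example's own approximations, and the sample prompt is constructed.

```python
import re

# Rule name -> regex. These are approximations of the AI-010 table patterns, not an official ruleset.
RULES = {
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{20,}"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db_connection_string": re.compile(r"\b(?:postgres(?:ql)?|mongodb(?:\+srv)?)://[^\s'\"]+"),
    "hardcoded_secret": re.compile(r"(?i)\b(?:password|api_key|secret)\s*[=:]\s*['\"]?([^'\"\s]+)"),
    "classification_tag": re.compile(r"(?i)\bclassification\s*=\s*(?:confidential|secret)\b"),
}
# Values that only look like secrets; skipping them keeps the false-positive rate down (weekly tuning goes here).
PLACEHOLDER = re.compile(r"(?i)^(?:<[^>]+>|\$\{[^}]+\}|\{\{[^}]+\}\}|x{4,}|\*{4,}|your[\w-]*|changeme|redacted|example)$")

def _is_placeholder(rule, match):
    # Only the hardcoded-secret rule captures a value that can be a placeholder.
    return rule == "hardcoded_secret" and PLACEHOLDER.match(match.group(1)) is not None

def scan_prompt(text):
    """Return [(rule, matched_text)] for everything in `text` that must not reach an external model."""
    findings = []
    for rule, pattern in RULES.items():
        for m in pattern.finditer(text):
            if not _is_placeholder(rule, m):
                findings.append((rule, m.group(0)))
    return findings

def redact_prompt(text):
    """Replace each finding with a labelled marker so the rest of the prompt can still be sent."""
    for rule, pattern in RULES.items():
        text = pattern.sub(lambda m, r=rule: m.group(0) if _is_placeholder(r, m) else f"[REDACTED:{r}]", text)
    return text

def gate(text):
    """Decision for an outbound prompt: 'block' if any AI-010 pattern is present, otherwise 'allow'."""
    return "block" if scan_prompt(text) else "allow"

# Constructed sample prompt (no real credentials) of the kind a developer pastes into a chatbot.
SAMPLE_PROMPT = '''Why does this connection fail?
DATABASE_URL = "postgres://app:hunter2@db.internal:5432/prod"
OPENAI_KEY = "sk-abcdefghijklmnopqrstuvwxyz0123"
api_key = "prod-9f8e7d6c5b4a"
password = "<your-password>"
# classification=confidential
'''

if __name__ == "__main__":
    for rule, hit in scan_prompt(SAMPLE_PROMPT):
        print(f"{rule}: {hit}")
    print(gate(SAMPLE_PROMPT))      # block
    print(redact_prompt(SAMPLE_PROMPT))
```

Wire `gate` in front of the outbound API call (or the paste handler of an approved tool) and log each finding's rule name, not the matched value, to keep the audit trail itself free of secrets.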