Security, Governance & Architecture
The enterprise-readiness conversation that unblocks adoption
Data privacy & the trust question
After this you can answer the #1 enterprise blocker: where does our code go
Inside a strategic account, the deal does not die on price. It stalls on one question a security lead asks in the first 20 minutes: where does our code go?
As the post-sale SA, you inherit accounts that already bought Cursor for one team and now want to expand. Expansion routes straight through the security org, so the privacy answer is your unblock, not a footnote. Get it precise and you open the door to every other team. Get it vague and the account freezes at its current seat count.
What Privacy Mode actually guaranteessay it precisely
Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. with zero-data-retention terms means code sent for inference is not stored and is not used to train models. That is the claim a customer can put in front of their own legal team, so state it as a bounded fact rather than a comfort blanket.
- Retention
- Under Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. + ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it., code sent for inference is not retained after the request completes
- Training
- Your code is not used to train models
- Encryption
- AES-256 at rest, TLS 1.2+ in transit
- Attestation
- SOC 2 Type II; annual third-party penetration testing
- Hard boundary
- ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. does NOT apply when the customer brings their own API keys - the upstream provider's terms govern that traffic
Perishable specifics (certs, exact terms) change; confirm against current security docs before you put them in a customer's hands.
How a request actually flows
Reviewers trust people who can draw the data path. Walk it concretely: the editor builds context from the open files and indexed codebase, sends only what the request needs to Cursor's backend, which routes to a model provider for inference and returns the completion.
- 1Editor. Your local Cursor client assembles context - the active file, relevant indexed snippets and the prompt. Indexing computes embeddings; the plaintext code is not warehoused for training.
- 2Cursor backend. Receives the request over TLS, applies your org's policy (model allowlist, Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code.) and forwards to the selected provider.
- 3Model provider. Runs inference and returns the completion. Under managed inference with ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it., that request is not retained provider-side.
- 4Return path. The completion comes back to your editor as a diff you review like any other change.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Be able to draw this cold - the policy gate at the backend is what makes Privacy Mode enforceable.
The single most expensive mistake is implying ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. covers a bring-your-own-keys configuration. It does not. With BYO keys, the upstream provider's retention terms govern, not Cursor's.
State that boundary unprompted. A reviewer who catches you overclaiming once stops trusting every other claim you make.
Addressing IP-leak fear head-on
The fear under the question is rarely about retention mechanics. It is the nightmare of proprietary source landing in a model's training corpus and resurfacing for a competitor. Name that fear out loud, then hand back specifics: ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. terms, the SOC 2 report, Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. as an enforceable org setting and private connectivity options for traffic that must stay off the public internet.
- Legal / security objection
- “Our code could be used to train a competitor's model.”
- What resolves it
- Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. + ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. terms; code is not trained on
- Legal / security objection
- “We need proof, not promises.”
- What resolves it
- SOC 2 Type II report + annual third-party pen test results
- Legal / security objection
- “Data can't traverse the public internet.”
- What resolves it
- AWS PrivateLinkAn AWS feature that keeps traffic to a service on your private network instead of the public internet. / Cloudflare Tunnel for private connectivity
- Legal / security objection
- “What if a dev forgets to enable Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code.?”
- What resolves it
- Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. enforced org-wide as an admin policy, not left to individuals
- Legal / security objection
- “We self-host our models.”
- What resolves it
- Model routing / BYO keys - but flag that ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. terms then shift to the provider
| Legal / security objection | What resolves it |
|---|---|
| “Our code could be used to train a competitor's model.” | Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. + ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. terms; code is not trained on |
| “We need proof, not promises.” | SOC 2 Type II report + annual third-party pen test results |
| “Data can't traverse the public internet.” | AWS PrivateLinkAn AWS feature that keeps traffic to a service on your private network instead of the public internet. / Cloudflare Tunnel for private connectivity |
| “What if a dev forgets to enable Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code.?” | Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. enforced org-wide as an admin policy, not left to individuals |
| “We self-host our models.” | Model routing / BYO keys - but flag that ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. terms then shift to the provider |
“Under Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. with zero-data-retention, your code is sent for inference and not stored or trained on. I'll put the data-flow and the SOC 2 report in front of your security team this week. And I'll tell you the one boundary up front: if you bring your own model keys, your provider's terms govern that traffic, not ours.”
In the technical or discovery round, an interviewer may bait you: “So you guarantee our code is never retained, right?” The senior answer volunteers the BYO-keys exception before they corner you on it. Selling on the caveat, not around it, is the exact judgment this role tests.
Takeaway. Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. + ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. means code is not stored or trained on under managed inference - and stating the BYO-keys boundary unprompted is what gets security to “yes,” which is the key for org-wide expansion.
Self-check
QWhy does getting security to “yes” early matter more for an SA than for an AE?
Identity, access & admin controls
After this you can configure enterprise identity and policy for a large org
At a few seats, identity is a login. At a few thousand seats, identity is a lifecycle and the lifecycle is what a security reviewer audits.
Your job as SA is to wire Cursor into the identity machinery the customer already runs, so that provisioning, access and offboarding happen without a human touching a console. Three primitives carry the weight.
The three identity primitives
Authentication through the customer's IdP (Okta, Entra, Ping).
One set of corporate credentials and MFA policy; no separate Cursor passwords to manage or leak.
OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth. supported alongside SAMLAn enterprise standard that powers single sign-on..
Automated provisioning and deprovisioning from the IdP.
Offboard an engineer in the directory and their Cursor access is revoked automatically - no orphaned seats.
Group membership can drive team assignment.
Roles define who can change org settings, manage members and view analytics.
Least privilege: most engineers are members; a small set hold admin.
Policy enforced org-wide, not per individual.
The objection you will hear most from a security team is “an offboarded engineer still had access for three weeks.” SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. is the answer: deprovisioning is event-driven off the directory, so revocation is immediate and provable.
This single control closes a recurring audit finding, which is why it lands harder than any feature demo.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Identity decides who's in; policy decides what they can do; audit proves the controls operate.
Admin controls and org-wide policy
Identity decides who is in. Policy decides what they can do once in. For a large org you set org-wide defaults so an individual developer cannot quietly weaken the posture.
- Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. enforced as an org policy, not a per-user toggle.
- Model and MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. allowlists that bound what tools and providers are reachable.
- Team-scoped settings so a regulated business unit can run a stricter policy than a platform team.
- Admin-only control of billing, member management and analytics access.
Audit & visibility for the compliance team
Security and compliance teams do not just want controls. They want to see the controls operating. Audit logs and usage analytics give them the immutable who-did-what record and seat-level visibility they need for their own reporting.
- Reviewer's checklist item
- Authentication via our IdP with MFA
- Cursor control that answers it
- SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. (SAMLAn enterprise standard that powers single sign-on. / OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth.)
- Reviewer's checklist item
- Automated provisioning at scale
- Cursor control that answers it
- SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. provisioning
- Reviewer's checklist item
- Immediate revocation on offboarding
- Cursor control that answers it
- SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. deprovisioning
- Reviewer's checklist item
- Least-privilege admin model
- Cursor control that answers it
- RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually. roles
- Reviewer's checklist item
- Org-wide enforceable settings
- Cursor control that answers it
- Admin policy + team-scoped settings
- Reviewer's checklist item
- Tamper-evident activity record
- Cursor control that answers it
- Audit logs
- Reviewer's checklist item
- Seat utilization & adoption visibility
- Cursor control that answers it
- Usage analytics
| Reviewer's checklist item | Cursor control that answers it |
|---|---|
| Authentication via our IdP with MFA | SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. (SAMLAn enterprise standard that powers single sign-on. / OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth.) |
| Automated provisioning at scale | SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. provisioning |
| Immediate revocation on offboarding | SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. deprovisioning |
| Least-privilege admin model | RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually. roles |
| Org-wide enforceable settings | Admin policy + team-scoped settings |
| Tamper-evident activity record | Audit logs |
| Seat utilization & adoption visibility | Usage analytics |
Enterprise identity surface: SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. (SAMLAn enterprise standard that powers single sign-on. / OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth.), SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. provisioning/deprovisioning, RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually., audit logs, usage analytics, org-wide admin policy.
Organizations (GA to Enterprise June 3, 2026) is the org-level plane over teams; Groups scope model access, spend limits and agent permissions per cohort, with most-permissive effective settings when memberships overlap.
Confirm exact control availability against current enterprise docs before quoting it in a security questionnaire.
Tie identity back to the rollout plan when asked. Provisioning at scale is not an IT chore - it is the mechanism that turns a 50-seat pilot into a 5,000-seat deployment without a manual onboarding bottleneck. SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. groups can mirror the customer's team topology, so expansion is a directory change, not a project.
Takeaway. SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. authenticates, SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. runs the provision/deprovision lifecycle and RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually. plus org-wide policy enforce least privilege - and SCIM deprovisioning is the control that closes the recurring offboarding audit finding.
Self-check
QA security team's top concern is orphaned access: people who left the company still showing as active. Which control do you lead with and why?
Governing AI-generated code
After this you can advise on guardrails for code authored or edited by AI
A platform lead's real worry is not that AI writes code. It is that AI writes a lot of code, fast and their existing safety net was sized for human throughput.
Your advice flips that worry into a design principle: AI raises the volume of change, so review and testing rigor matters more, not less. The good news you deliver next is that the safety net already exists in their pipeline and does not need rebuilding.
Code review and CI are the safety net
AI-authored changes flow through the identical gates as human changes. The agent is an author. It opens a diff that a human reviews and that CI gates before merge. Nothing about AI involvement bypasses the existing controls.
Every AI change is a scoped diff through normal PR review.
SASTStatic Application Security Testing. Scanning source code for vulnerabilities without running it., DASTDynamic Application Security Testing. Testing a running application for vulnerabilities from the outside., SCASoftware Composition Analysis. Scanning third-party dependencies for known vulnerabilities and license problems., secrets scanning all run on the diff regardless of author.
Separation of duties holds: author ≠ approver ≠ deployer.
Throughput rises, so reviewer load and test coverage matter more.
Reviewers need to read for intent, not rubber-stamp volume.
Standards and Rules pre-shape output so less is caught late.
Rules and standards as the upstream constraint
Catching every problem in review is expensive. The cheaper lever is constraining output before it is written. Cursor Rules (and .cursorrules / .cursor/rules) encode the org's conventions, banned patterns and security practices so generated code starts aligned with the house standard.
# Security & convention rules applied to AI-authored code - Never log secrets, tokens or PII; use the redaction helper in lib/log. - All DB access goes through the repository layer; no raw SQL in handlers. - Validate and parameterize every external input; no string-built queries. - New endpoints require an authz check and a test before they merge.
Rules do not replace review. They raise the floor, so the diff a reviewer sees already follows conventions and the review focuses on intent and edge cases instead of style nits.
Licensing & provenance - talk about it honestly
Senior engineers will ask about licensing and provenance of generated code. Do not wave it away. The honest framing: treat AI-suggested code with the same diligence as any code entering the repo and lean on the supply-chain controls already in CI.
- SCASoftware Composition Analysis. Scanning third-party dependencies for known vulnerabilities and license problems. flags known-CVE and license-incompatible dependencies an agent might pull in.
- SBOMSoftware Bill of Materials. A list of every component and dependency in a build, like an ingredients label for software. keeps the component inventory accurate regardless of who added a dependency.
- Human review remains the accountability boundary for what enters the codebase.
- Where the customer has a stricter policy, encode it as a Rule so it shapes output early.
Do not promise that AI never produces vulnerable or improperly licensed code. No tool can promise that. Promise instead that AI changes run the same gauntlet as human changes and that review plus CI is the accountability layer.
Overclaiming on quality is how you lose a skeptical senior engineer in one sentence.
Helping a platform team write an internal AI-coding policy
The deliverable a platform team actually wants from you is a short, enforceable policy they can publish. Help them write it around four decisions.
- Where AI is allowed
- Which repos and systems; what is out of scope (e.g., payments, crypto) for autonomous work
- How it's reviewed
- Same PR + CI gates as any change; agents author, humans approve
- What's encoded as Rules
- Org conventions, banned patterns and security practices that shape output upstream
- What's tracked
- Disclosure of AI involvement plus audit logs, so changes are attributable
A policy this concrete is something a CISO can sign and a developer can actually follow.
“AI changes nothing about what you need to prove - that change is reviewed, tested and accountable. It changes how much you'll be proving it about. So we put more impact into your gates: Rules to shape output up front, the same review and CI to catch the rest and tracking so every change is attributable.”
Takeaway. AI accelerates output, so review and testing rigor matters more, not less - constrain output upstream with Rules, keep the same PR and CI gates downstream and make AI involvement attributable.
Self-check
Leading an architecture review
After this you can run the architecture/governance review the JD calls for
An architecture review is where you stop being a vendor presenting features and become the peer the customer's architects design with.
The JD asks you to lead these reviews for a reason: in a strategic account, the platform and security architects decide whether Cursor becomes standard tooling or stays a quarantined experiment. A good review produces a written recommendation those architects can circulate and defend internally.
The structure that earns trust
- 1Current state. Map their SDLC, identity stack, network boundary and CI/CDContinuous Integration / Continuous Delivery. The automated pipeline that builds, tests and ships code so changes reach production safely and often. topology as it exists today - before proposing anything.
- 2Requirements & constraints. Capture the non-negotiables: data residency, ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. requirements, approved IdP, network egress rules, in-scope regulated systems.
- 3Integration points. Identify exactly where Cursor touches their world: IdP for SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool./SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave., git host and CI for the change pipeline, MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. for internal context sources.
- 4Risks. Surface what could go wrong and how each is mitigated - before security raises it.
- 5Recommended target architecture. Propose a concrete configuration, then explicitly contrast the ideal with what they can adopt now.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
The risk step is the gate - surface and mitigate risks yourself before security finds them.
Mapping Cursor into their topology
The heart of the review is placing Cursor into four existing planes the customer already runs. Do it as a table they can paste into their own doc.
- Their plane
- SDLC
- Where Cursor slots in
- Author step upstream of PR review and CI; agent produces scoped diffs
- What you must confirm
- Branch protection and review gates stay mandatory
- Their plane
- Identity
- Where Cursor slots in
- SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. (SAMLAn enterprise standard that powers single sign-on./OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth.) + SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. against their IdP; RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually. for admin
- What you must confirm
- Which IdP; SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. group-to-team mapping
- Their plane
- Network
- Where Cursor slots in
- Private connectivity via PrivateLinkAn AWS feature that keeps traffic to a service on your private network instead of the public internet. / Cloudflare Tunnel; IP allowlist
- What you must confirm
- Egress policy; can traffic stay off public internet
- Their plane
- CI/CDContinuous Integration / Continuous Delivery. The automated pipeline that builds, tests and ships code so changes reach production safely and often.
- Where Cursor slots in
- Unchanged - same SASTStatic Application Security Testing. Scanning source code for vulnerabilities without running it./DASTDynamic Application Security Testing. Testing a running application for vulnerabilities from the outside./SCASoftware Composition Analysis. Scanning third-party dependencies for known vulnerabilities and license problems./secrets gates run on the diff
- What you must confirm
- Existing gates remain; nothing weakened
| Their plane | Where Cursor slots in | What you must confirm |
|---|---|---|
| SDLC | Author step upstream of PR review and CI; agent produces scoped diffs | Branch protection and review gates stay mandatory |
| Identity | SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. (SAMLAn enterprise standard that powers single sign-on./OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth.) + SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. against their IdP; RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually. for admin | Which IdP; SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. group-to-team mapping |
| Network | Private connectivity via PrivateLinkAn AWS feature that keeps traffic to a service on your private network instead of the public internet. / Cloudflare Tunnel; IP allowlist | Egress policy; can traffic stay off public internet |
| CI/CDContinuous Integration / Continuous Delivery. The automated pipeline that builds, tests and ships code so changes reach production safely and often. | Unchanged - same SASTStatic Application Security Testing. Scanning source code for vulnerabilities without running it./DASTDynamic Application Security Testing. Testing a running application for vulnerabilities from the outside./SCASoftware Composition Analysis. Scanning third-party dependencies for known vulnerabilities and license problems./secrets gates run on the diff | Existing gates remain; nothing weakened |
The fastest way to lose an architecture review is to let the security architect find a risk you skipped. The fastest way to win one is to raise it yourself, with the mitigation already attached.
Volunteering the BYO-keys ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. boundary or the fact that autonomous merge would break separation of dutiesNo single person can author, approve and deploy the same change. The core control AI autonomy has to respect., reads as senior judgment - not weakness.
The written artifact
Reviews that live only in a meeting evaporate. Produce a short recommendation document stakeholders can forward to their CISOChief Information Security Officer. The executive who owns security; usually the hardest and most important person to win over. and CTO. It does not need to be long - it needs to be defensible.
- Current state
- One diagram-as-table of their SDLC/identity/network/CI today
- Requirements
- The constraints captured, in their words
- Target architecture
- The concrete Cursor configuration you recommend
- Risk register
- Each risk with owner and mitigation
- Phasing
- What ships now vs. what's deferred, with why
Do not present the ideal architecture as the only architecture. An org that cannot adopt PrivateLinkAn AWS feature that keeps traffic to a service on your private network instead of the public internet. this quarter still needs a safe path. Balance the target against what they can actually run now and phase the rest.
An unadoptable recommendation is a failed review, however elegant.
In the demo or scenario round, if asked to “walk us through how you'd run an architecture review,” lead with the structure (current state → constraints → integration → risk → target) and name the written artifact at the end. Ending on a circulatable document signals you understand the review is a means to an internal decision, not a meeting for its own sake.
Takeaway. Run the review as current state → requirements → integration points → risks → recommended target, surface risks before security does and end with a circulatable written recommendation balanced against what the org can adopt now.
Self-check
QYou're leading an architecture review and you know one constraint - the customer can't enable PrivateLinkAn AWS feature that keeps traffic to a service on your private network instead of the public internet. for another quarter. Do you (a) omit it to keep the recommendation clean, (b) recommend PrivateLink as required and stall or (c) something else?
Deployment & integration topology
After this you can reason about how Cursor slots into enterprise infrastructure
In a locked-down enterprise, the question is not whether Cursor is good. It is whether Cursor can reach what it needs through a proxy, a firewall and an egress policy designed to say no.
You need a working mental model of how Cursor connects, integrates and routes, so you can answer infra questions in the room and know the line where you pull in Cursor's product or security experts instead of guessing.
Network, proxy & connectivity
Locked-down environments route egress through corporate proxies and allow only approved destinations. Cursor must be reachable through that path and sensitive customers want the path to stay off the public internet entirely.
- Corporate proxy
- Cursor traffic routes through the customer's egress proxy; confirm the required endpoints are allowlisted
- AWS PrivateLink
- Private connectivity that keeps traffic off the public internet
- Cloudflare Tunnel
- Private connectivity option for orgs not on AWS PrivateLinkAn AWS feature that keeps traffic to a service on your private network instead of the public internet.
- IP allowlisting
- Restrict access to corporate network ranges
Verify current endpoint and connectivity specifics against Cursor's enterprise networking docs before committing them in a deal.
Integrating into the existing toolchain
Cursor lives inside the developer's loop, so it touches the tools that loop already runs. Two categories matter: the change pipeline and the context sources.
Git hosting (GitHub, GitLab, Bitbucket) and the PR review flow.
CI/CDContinuous Integration / Continuous Delivery. The automated pipeline that builds, tests and ships code so changes reach production safely and often. where SASTStatic Application Security Testing. Scanning source code for vulnerabilities without running it./DASTDynamic Application Security Testing. Testing a running application for vulnerabilities from the outside./SCASoftware Composition Analysis. Scanning third-party dependencies for known vulnerabilities and license problems./secrets gates run on the diff.
Ticketing for traceability of why a change was made.
Cursor sits upstream as the author; the pipeline is unchanged.
MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. connects Cursor to internal docs, services and tools.
An MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. allowlist bounds which servers and tools agents can reach.
Brings real internal context to the agent without exposing everything.
This is the lever that makes Cursor fluent in the customer's own systems.
Model routing & data locality
Model selection is a trade-off you must be able to explain. Managed inference keeps ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. terms intact and is the simplest posture. Bring-your-own keys gives the customer provider control but moves the data terms to that provider, which is a governance change, not just a config flag.
- Routing choice
- Managed inference (default)
- Upside
- ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. terms apply; simplest to govern; model allowlist enforced org-wide
- Trade-off to flag
- Customer relies on Cursor's provider relationships
- Routing choice
- Bring-your-own keys
- Upside
- Customer controls the provider account directly
- Trade-off to flag
- ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. no longer applies - provider's retention terms govern that traffic
- Routing choice
- Model allowlist
- Upside
- Constrain which models any team may use
- Trade-off to flag
- Must be set and maintained per org/group policy
| Routing choice | Upside | Trade-off to flag |
|---|---|---|
| Managed inference (default) | ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. terms apply; simplest to govern; model allowlist enforced org-wide | Customer relies on Cursor's provider relationships |
| Bring-your-own keys | Customer controls the provider account directly | ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. no longer applies - provider's retention terms govern that traffic |
| Model allowlist | Constrain which models any team may use | Must be set and maintained per org/group policy |
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
BYO keys is a governance change, not a config flag - flag the ZDR shift unprompted.
Standardizing config so expansion stays governable
The whole point of post-sale ownership is that team #12 should be as governed as team #1. Standardize the configuration so expansion is a repeatable change, not a fresh negotiation each time.
- Use Organizations as the admin plane, with Groups for per-business-unit policy.
- Ship a baseline config (Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. on, model allowlist, MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. allowlist) every new team inherits.
- Mirror SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. groups to team topology so onboarding a team is a directory change.
- Keep Rules in the repo so standards travel with the codebase, not the individual.
You are deeply technical, not the security or product team. When a customer asks for a contractual data-residency commitment, a certification you are not certain Cursor holds or a network design beyond the documented options, pull in Cursor's security/product experts rather than improvising.
“Let me bring in our security team to get you a precise answer” costs nothing. A fabricated commitment costs the deal when their auditor checks.
“Cursor sits upstream of your pipeline as the author and connects to your internal context through MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs., all behind your existing identity, proxy and CI controls. For the network path, we can keep traffic off the public internet with PrivateLinkAn AWS feature that keeps traffic to a service on your private network instead of the public internet. or Cloudflare Tunnel - and I'll loop in our security team to nail down the exact endpoints and any data-residency commitment in writing.”
When an interviewer probes deployment topology, narrate the four planes (network, toolchain, model routing, standardized config) and then name the escalation boundary. Volunteering when you'd pull in Cursor's experts signals the judgment Cursor screens for: hands-on credibility without overclaiming.
Takeaway. Reason in four planes - network/proxy, toolchain + MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs., model routing, standardized config - keep managed inference for intact ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. and know the boundary where you pull in Cursor's security and product experts instead of guessing.
Self-check
QA platform team wants to bring their own model API keys for full provider control. What governance change must you flag?
Governing agents at scale
After this you can layer agent controls on the secure foundation and scale them
The privacy foundation answers where code goes. The next question a platform team asks is sharper: now that an agent can run commands and reach tools on its own, what stops it from doing the wrong thing?
Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. by default, ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. with every provider, SOC 2 Type II and SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool./SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave./MDM are the secure foundation you already sold. Agent governance is the layer on top. As an agent gets more agency - running terminal commands, editing files, calling tools - the security surface grows with it. Three controls put deterministic boundaries around that agency, and each is enforceable org-wide so an individual cannot quietly disable it.
Three layers on the secure foundation
Deterministic scripts that fire at lifecycle checkpoints you own - before a tool runs, before a file is read, after an edit.
You write them and check them into the repo, so the behavior is auditable and version-controlled.
Enterprise hooks pushed via MDM outrank user-defined hooks, so a developer cannot weaken the org's policy locally.
Allowlist or denylist which models are usable org-wide.
Choose which MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. servers are available and, within each, which individual tools an agent can call.
Set each tool to auto-run or require manual approval, so high-blast-radius tools always stop for a human.
Contains the blast radiusHow much breaks if a change goes wrong; the scope of potential damage.: file access scoped to the workspace, network off by default, git read-only.
An agent can read and propose, but cannot reach outside the box or push on its own.
Org-enforced, so an individual developer cannot turn it off.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Hooks, model/MCP control and sandbox mode layer on the privacy foundation - each contains a blast radius the others can't, and each is enforced org-wide.
- Hooks
- Deterministic scripts at lifecycle checkpoints you own and check into the repo; enterprise (MDM) hooks outrank user hooks
- Model & MCP control
- Allowlist/denylist models org-wide; pick which MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. servers AND which individual tools are available, each set to auto-run or manual approval
- Sandbox mode
- File access scoped to the workspace, network off by default, git read-only; org-enforced so individuals can't disable it
All three sit on top of the secure foundation: Privacy Mode default, ZDR with every provider, SOC 2 Type II, SAML/OIDC/MDM.
Egress control: default-deny by design
Sandbox mode turns the network off by default. When an agent does need to reach out, egress is governed the same way model and tool access is - explicit allow, explicit block, deny everything else.
- Allowlist
- Destinations the agent may reach auto-run, without a prompt
- Denylist
- Destinations that are always blocked, no override
- Default
- Deny everything else - anything not explicitly allowed is refused
- Enforcement
- DNS filtering plus an HTTP proxy carry the policy at the network layer, not just in the app
Default-deny egress means a misbehaving or prompt-injected agent has nowhere to send data it shouldn't.
Why the controls have to scale with the code
More agency means more security surface, and that math does not stay small. At NVIDIA-scale - on the order of 40,000 engineers using agents daily - the governance question stops being "is this safe for one developer" and becomes "how do we govern responsibly at scale."
There is a second-order effect to name. If a team ships roughly 40% more code with agents, the controls that gate code - review capacity, policy, access controls - have to scale with that volume. Governance that was sized for human throughput becomes the bottleneck, or worse, the gap. The three layers exist so the boundaries scale as deterministic policy rather than as more manual review.
"The privacy foundation - Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code., ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it., SOC 2, your IdP and MDM - is what gets you to yes on where code goes. On top of that we give you three agent controls: hooks you write and check into the repo, model and MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. allowlists down to the individual tool with auto-run or approval per tool, and a sandbox that scopes file access, turns off network by default and makes git read-only. All three are org-enforced. As you ship more code with agents, those boundaries scale as policy, not as more manual review."
If an interviewer asks how you'd govern agents for a 40,000-engineer customer, do not list features. Lead with the principle - more agency is more surface, so controls scale with code - then name the three layers and that each is org-enforced. Closing on egress default-deny (allowlist auto-run, denylist always blocked, everything else refused, via DNS filtering and an HTTP proxy) shows you can govern the blast radiusHow much breaks if a change goes wrong; the scope of potential damage., not just describe it.
Takeaway. On the secure foundation (Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code., ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it., SOC 2, IdP/MDM), three org-enforced layers govern agency: hooks (deterministic, repo-checked, MDM outranks user), model/MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. control (allowlist down to the tool, auto-run or approval) and sandbox mode (scoped files, network off, git read-only) - and because more agency is more surface, the controls scale with the ~40% more code you ship.
Self-check
QHow is an agent's network egress governed in a sandboxed configuration?