
AI for Engineering

Scope

This document applies to all internal engineering teams and codebases from the CPO organization.

It covers engineering AI-assisted activities, including code generation, code review, grooming, documentation, and automation. This includes all engineering activities where AI had an input, data was sent to an AI, and/or AI contributed to the output.

It does not cover AI usage in customer-facing products.

Why do we use AI coding tools?

AI coding tools can dramatically increase the delivery throughput and the efficiency of software engineers:

  • They can generate code and documentation of good technical quality much faster than a human typing. This removes the bottleneck of typing the code, remembering the proper syntax, etc.
  • They can bring ideas and help brainstorm about architecture, best practices and how to approach a problem.
  • They can bring ideas on how to possibly improve existing code.
  • They can parse and search through code efficiently to provide insights.

When used efficiently, they allow software engineers to spend more time on high added-value tasks such as functional & technical design, quality assurance, etc.

Like many tools, AI coding tools can be poorly used and ultimately reduce the efficiency of the software developer, by generating more issues, and creating knowledge gaps. The following

Guiding Principles

Human-in-the-loop

AI can assist but cannot replace human judgment. All AI-generated outputs must be reviewed and approved by a human before being considered final. The human using the AI remains the owner of and is responsible for the produced content. The human thinks and leverages the AI to act faster.

No replacement of mandatory human steps

Poor code creates more issues than it solves. Just like any developer, AI can generate poor code by making mistakes, or by implementing exactly what it is asked to when the ask is not correct or precise enough. We have processes in our workflows to avoid such issues (grooming, peer reviews, testing, quality assurance, etc.).

AI cannot substitute for required human actions in our processes such as code reviews, grooming, or testing. AI can and should be used to facilitate those steps, but it must not replace human validations. Therefore, we apply the same controls to human-generated code and AI-generated code. Regardless of the origin, if mistakes are made and pass our validation process, the process must be improved.

Example: AI can provide a self-service review to catch basic issues and give the developer quick first feedback, but a human review remains mandatory. By handling this first review, AI helps reviewers focus on high added-value functional aspects rather than low-level details.

Transparency

Any natural language deliverables partially or fully generated with or by AI must be clearly declared as such.

Examples:

  • Documentation written by AI must be identified as such with a note.
  • Grooming generated by AI must be clearly identified as involving AI before human approval.

Any deliverables for which AI was used to generate code more autonomously than line by line (i.e., excluding code completion features, but including AI-generated functions, classes, tests, etc.) must be clearly declared as such so that the next human in the process is aware.

Examples:

  • A PR fully generated by AI must be identified as such, with a note in the PR description.
  • A PR including tests or functions written by AI from a natural language description must be identified as such, with a note in the PR description.
  • A PR in which AI has only been used with code completion and to brainstorm, but not generate code, does not need to be identified as generated with AI.

Approved AI Usage

AI usage for engineering is only permitted through company-approved tools under a company-managed license and Data Processing Agreement (DPA).

AI usage for engineering is only permitted on repositories and codebases clearly identified as AI-compatible:

  • Engineering leaders in the CPO organization have the autonomy to define which repositories can be flagged as AI-compatible, based on the guidelines and practices in this policy. This includes the repository being owned by the CPO organization and the accepted mitigations related to data risks (see below) being applied.
  • All repositories where AI usage is authorized must be flagged as such with a clear statement (typically in the readme.md file): "AI tools approved by group.one AI policy can be used with this repository." Without this mention, AI must not be used on this repository to perform tasks covered by the scope of this policy.

As a result, only approved tools can be used, and only on repositories and codebases that are either public or that meet our data risk management guidelines (see below).

Data Risk Management

As we apply this policy, AI tools will get access to our source code repositories. Despite a DPA and an enterprise license, we must remain vigilant about data risks. We identified four key risks and mitigation strategies:

5.1 Customer Data Leakage

Risk: Real customer data (e.g., emails) appearing in code or tests.

Possible mitigations:

  • Policy banning the use of real customer data in our repositories.
  • Automated scanning on pull requests to detect potentially sensitive data and raise warnings to authors so they can assess and fix issues before merging.

5.2 Employee Personal Data

Risk: Personal emails or identifiers in commits or code.

Possible mitigations:

  • Enforce company email usage for commits.
  • Automation to scan for personal identifiers and raise warnings to authors so they can assess and fix issues before merging.

5.3 Secrets in Code

Risk: Credentials or secrets put directly in source code repositories.

Possible mitigations:

  • Automated scanning of repositories to flag secrets and raise warnings for the owning team to resolve.
  • A secret that has been exposed in this way should be rotated immediately.

5.4 Intellectual Property

Risk: Leakage of proprietary code or algorithms.

Possible mitigations:

  • AI usage allowed with approved tools unless the specific repository is classified as highly sensitive.

Getting Started: Documentation & Good Practices

Read the following documentation to get started with the AI coding tools and understand how they are best used.

General - Internal documentation

  • Basic workflow with AI coding tools
  • group.one AI Skills Library — reusable skill templates for common engineering workflows (grooming, code review, PR creation, definition of done, documentation, ticket writing). Works as slash commands in Claude Code and as agent instructions in GitHub Copilot and other tools.
  • Project instructions template — a template for CLAUDE.md / AGENTS.md / .github/copilot-instructions.md. Giving your AI tool persistent context about your repo's architecture and conventions leads to more consistent, project-aware output.

General - External documentation

GitHub Copilot

Claude Code