AI-assisted code governance

Embrace AI velocity.
Without sacrificing control.

MergeGuide is the velocity enabler for AI-assisted development, not the security tool that slows you down. Your AI writes compliant code from the first keystroke, so nothing gets kicked back and nothing ungoverned ever reaches your repo.

// Governs the code your AI writes, across your entire stack.
mergeguide · IDE

POLICY VIOLATIONS
  line 14 · Prompt injection
  line 41 · Hardcoded secret
  line 88 · PII in logs
  line 97 · Weak crypto

  12  public string Handle(string input) {
  13      var msg = BuildPrompt(input);
  14      return Chat(msg);            // ⚠ flagged
  15  }

⚠ MergeGuide · Prompt Injection
  Severity: ERROR · violates SOC 2 CC6.1 · HIPAA §164.312(a)(1)
  Fix: validate & structure user input before prompt assembly
mergeguide · MCP
  Checking the active MergeGuide policies, then building a compliant endpoint.
  → Called mergeguide · check_policy
  Drafting a FastAPI endpoint and validating with check_policy before writing.
  → Called mergeguide · check_policy
  Policy flags f-string-built SQL (mg-python-sql-fstring-variable). Inlining the columns into a plain string literal and re-checking.
  ✓ Policy check passed. Writing api/users.py.

MergeGuide-driven hardening (beyond the literal ask)
  · Parameterized query as a plain string constant: no f-string SQL
  · Column allowlist baked in, so password_hash / PHI never leave the DB
  · DSN from env, not hardcoded · audit log on every lookup
  ✻ Hardened in 1m 48s · 0 violations shipped
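The hardened lookup the transcript describes, as an added example rather than the page's own api/users.py: the f-string query the policy flags beside the constant-SQL version with the column allowlist, DSN from the environment and an audit record on every lookup. It uses sqlite3 in place of the FastAPI and database stack so it runs offline; the USERS_DB_DSN variable name, the users table and its rows are constructed for this example and are not from MergeGuide.

```python
"""Vulnerable vs hardened user lookup (added example, not MergeGuide's code).

sqlite3 stands in for the FastAPI/database stack so this runs offline; the
USERS_DB_DSN variable name, table layout and user rows are assumptions.
"""
import logging
import os
import sqlite3
from typing import Any, Dict, List, Optional

log = logging.getLogger("users_api.audit")

# Column allowlist baked into the query: password_hash and PHI (ssn) are
# never selected, so they cannot leave the database through this path.
SAFE_COLUMNS = ("id", "username", "email")

# Parameterized query as a plain string constant. The table and column
# list are fixed text; only the username is bound at execution time.
LOOKUP_USER_SQL = "SELECT id, username, email FROM users WHERE username = ?"

# In-memory audit sink so the example can be checked; production code
# would ship these records to the SIEM or audit store instead.
AUDIT_TRAIL: List[Dict[str, Any]] = []


def connect() -> sqlite3.Connection:
    """DSN from the environment, never hardcoded in source.

    The ':memory:' fallback exists only so the example runs stand-alone.
    """
    conn = sqlite3.connect(os.environ.get("USERS_DB_DSN", ":memory:"))
    conn.row_factory = sqlite3.Row
    return conn


def seed(conn: sqlite3.Connection) -> None:
    """Constructed sample rows, including the columns that must not leak."""
    conn.executescript(
        """
        CREATE TABLE IF NOT EXISTS users (
            id INTEGER PRIMARY KEY,
            username TEXT UNIQUE NOT NULL,
            email TEXT NOT NULL,
            password_hash TEXT NOT NULL,
            ssn TEXT NOT NULL
        );
        DELETE FROM users;
        INSERT INTO users VALUES
            (1, 'alice', 'alice@example.test', '$2b$12$alice-hash', '123-45-6789'),
            (2, 'bob',   'bob@example.test',   '$2b$12$bob-hash',   '987-65-4321');
        """
    )


def lookup_user_unsafe(conn: sqlite3.Connection, username: str,
                       columns: str = "*") -> List[Dict[str, Any]]:
    """The 'before': SQL assembled with an f-string (the shape
    mg-python-sql-fstring-variable flags). Both the column list and the
    value are attacker-influenced, so a crafted username returns every row
    and every column, password_hash and ssn included."""
    sql = f"SELECT {columns} FROM users WHERE username = '{username}'"
    return [dict(row) for row in conn.execute(sql).fetchall()]


def lookup_user(conn: sqlite3.Connection, username: str,
                actor: str) -> Optional[Dict[str, Any]]:
    """The 'after': constant SQL, bound parameter, allowlisted columns, and
    an audit record for every lookup whether or not it finds a user."""
    row = conn.execute(LOOKUP_USER_SQL, (username,)).fetchone()
    result = {col: row[col] for col in SAFE_COLUMNS} if row else None
    # Audit who looked up whom and whether it hit; never log the record.
    entry = {"actor": actor, "target": username, "found": result is not None}
    AUDIT_TRAIL.append(entry)
    log.info("user_lookup actor=%(actor)s target=%(target)s found=%(found)s", entry)
    return result


if __name__ == "__main__":
    db = connect()
    seed(db)
    payload = "' OR '1'='1"
    print("unsafe:", lookup_user_unsafe(db, payload))    # both users, all columns
    print("hardened:", lookup_user(db, payload, "demo"))  # None
    print("hardened:", lookup_user(db, "alice", "demo"))  # id/username/email only
```

The allowlist lives in the query text and again in the response filter, so a later edit that widens the SELECT still cannot return password_hash or ssn, and the audit entry records actor, target and outcome but never the row.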
Evidence Artifact
  ID:          eval-cli-08dfe14b-2feb-4e76-b076-f95e24f9d45e
  Timestamp:   May 19, 2026 · 09:13 AM
  Result:      Passed
  Violations:  0
  Source:      file · acme/payments-api
  Duration:    5661 ms

Raw JSON Data (signed · immutable)
  {
    "schema_version": "1.0",
    "artifact_type": "evaluation",
    "id": "eval-cli-08dfe14b-2feb-4e76-b076-f95e24f9d45e",
    "timestamp": "2026-05-19T14:13:08.922Z",
    "source": {
      "type": "file",
      "location": "acme/payments-api",
      "ref": "898d6eef062b72a71cc4e596447e390e834660f3"
    },
    "context": {
      "org_id": "org-7f3a21c4-demo",
      "repo": "acme/payments-api",
      "author": "unknown"
    },
    "evaluation": {
      "passed": true,
      "total_violations": 0,
      "errors": 0,
      "warnings": 0,
      "infos": 0
    }
  }
SECURITY INSIGHTS · Compliance Dashboard
  Controls passing:      43/59
  Evaluation pass rate:  51%
  Evaluations:           11,816
  OWASP Top 10:          10 controls
  CWE Top 25:            18 controls
  NIST 800-53:           31 controls
SECURITY INSIGHTS · PolicyMerge · overlap analysis
  Frameworks:            NIST SSDF (27) · OWASP ASVS (46) · PCI DSS (29) · SOC 2 (23)
  Shared control areas:  Access Control (3) · Configuration (3) · Cryptography (4) · Dependencies (3) · Deserialization (2) · Infrastructure as Code (1) · Injection (4) · Logging (2) · Path Traversal (1) · Secrets (5) · SSRF (1) · XSS (3)
  Merged controls:       32
4 frameworks · 29 unique controls: assessed once, not 82 times
Catch violations as they're written, in the IDE
Coverage: App code · Infrastructure as Code · CI/CD pipelines · Supply-chain provenance · AI & agents via MCP
The whole point

You shouldn't have to choose between shipping fast and shipping safely.

AI changed how code gets written. It didn't change what you're accountable for. MergeGuide closes that gap at the moment of creation, so velocity and control stop being a tradeoff.

01

Prevent at creation

Your AI assistant generates code that already meets your policies. Violations are prevented before a line is written, not caught in review.

02

Stay in flow

Real-time guidance lives in the IDE your team already uses. No new tool, no context-switch, no code kicked back days later.

03

Prove it automatically

Every check produces signed, immutable evidence. Audit prep is continuous, not a fire drill when the auditor shows up.

Why we built this

AI is a brilliant, reckless developer.

It ships in hours what used to take weeks. It also guesses, takes shortcuts, and hallucinates to get there, because its objective is speed. Meanwhile, your regulations didn't relax because your code got faster, and you're still accountable for everything you put into production.

So we put deterministic controls at the moment of generation: every policy you set is verified against the code itself, and if the AI didn't actually satisfy one, it is sent back to do it again.

That's MergeGuide. Not a brake on AI development: the thing that lets you floor it.

Here's exactly how.

How it works · PolicyMesh

Catch it earlier. Ship it faster.

The same controls run at four graduated points, from AI generation to merge. The earlier a violation is caught, the cheaper it is to fix and the less it slows anyone down.

cost & time to fix, by layer (earliest first):
  MCP          prevented at generation   0 sec
  IDE          inline fix                ~5 sec
  Pre-commit   local hooks               ~5 min
  PR Gate      review cycle              ~30 min

// Same detection engine at every layer. The earlier it's caught, the cheaper the fix, and the less it slows the team.

Lives where developers already work

No new tool to learn. Nothing to switch into.

VS Code · Cursor · GitHub · GitLab · Bitbucket · Azure DevOps · MCP Server · Slack · Jira · Linear
Compliance

Enforce whatever you're accountable to.

Pre-built, auditor-ready templates, not empty shells. Deploy the one you need; PolicyMerge assesses overlapping controls once across all of them.

SOC 2 Type II
PCI-DSS v4.0
HIPAA Security Rule
ISO 27001:2022
FedRAMP Moderate
EU AI Act high-risk
PolicyMerge · unified compliance

Multiple frameworks. One assessment.

Most teams assess the same control many times: once per framework, in slightly different words. PolicyMerge finds the overlap, applies the strictest requirement, and proves that meeting it satisfies the rest.

  Frameworks:            SOC 2 (58) · PCI-DSS (52) · ISO 27001 (61)
  Shared control areas:  Injection (9) · Cryptography (9) · Secrets (8) · Access Control (8) · Authentication (7) · Dependencies (7) · XSS (5) · Configuration (5) · Path Traversal (4) · SSRF (3) · Deserialization (2)
  Merged controls:       67, assessed once · ★ strictest wins

67 shared controls across the three frameworks, assessed once. Meeting the strictest requirement satisfies the rest, automatically.

Why MergeGuide is different

Not another security tool that slows you down.

SAST scans after commit. GRC platforms report after the fact. AI security tools intercept but don't enforce. MergeGuide governs the full lifecycle, and the earlier it acts, the faster your team moves.

Capability                              MergeGuide               Traditional SAST   AI security tools    GRC platforms
When enforcement happens                Before code is written   After commit       After AI generates   After the fact
Prevents violations at AI generation    Yes                      No                 Intercept only       No
Graduated multi-layer enforcement       4 layers                 1–2 layers         1 layer              None
Real-time guidance in the IDE           Yes                      Some               Some                 No
Multi-framework, one assessment         Yes                      No                 No                   No
Signed, immutable evidence              Yes                      No                 No                   Varies

// Comparison by category, not named vendors.

Built for both sides of the table

Velocity for developers. Visibility for security.

For developers

  • Stop getting code kicked back days after you committed it
  • Know what you need to fix up front: write it once, move on
  • Your AI assistant writes compliant code by default, via MCP

For engineering leaders

  • Faster PR cycles: violations caught before submission
  • One standard across all code, human or AI-generated
  • No workflow disruption: governance in existing tools

For security & compliance

  • Visibility into what AI is generating across the codebase
  • Enforcement that scales with AI development velocity
  • Continuous, audit-ready evidence: OSCAL native

FAQ

Questions, answered.

What is AI code governance?

AI code governance is the practice of enforcing your security, compliance, and policy requirements on AI-generated code at the moment it's written, rather than catching violations after commit or after an audit. MergeGuide applies it across the IDE, the AI assistant, Git hooks, and the pull-request gate.

How is MergeGuide different from SAST or AI security tools?

Traditional SAST scans after commit, AI security tools intercept but don't enforce, and GRC platforms report after the fact. MergeGuide prevents violations at the moment of AI generation and enforces across four graduated layers through to a server-side PR gate.

Does MergeGuide slow developers down?

No. It's a velocity enabler. It gives real-time guidance in the IDE and makes your AI assistant generate compliant code by default, so developers avoid rework and nothing gets kicked back days after review.

Which compliance frameworks does it support?

SOC 2, PCI-DSS, HIPAA, ISO 27001, NIST 800-53, FedRAMP, EU AI Act and more. PolicyMerge assesses overlapping controls across multiple frameworks once, using a strictest-wins engine.

Where does MergeGuide run?

In the tools your team already uses: VS Code and Cursor (IDE), your AI assistant via MCP, Git pre-commit hooks, and a server-side PR gate, across GitHub, GitLab, Bitbucket, and Azure DevOps.

How much does it cost?

Free is $0 for 1 user and 1 repository. Builder is $29 per seat/month ($24 billed annually) with uncapped seats and 5 repos per seat. Enterprise is custom-priced. Every tier ships the full product: there's no feature gating.

Let your team go fast, and stay in control.

See MergeGuide govern AI-assisted code across your stack, live.

Book a Demo