AI Coding Assistant Strategy

Status: Draft
Date: 12 June 2026
Aligned with: Dan James, Justice AI Unit

Vision

By 2028, all MOJ engineering teams have consistent, governed access to AI coding tools that measurably improve delivery outcomes. Teams can choose the right tool for their context, with confidence that all approved tools meet MOJ's security, legal, and quality standards. MOJ is not dependent on any single vendor or model, and can adapt its tooling portfolio as the market and technology evolve.

Current State

AI coding assistants are in active but uncoordinated use across MOJ. Teams have adopted tools independently — primarily GitHub Copilot — with limited central oversight of configuration, data handling, or security posture. There is no agreed approved list, no standard configuration baseline, and no structured approach to evaluating value.

This creates risk: tools may be configured in ways that expose MOJ code or data, usage cannot be audited, and MOJ has limited leverage in commercial negotiations. It also means MOJ is not capturing the full potential benefit — teams may be missing tools better suited to their workflows, and there is no shared learning.

This strategy moves MOJ from ad-hoc adoption to a managed portfolio capability.

Strategic Objectives

  1. Establish an approved portfolio — Define and maintain a list of AI coding tools approved for use with MOJ code and data, assessed against consistent security, legal, and technical criteria.
  2. Set a security and data baseline — Ensure all approved tools are configured to prevent unauthorised training on MOJ data and to meet data protection requirements.
  3. Enable team choice within guardrails — Give delivery teams the autonomy to choose the tool best suited to their context, without requiring central approval for each individual decision.
  4. Measure and demonstrate value — Establish baselines and track the impact of AI coding tools on delivery speed, code quality, and engineering effort.
  5. Maintain commercial and technical optionality — Avoid lock-in to any single vendor or model, and preserve the ability to adapt the portfolio as the market evolves.

Guiding Principles

Security over speed — Where there is a trade-off between moving quickly and managing risk, MOJ will prioritise security and data protection. Tools that cannot meet the security baseline will not be approved, regardless of capability.

Team autonomy within defined guardrails — Delivery teams are trusted to choose the right tool for their context. Central control is limited to what genuinely needs to be consistent. Everything else is delegated to teams.

Evidence over preference — Portfolio decisions are based on evidence of value: delivery outcomes, code quality, security, and cost. Tools that do not demonstrate value will be removed; tools that do will be scaled.

Optionality over lock-in — MOJ will not standardise on a single tool or model where genuine choice exists. Maintaining flexibility across vendors and models is a strategic priority.

Augment, don't replace — AI coding tools support engineers; they do not substitute for engineering judgement. Engineers remain accountable for the quality and safety of the code they produce.

Portfolio Approach

MOJ will move from a piecemeal, tool-by-tool approach to a deliberate portfolio strategy. The market is not stable: AI coding assistants are evolving rapidly, no single tool dominates across all use cases, and different tools excel at different jobs. Standardising on one product now would create lock-in without providing better outcomes.

The portfolio approach:

  • Maintains optionality across tools and models rather than relying on a single vendor
  • Enables teams to choose the tool best suited to their workflow and context
  • Preserves commercial and technical leverage as the market matures
  • Allows usage to be scaled up or down based on evidence of value

This document aligns with:

  • MOJ's strategic commitment to secure, coherent, and outcome-focused digital delivery
  • Existing Justice AI Unit direction on model optionality and controlled adoption
  • Published MOJ AI coding guidance and standards, including the MOJ AI Coding Standards

Initial portfolio

The initial list of AI coding assistants approved for use with MOJ code and data includes:

Tool             Status
GitHub Copilot   Available
Codex            Available (via existing enterprise agreement)
Claude Code      Available (via Azure Foundry)
Cursor           Available
AWS Kiro         Available

What engineers and product teams can and should do

Delivery teams have the autonomy to choose the AI coding tool that best fits their context. This is a deliberate policy choice, not a gap in governance, and teams are expected to use that autonomy actively and responsibly. Choices should preferably be made at product-team level rather than by individual engineers, to avoid fragmentation and keep tooling consistent within a team, but this is not mandated.

Choose the right tool for your context

Select from the approved portfolio the tool that best fits your team's workflow, stack, and delivery type. Consider:

  • The nature of the work — repository-scale engineering, rapid prototyping, UI generation, or data pipelines
  • Developer experience and integration with existing tooling
  • Speed, quality, and the overhead of switching or mixing tools

Use the OCTO standard prompt baseline

All users of AI coding agents must use the OCTO AI Coding Assistant standards. These prompts are pre-configured to ensure alignment with OCTO standards, policies, and guidelines. They are not optional.

Using the standard baseline means your AI agent will:

  • Operate within approved security and data handling boundaries
  • Produce output consistent with MOJ coding standards and practices
  • Avoid patterns or outputs that conflict with departmental policy

Reference: MOJ AI Coding Standards

Apply good engineering judgement

AI tools augment engineering; they do not replace it. Teams should:

  • Review, test, and take ownership of all AI-generated code before merging
  • Apply the same security, accessibility, and quality standards as any other code
  • Raise concerns about tool behaviour or unexpected outputs with OCTO

Feed back on what works

Teams are in the best position to evaluate tools in practice. Share feedback with OCTO on tool performance, limitations, and emerging use cases so the portfolio can be actively managed.


What OCTO will do to support

OCTO's role is to enable safe, consistent, and productive use of AI coding tools across MOJ — without creating unnecessary friction for delivery teams. Central control is limited to what genuinely needs to be consistent; everything else is delegated to teams.

Maintain the approved tool and model portfolio

OCTO will own the list of approved AI coding tools and model endpoints.

  • New tools are assessed through a defined onboarding process covering security, legal, commercial, and technical requirements
  • Only approved model endpoints may be used with MOJ code and data
  • Portfolio status is reviewed regularly as capability, risk, and market conditions change

Set and operate the security and data baseline

OCTO will define the mandatory configuration for all approved tools.

  • No training on MOJ code unless explicitly approved
  • No uncontrolled transfer of code, prompts, or metadata to non-approved services
  • Standard configuration for data protection, access control, logging, and retention

Manage identity, access, and licensing

OCTO will handle commercial agreements, onboarding, and distribution of licences to managed devices.

  • Role-based access to tools and model tiers
  • Integration with MOJ identity and endpoint management
  • Timely processes for joiners, movers, and leavers

Provide the standard prompt baseline

OCTO will publish and maintain the standard prompt baseline that all AI coding agent users must apply. These prompts embed OCTO standards, policies, and guidelines directly into how the tools operate.

  • Prompts are maintained in the MOJ AI Coding Standards repository
  • Reusable playbooks cover common engineering tasks including code generation, review, testing, and documentation
  • Teams should use these as a starting point and raise gaps or improvements with OCTO

Assure usage and respond to incidents

OCTO will operate central assurance so AI tool usage remains compliant and measurable.

  • Usage telemetry and periodic compliance checks
  • Audit trail requirements for regulated and high-risk contexts
  • Defined incident response process for misuse, data leakage, or policy breach

Evaluate tools and manage the portfolio

OCTO will continuously assess tools in the portfolio against consistent criteria and adjust the portfolio based on evidence.

All tools are evaluated against:

  • Developer productivity impact
  • Code quality and security outcomes
  • Integration with platform tooling and CI/CD pipelines
  • Cost per unit of value

Tools that do not demonstrate sustained value will be scaled back or removed from the portfolio. New tools that demonstrate clear benefit will be added through the onboarding process.


Success Metrics

OCTO will track the following metrics to assess whether the strategy is achieving its objectives. Baselines will be established through an initial audit in Q3 2026.

Metric                                                               Baseline (June 2026)   Target (March 2027)
% of AI coding tool usage covered by approved portfolio              Unknown                100%
% of approved tools with confirmed security baseline configuration   0%                     100%
Engineer satisfaction with AI coding tooling (annual survey)         Not measured           ≥75% satisfied
Teams reporting measurable productivity improvement                  Not measured           ≥50% of teams using tools
Number of confirmed data exposure incidents                          Unknown                0

Risks and Mitigations

Each risk is listed with its likelihood, impact, and mitigation:

  • Teams continue using unapproved tools outside the portfolio (Likelihood: High; Impact: High). Mitigation: communicate the approved list clearly; keep onboarding friction low; reinforce via policy
  • Approved tools expose MOJ code or data through training or logging (Likelihood: Medium; Impact: High). Mitigation: mandatory security baseline; periodic compliance checks; incident response process
  • Over-dependence on a single vendor, e.g. GitHub Copilot (Likelihood: Medium; Impact: Medium). Mitigation: active portfolio management; ensure multiple approved options; avoid exclusive commercial terms
  • AI-generated code introduces security vulnerabilities (Likelihood: High; Impact: High). Mitigation: standard prompt baseline; mandatory review before merge; security scanning in CI/CD pipelines
  • Portfolio becomes outdated as the market moves (Likelihood: High; Impact: Medium). Mitigation: regular review cadence; OCTO monitors the market; fast-track process for new tools
  • Low adoption reduces value from investment (Likelihood: Medium; Impact: Medium). Mitigation: team autonomy; remove friction; track usage and satisfaction; share success stories

Roadmap

Phase 1: Foundations (June – September 2026)

  • Publish approved portfolio and security baseline
  • Complete audit of current AI tool usage across MOJ
  • Establish identity, access, and licensing management
  • Publish standard prompt baseline in MOJ AI Coding Standards
  • Establish baselines for all success metrics

Phase 2: Embed and assure (October 2026 – March 2027)

  • Onboard teams to approved portfolio with low-friction process
  • Run first portfolio review against evidence of value
  • Operate usage telemetry and compliance checks
  • Deliver first engineer satisfaction survey
  • Review and update approved portfolio based on market changes

Phase 3: Mature and optimise (April 2027 onwards)

  • Scale tools that demonstrate clear value; remove those that don't
  • Refine commercial agreements based on usage data
  • Publish case studies of AI coding impact across MOJ
  • Review strategy against target state; update as needed

Last reviewed: 12 June 2026
Review status: Up to date