One tool has 50 admin-controlled security settings deployable via MDM. Two tools have literally no documented MCP governance at all. One tool can’t even let admins disable telemetry.

I spent two weeks digging through every piece of public documentation across six agentic coding tools — not marketing pages, not whitepapers, but actual config files, API docs, privacy policies, and security certifications. What I found was a landscape where the distance between best-in-class and “we’ll figure it out later” is measured in light-years, not inches.

Here’s the full comparison, with exact setting names, specific gaps, and a clear answer to the question nobody’s asking: which tool would your security team actually approve?

The six contenders

GitHub Copilot — Microsoft’s flagship, 50+ million developers, the enterprise default.

Cursor — The developer darling, SOC 2 Type II certified, strong admin controls at Enterprise tier.

Claude Code — Anthropic’s terminal-native agent. The only tool with a real permission system.

Windsurf (Codeium) — The only tool offering true self-hosted deployment with GPU on your infrastructure.

Amazon Q Developer — AWS-native, IAM-deep, VPC-endpoint-ready. But with a telemetry problem.

Aider — Open source. Local. Zero telemetry by design. Zero enterprise management by design too.

Data retention: who keeps your code

This is the table that should make procurement teams pause.

GitHub Copilot’s Business and Enterprise plans don’t retain IDE prompts or suggestions. Great. But GitHub.com chat, mobile, and CLI retain them for 28 days — and individual plan users have their data used for training by default. Your developers might be on Pro plans sending code to a training pipeline right now and nobody in IT would know.

Cursor says it keeps data “as long as necessary.” That’s the entire retention policy. No specific duration. No deletion schedule. If your compliance team asks for a data retention SLA, Cursor can’t give you one.

Claude Code keeps consumer data for five years if you opt into training, 30 days if you opt out. Enterprise gets zero data retention. But the default for Claude API users has telemetry ON — Statsig analytics and Sentry error reporting enabled unless you set five separate environment variables to disable them.

Windsurf defaults to zero data retention for Teams and Enterprise. This is the gold standard — no opt-out required, it’s the default. The catch: one subprocessor, Bing API, has no zero-data-retention agreement. Your code snippets flow to Microsoft’s search API with no data handling guarantee.

Amazon Q stores Pro tier data in the region where your Q profile was created — for supported features. Some features always store in US East. The exact list of which features go where isn’t documented.

Aider has no server to retain anything. It’s a CLI tool that sends prompts directly to your chosen LLM API. The data lives and dies on your machine and the provider’s servers. That’s either perfect or terrifying depending on your threat model.

Admin controls: the gap between Claude Code and everyone else

I counted 50-plus managed settings in Claude Code that only admins can set. Here are the ones that matter:

allowManagedMcpServersOnly — blocks shadow MCP servers. No developer can add their own.

disableBypassPermissionsMode — prevents developers from turning off all permission checks.

allowedTools / deniedTools — whitelist or blocklist any tool by name. Bash(npm run *) allowed. Bash(rm *) denied.

disableAutoMode — prevents unsupervised agent execution.

These settings deploy via macOS MDM profiles, Windows Registry keys, or Linux config files at /etc/claude-code/managed-settings.json. Nobody else comes close.
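To make the allow/deny rules concrete, here is an added example (not Claude Code's own code, and not from the author of this comparison) that loads a constructed managed-settings.json using the setting names above and evaluates tool invocations against it. The file layout, the matching semantics (an explicit deny always beats an allow, and `*` matches the rest of the command) and the "ask" fallback are assumptions made for illustration; confirm the vendor's exact evaluation order before relying on them.

```python
"""Simulate admin-shipped allowedTools / deniedTools rules.

Added example, not Claude Code's own code. Rule syntax follows the page:
'Bash(npm run *)' is a tool name plus an optional pattern in parentheses;
a bare tool name such as 'Read' covers every invocation of that tool.
"""
import fnmatch
import json
import re
from typing import Optional, Tuple

# Constructed sample of /etc/claude-code/managed-settings.json. Values are
# illustrative; the boolean flags are the ones discussed above.
MANAGED_SETTINGS_JSON = """
{
  "allowManagedMcpServersOnly": true,
  "disableBypassPermissionsMode": true,
  "disableAutoMode": true,
  "allowedTools": ["Bash(npm run *)", "Bash(git status)", "Read"],
  "deniedTools":  ["Bash(rm *)", "Bash(curl *)", "Bash(npm run publish)"]
}
"""

# Flags an auditor would expect to be enforced on every managed workstation.
REQUIRED_FLAGS = ("allowManagedMcpServersOnly",
                  "disableBypassPermissionsMode",
                  "disableAutoMode")

_RULE = re.compile(r"^(?P<tool>[A-Za-z]+)(?:\((?P<pattern>.*)\))?$")


def parse_rule(rule: str) -> Tuple[str, Optional[str]]:
    """Split 'Bash(npm run *)' into ('Bash', 'npm run *'); 'Read' -> ('Read', None)."""
    m = _RULE.match(rule.strip())
    if not m:
        raise ValueError(f"unrecognised rule syntax: {rule!r}")
    return m.group("tool"), m.group("pattern")


def rule_matches(rule: str, tool: str, argument: str) -> bool:
    """True when a rule covers one concrete invocation (assumed glob semantics)."""
    rule_tool, pattern = parse_rule(rule)
    if rule_tool != tool:
        return False
    if pattern is None:            # bare tool name: every invocation of that tool
        return True
    return fnmatch.fnmatchcase(argument, pattern)


def decide(settings: dict, tool: str, argument: str = "") -> str:
    """Return 'deny', 'allow' or 'ask' for one invocation.

    Assumed order: explicit deny wins, then explicit allow, otherwise the
    agent has to prompt the developer ('ask').
    """
    if any(rule_matches(r, tool, argument) for r in settings.get("deniedTools", [])):
        return "deny"
    if any(rule_matches(r, tool, argument) for r in settings.get("allowedTools", [])):
        return "allow"
    return "ask"


def missing_guardrails(settings: dict) -> list:
    """Names of REQUIRED_FLAGS that are absent or not literally true."""
    return [f for f in REQUIRED_FLAGS if settings.get(f) is not True]


def load_settings(text: str = MANAGED_SETTINGS_JSON) -> dict:
    return json.loads(text)


if __name__ == "__main__":
    s = load_settings()
    print("missing guardrails:", missing_guardrails(s))
    for tool, arg in [("Bash", "npm run test"), ("Bash", "npm run publish"),
                      ("Bash", "rm -rf build"), ("Bash", "make"), ("Read", "src/app.py")]:
        print(f"{tool}({arg}) -> {decide(s, tool, arg)}")
```

The `npm run publish` case shows why deny precedence matters: it is covered by the `Bash(npm run *)` allow rule, yet the narrower deny entry still blocks it. `missing_guardrails` is the check to run against the file actually deployed by MDM, since a profile that forgot `disableBypassPermissionsMode` silently lets developers turn the whole system off.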

Cursor has the next best story: repo whitelist/blocklist, model whitelist/blocklist, MCP server whitelist/blocklist. But these are Enterprise tier only. No MDM deployment. No per-tool permission rules.

GitHub Copilot has admin controls listed in its documentation — policy management, public code filters, content exclusion — but the actual docs.github.com pages that describe these settings return 404s. The documentation is literally inaccessible. I tried multiple URLs across different days. All dead links.

Amazon Q has the deepest infrastructure-level controls — IAM policies, SCPs, VPC endpoints — but the worst admin control over the application itself. Telemetry opt-out is per-user only. Admins cannot enforce it org-wide. There’s no .qignore equivalent for content exclusion.

Windsurf and Aider have essentially no centralized admin controls. Aider because it’s a local tool. Windsurf because its admin story is built around self-hosted deployment rather than policy enforcement.

MCP governance: 2 tools have it, 4 don’t

MCP is the protocol that lets AI agents call databases, CI/CD pipelines, and cloud APIs. Every tool supports it differently — or doesn’t support it at all — but only two tools let you govern it.

Claude Code offers managed MCP (managed-mcp.json), server allow/deny lists, and the nuclear option: allowManagedMcpServersOnly = true. When that’s set, only admin-defined servers exist. You can restrict by server name, by command path, or by URL.

Cursor provides MCP server whitelist/blocklist at Enterprise tier. Server name, URL, or command — all blockable. It’s not as granular as Claude Code’s system but it exists.

GitHub Copilot supports MCP but has zero documented governance. No admin controls for which servers connect. No allow/deny lists. Nothing. Developers can add any MCP server they find on npm and start piping internal data through it.

Windsurf’s MCP governance is undocumented. The feature may exist at some tier but I couldn’t find a single page, setting name, or policy reference.

Amazon Q doesn’t support MCP currently. That might change. For now it’s not applicable.

Aider has no MCP support. It’s a local tool that talks to LLM APIs directly.
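The practical use of allowManagedMcpServersOnly is catching servers that were not sanctioned centrally. The following added example (my own illustration, not code from Claude Code, Cursor or any vendor) compares an admin's managed-mcp.json against a server list found in a developer's checkout and reports anything that does not match on all three attributes the text says can be pinned: server name, command path and URL. Both files are constructed, the `{"mcpServers": {name: {...}}}` layout is assumed, and the behaviour with the flag off (managed entries only add servers) is also an assumption.

```python
"""Report MCP servers that an admin-managed list does not sanction.

Added example, not vendor code. A server passes only when its name,
command and URL all equal a managed entry; a same-name entry that points
somewhere else is reported separately, because that is the case a plain
name allow list would miss.
"""
import json

# Constructed: what the admin ships in managed-mcp.json.
MANAGED_MCP_JSON = """
{
  "mcpServers": {
    "internal-docs": {"url": "https://mcp.corp.example/docs"},
    "ci-status":     {"command": "/opt/corp/bin/ci-mcp", "args": ["--read-only"]}
  }
}
"""

# Constructed: what turned up in a project checkout. 'internal-docs' reuses a
# managed name but points at another host; 'handy-db' is an npm package nobody
# reviewed. Only 'ci-status' matches the managed entry exactly.
PROJECT_MCP_JSON = """
{
  "mcpServers": {
    "internal-docs": {"url": "https://mcp.elsewhere.invalid/docs"},
    "ci-status":     {"command": "/opt/corp/bin/ci-mcp", "args": ["--read-only"]},
    "handy-db":      {"command": "npx", "args": ["-y", "some-mcp-db-server"]}
  }
}
"""


def identity(name, spec):
    """The three attributes a policy can pin: name, command path, URL."""
    return (name, spec.get("command", ""), spec.get("url", ""))


def find_shadow_servers(managed, project, managed_only):
    """Return the project servers that the managed policy does not sanction."""
    if not managed_only:            # assumed: without the flag, managed entries only add
        return []
    managed_ids = {identity(n, s) for n, s in managed.get("mcpServers", {}).items()}
    managed_names = {n for n, _, _ in managed_ids}
    findings = []
    for name, spec in project.get("mcpServers", {}).items():
        if identity(name, spec) in managed_ids:
            continue
        if name in managed_names:
            reason = "name reuses a managed server but command/url differ"
        else:
            reason = "not in managed list"
        findings.append({"name": name, "reason": reason,
                         "command": spec.get("command", ""),
                         "url": spec.get("url", "")})
    return findings


def audit(managed_text, project_text, managed_only=True):
    """Parse both files and return the findings list (empty means clean)."""
    return find_shadow_servers(json.loads(managed_text), json.loads(project_text), managed_only)


if __name__ == "__main__":
    for f in audit(MANAGED_MCP_JSON, PROJECT_MCP_JSON):
        print(f"{f['name']}: {f['reason']} (command={f['command']!r}, url={f['url']!r})")
```

Run it in CI over every repository that carries an MCP configuration and you get, per project, the list of servers that would be refused under the managed-only setting, which is the same list a reviewer should see before the flag is switched on and developers start filing tickets.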

Deployment: the self-hosted gap

Windsurf is the only commercial tool in this comparison that offers true self-hosted deployment. Docker Compose or Helm chart. GPU on your infrastructure. Private LLM endpoints via Bedrock or Vertex. No traffic ever leaves your firewall.

This matters for defense contractors. Financial services. Healthcare. Anyone with data sovereignty requirements that can’t be met by “we promise our SOC 2 report says we’re fine.”

Amazon Q offers VPC endpoints via AWS PrivateLink. Traffic stays within the AWS network. Regional data storage for some features. But it’s still AWS’s cloud — you can’t run it on-prem.

Claude Code and Cursor are cloud-only. Claude Code can route through Bedrock or Vertex for network-level isolation, but the models still run in someone else’s data center. Aider with a local LLM via Ollama is the only way to go fully air-gapped today.

Certifications: who has what

SOC 2 Type II is table stakes. Cursor has it. Windsurf has it. Claude Code inherits it from Anthropic. Amazon Q inherits it from AWS. GitHub Copilot inherits it from Microsoft.

FedRAMP High is where things get interesting. Windsurf has it — authorized via Palantir FedStart on AWS GovCloud. Amazon Q has it via AWS GovCloud. Nobody else is FedRAMP High authorized.

HIPAA compliance follows a similar split. Windsurf explicitly claims it. Amazon Q inherits it from AWS. Everyone else is vague or silent.

If you’re in a regulated industry, the list of tools with both FedRAMP and HIPAA starts and ends with Windsurf and Amazon Q.

The telemetry problem that nobody fixes

Amazon Q has the worst telemetry story of any tool I researched. Opt-out is per-user. There’s no admin setting to enforce it org-wide. If a developer doesn’t toggle the checkbox in their IDE preferences, their code interactions flow to AWS analytics. You cannot stop this centrally.

GitHub Copilot has a subtler version of the same problem. Business and Enterprise plans don’t use data for training. But individual plan users can connect to your org’s repos. Their data is used for training by default unless they opt out at github.com/settings/copilot/features. If a developer on a Free or Pro plan connects to your organization’s repositories through Copilot, that code could end up in a training pipeline.

Claude Code enables telemetry by default for Claude API users. Five separate environment variables control different parts of the telemetry pipeline. One variable, CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC, disables all of them — but it’s not documented prominently and it’s not set by default.
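Because the opt-out is an environment variable rather than a managed setting, the useful control on the defender's side is a pre-flight check run before the tool starts. The example below is added here and is not Anthropic's code: it inspects a process environment for CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC, the one variable this comparison names, and treats a variable that is present but set to "0" as the misconfiguration it is. The other four variables are not named on this page, so the function takes them as an optional list the reader fills in from the vendor documentation; the truthy values accepted are my assumption.

```python
"""Pre-flight check for the Claude Code telemetry opt-out.

Added example, not vendor code. Works on any mapping so it can be tested
without touching the real environment; pass os.environ at launch time.
"""
import os
import sys

MASTER_SWITCH = "CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC"  # named on the page
_TRUTHY = {"1", "true", "yes", "on"}                          # assumed accepted values


def _is_on(value):
    return value is not None and value.strip().lower() in _TRUTHY


def telemetry_findings(env, individual_switches=()):
    """Return a list of problems; an empty list means nonessential traffic is off.

    The master switch alone is sufficient. Failing that, every individual
    switch supplied by the caller (placeholders here; take the real names from
    the vendor docs) must be on.
    """
    if _is_on(env.get(MASTER_SWITCH)):
        return []
    missing = [name for name in individual_switches if not _is_on(env.get(name))]
    if individual_switches and not missing:
        return []                      # all five set individually; master is redundant
    if MASTER_SWITCH in env:
        findings = [f"{MASTER_SWITCH} is set to {env[MASTER_SWITCH]!r}, which does not disable traffic"]
    else:
        findings = [f"{MASTER_SWITCH} is not set (the default)"]
    findings.extend(f"{name} is not set or not enabled" for name in missing)
    return findings


if __name__ == "__main__":
    problems = telemetry_findings(os.environ)
    for p in problems:
        print("telemetry:", p, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Wired into the shell profile or launcher that an MDM ships, a non-zero exit here turns a per-developer toggle into something an admin can at least verify, which is the gap the section above describes for every tool except the one with managed settings.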

Who to pick

If you need maximum admin control and your developers work in terminals: Claude Code. The managed settings system, per-tool permission rules, and MCP governance are a generation ahead of everyone else. The gap isn’t close.

If you need data sovereignty and self-hosted deployment: Windsurf. It’s the only commercial option that runs on your GPU, behind your firewall, with your private LLM endpoints. You trade admin control granularity for deployment flexibility.

If you’re all-in on AWS and can accept the telemetry gap: Amazon Q Developer. The IAM integration, VPC endpoints, and SCPs give you infrastructure-level control that no other tool matches. Just budget time to manually check every developer’s telemetry settings.

If IP indemnity is non-negotiable: GitHub Copilot. Microsoft’s Copyright Commitment is the only indemnification offer in this space. But plan on filling the documentation gaps yourself — the admin policy pages are literally 404.

If you want zero telemetry and accept zero management: Aider. Open source, auditable, local. But your security team will have no visibility into what your developers are doing with it.

The uncomfortable truth is that no single tool checks every box. Claude Code has the best security architecture but no SSO. Windsurf has the best deployment flexibility but minimal admin controls. Amazon Q has the best cloud integration but can’t enforce telemetry centrally.

Pick your poison. But pick it consciously — because your developers are already using at least two of these tools, and your security team probably doesn’t know about either of them.