GitHub has publicly acknowledged that roughly 1% of the time, a Copilot suggestion longer than about 150 characters matches code from its training set closely enough to be flagged — a figure GitHub itself disclosed and that has since been cited repeatedly in litigation filings and press coverage. That admission sits at the center of Doe v. GitHub, Inc., a class action filed in November 2022 against GitHub, Microsoft, and OpenAI alleging Copilot reproduces GPL-licensed code without attribution or license compliance. The district court dismissed most of the core copyright and DMCA §1202(b) claims in January 2024, but the breach-of-contract and open-source license-violation claims survived, and by early 2026 the case was before the Ninth Circuit on interlocutory appeal, with oral arguments heard in February 2026 over whether DMCA §1202(b) can reach AI outputs that aren't exact copies. No settlement exists — the litigation is ongoing. Whatever the appellate panel decides, the underlying mechanism isn't going away: large language models trained on public repositories can memorize and regurgitate rare, distinctive snippets verbatim, and every AI coding assistant built on that pattern inherits the same exposure. This piece looks at where that risk actually lives in your codebase, how one vendor has already tried to engineer around it, and what a mitigation program looks like in practice.
Why do AI coding assistants reproduce licensed code at all?
AI coding assistants reproduce licensed code because the underlying models are trained to predict the statistically likely next token, and for rare or highly distinctive code — a niche algorithm implementation, an unusual utility function, a snippet that appears in only a handful of repositories — the "likely" completion can be closer to memorization than generalization. Research on LLM memorization broadly shows that duplication and rarity in training data are the strongest predictors of verbatim regurgitation: the more unique a snippet is, the more likely a large enough model reproduces it near-exactly rather than paraphrasing it. GitHub's own 1%-of-long-suggestions figure is the clearest vendor-side acknowledgment that this isn't hypothetical. Common code — a standard for-loop, a typical error handler — gets generalized away because it's seen millions of times with minor variation. Distinctive code, ironically the code most likely to carry a specific license header in its original repository, is exactly the kind a model is statistically most likely to output close to verbatim.
What is Doe v. GitHub actually alleging, and where does it stand?
Doe v. GitHub alleges that Copilot was trained on and reproduces GPL-licensed and other open-source code while stripping the attribution, license notices, and copyleft terms the original licenses require — turning licensed code into apparently unencumbered suggestions. The plaintiffs' core copyright infringement claims and the DMCA §1202(b) claims (which cover removal of copyright management information) were dismissed by the district court in a January 2024 order, but Judge Tigar allowed the breach-of-contract and open-source license-violation claims to proceed, and later certified the DMCA question for interlocutory appeal. By 2026 the case was in front of the Ninth Circuit, with the appellate question narrowly focused on whether §1202(b) requires the output to be identical to trigger liability. There is no verdict, no settlement, and no damages figure to cite — only a live legal question about whether "the suggestion looks like my code but isn't byte-identical" is enough to establish a violation. That ambiguity is itself the risk: engineering teams can't wait for case law to resolve before deciding whether to trust unreviewed AI suggestions in shipped products.
How has at least one vendor tried to engineer around this?
Amazon built a direct technical mitigation into CodeWhisperer (now folded into Amazon Q Developer): a reference tracker that flags suggestions resembling training-data snippets and annotates them with the source repository URL, file path, and license before a developer accepts them. AWS's own documentation describes the feature logging accepted matches for later review and letting organizations configure policies that automatically filter out suggestions matching specific licenses — copyleft licenses like GPL or AGPL being the obvious candidates to block outright. This is notable because it's a vendor conceding, in shipped product design rather than a legal brief, that unattributed reproduction of training-set code is a real enough risk to warrant runtime detection. It also demonstrates the shape of a workable mitigation: the problem isn't solved by banning AI assistants, it's solved by treating every suggestion as an unreviewed third-party contribution until its provenance is checked — the same discipline already applied to a pip install or a Maven dependency.
Is license leakage the only risk, or is there a security angle too?
License leakage isn't the only risk — the same memorization mechanism that reproduces a GPL function can just as easily reproduce a hardcoded credential, an insecure cryptographic pattern, or a vulnerable code idiom that was common in the training corpus at the time it was scraped. If a model was trained on public repositories that included example code with hardcoded API keys or outdated crypto calls (both far from rare on public GitHub), a suggestion trained on that pattern can hand a developer the same anti-pattern with no license header to signal "this came from somewhere else." The license problem and the security problem share a root cause and, usefully, share a remediation path: both require tooling that treats AI-suggested code as an unverified external input needing scanning before it lands in a commit, not as first-party code the author wrote from scratch.
What does a practical mitigation program look like?
A practical mitigation program treats every AI-suggested block of code the way a mature org already treats a new open-source dependency: identify what it is, classify its risk, and gate it before merge — not after. That means running license detection and SPDX classification across the codebase continuously (not just at dependency-add time, since AI suggestions don't show up in a package.json diff the way a new import does), enforcing an allow/deny/require-review policy so a suggestion carrying strong-copyleft characteristics gets flagged the same way a new GPL-3.0 dependency would, and generating attribution artifacts automatically rather than relying on developers to remember which snippet came from where. Safeguard's license compliance capability applies exactly this model: it detects licenses from package metadata, SPDX identifiers, and full-text matching, classifies them by obligation tier from permissive through network-copyleft, and enforces policy-as-code gates at PR and CI time so a denied license — AI-suggested or hand-typed — blocks the merge rather than surfacing months later in a due-diligence review. Pairing that gate with basic secrets and pattern scanning on AI-touched diffs closes both halves of the problem the memorization mechanism creates.
How Safeguard Helps
Safeguard doesn't try to detect which lines of a commit came from an AI assistant — that's the wrong layer to solve this at, and no reliable signal exists for it. Instead, Safeguard applies the same license detection, SPDX classification, and policy enforcement to every line of code and every dependency regardless of who or what wrote it, so a copyleft snippet an AI assistant suggested is caught by the identical license-discrepancy and policy-gate logic that catches a mislabeled dependency. CI-time and PR-time enforcement blocks a denied license before merge, NOTICE and SPDX attribution generation removes the manual burden of tracking down where a snippet originated, and the same pipeline that runs secrets scanning and CWE-mapped SAST checks covers AI-touched code paths without requiring a separate "AI code review" workflow. The goal is a codebase where provenance is verified continuously, so the outcome of a Ninth Circuit appeal changes nothing about whether your product is already compliant.