AI Deployment Manager
Owns post-sale success: rollout strategy, executive alignment, adoption metrics, renewal, and expansion. Partners with your admins and champions to drive organizational change.
Enterprise Deployment Playbook
Three-Phase Onboarding for AI-Native Engineering
A structured rollout plan for enterprise customers adopting Cursor at scale. Build governance first, prove ROI with a focused pilot, then expand into advanced workflows across the organization.
Program Overview
Each phase has clear owners, exit criteria, and Cursor resources aligned to your rollout stage. Your AI Deployment Manager (ADM) orchestrates the program end-to-end; your Solutions Architect joins for hands-on technical configuration, workflow design, and architecture reviews.
Solutions Architect
Embedded technical partner for SSO/SCIM integration, environment configuration, workflow enablement, CI/CD alignment, and architecture reviews as you scale beyond the pilot.
Phase 1 — Foundation
Governance, identity, guardrails, pilot selection, and cost controls.
View phase →Phase 2 — Prove ROI
Measure pilot outcomes against selected use cases and baseline metrics.
View phase →Phase 3 — Expand
Advanced workflows, platform integrations, and org-wide standardization.
View phase →Establish admin team Org admins, team admins, security liaison, finance owner
Automate identity SSO + SCIM for joiner/mover/leaver
Set guardrails Privacy Mode, model access, spend limits
Select pilot 15–50 developers across 2–3 high-value use cases
Governance & Operating Model ADM-led
Define who owns Cursor day-to-day before opening access to developers.
- Identify Organization Admin(s) with authority over org-wide SSO, SCIM, and pooled usage settings
- Assign Team Admin(s) per business unit with dashboard, member, and team-policy access
- Document RACI: Identity (IT), Security (InfoSec), Finance (billing groups), Engineering (champions)
- Review Enterprise documentation and Trust Center with security stakeholders
- If multiple teams: configure Organizations with org-level SSO and Organization Groups (e.g. Engineering, Contractors, Pilot Users)
- Select pilot use cases with engineering leads (see pilot criteria below)
SSO & SCIM Critical Solutions Architect
Automated provisioning is the foundation of enterprise governance. Without SCIM, offboarding depends on manual dashboard actions — a common compliance gap.
Recommended order
SSO first → verify domain → enable SCIM → map IdP groups → configure spend limits per group → deploy MDM policies.
SSO (SAML 2.0)
- Configure SAML SSO in the Cursor dashboard (SSO guide) with Okta, Azure AD, Google Workspace, or OneLogin
- Verify all corporate email domains; configure multi-domain if needed
- Enforce SSO for all team members — disable password-based authentication
- For multi-team deployments: prefer org-level SSO through Organizations for a single login model
SCIM 2.0 Provisioning (Enterprise)
- Complete SSO verification, then start SCIM wizard at Active Directory Management
- In your IdP: create SCIM app, paste Cursor endpoint + token, enable user and push group provisioning
- Assign only intended populations to the SCIM app — new hires gain access automatically; departures are deprovisioned in real time
- Audit existing dashboard members not in IdP groups; remove manually or deprovision via IdP
IdP Group Mapping
Directory groups sync from your IdP to Cursor as read-only. Use them to govern access cohorts and spend.
| IdP Group (example) | Cursor mapping | Purpose |
|---|---|---|
cursor-pilot-engineering |
SCIM app assignment + Directory Group | Phase 2 pilot cohort; elevated spend limit if needed |
cursor-all-engineering |
SCIM app assignment | Broader rollout in Phase 3 |
cursor-contractors |
Directory Group with lower spend cap | Contractor governance via Organization Group |
cursor-platform-admins |
Manual Admin role in dashboard* | Admin access — SCIM does not sync roles today |
*Role mapping from IdP is not supported via SCIM; assign Admin / Unpaid Admin roles in the Cursor dashboard. Users in multiple groups receive the highest applicable spend limit (most permissive wins).
Enterprise marketplace: SCIM can scope distribution and gate plugin access by IdP group. See Enterprise plan comparison.
Security Guardrails Solutions Architect
- Enforce Privacy Mode org-wide (zero data retention with AI providers)
- Configure Model Access Restrictions — allow Composer 2.5 by default; restrict premium frontier models until governance is mature
- Set Agent Sandbox Mode, auto-run, browser, and network controls per security policy
- Establish Repository Blocklist for sensitive repos
- Deploy Team Rules and optional Hooks for audit logging (MDM or server-side distribution on Enterprise)
- Configure allowed extensions via admin portal or MDM
AllowedExtensionspolicy - Set Allowed Team IDs via MDM to prevent personal-account usage on corporate devices
- Disable BYOK if required; restrict Cloud Agents and CLI access to approved users
- Enable Audit Logs and SIEM streaming for authentication and admin actions
- Review network requirements: proxy, IP allowlisting, PrivateLink / Cloudflare Tunnel if needed
Plan Enablement & Cost Controls ADM-led
Align stakeholders on how Enterprise billing works before the pilot consumes usage.
Understand your Enterprise entitlements
- Pooled usage — shared committed budget across the contract period, not fixed per-user caps
- Billing Groups — departmental chargebacks and spend reporting
- Directory Group spend limits — per-user caps by IdP cohort (highest limit wins across groups)
- Dynamic Spend Limits — team-wide limits that scale with headcount
- Spend Alerts — email notifications at configurable thresholds (non-blocking)
- Review committed pooled usage pool with finance; set contract-level expectations
- Configure team default per-user spend cap (strict baseline); relax via Directory Groups for pilot cohort
- Set spend alerts at 50%, 75%, and 90% of monthly run-rate
- Create Billing Groups aligned to cost centers for pilot teams
- Assign finance owner to review Analytics Dashboard weekly during pilot
Model selection & cost education
On Enterprise, model usage is charged at API rates. Educate admins and pilot champions on model tradeoffs before developers self-select expensive defaults.
| Model tier | Best for | Cost profile |
|---|---|---|
| Composer 2.5 Standard | Long-horizon agentic tasks, multi-file edits, terminal ops — default for cost-conscious scale | $0.50/M input · $2.50/M output — optimized cost per token |
| Composer 2.5 Fast (default in product) | Interactive sessions needing low latency at frontier-class speed | $3/M input · $15/M output — lower than comparable fast tiers of other frontier models |
| Third-party frontier models | Specialized reasoning where Composer is insufficient | Significantly higher per-task cost — use Model Access Restrictions to gate |
Why standardize on Composer 2.5
Cursor's agentic model is tuned for tool use, file edits, and sustained coding tasks inside the editor. For org-wide rollout, Composer 2.5 Standard delivers strong long-horizon performance at a fraction of frontier model cost — making pooled usage predictable as you scale from dozens to thousands of developers. Recommend Composer 2.5 Standard as the default for batch and agent workflows; reserve Fast for latency-sensitive interactive work and premium models for exceptions.
Pilot Group Selection ADM-led
Select a cohort that can prove value quickly and provide structured feedback.
Selection criteria
- 2–3 squads (15–50 developers) with executive sponsor
- Mix of senior ICs and tech leads who can model best practices
- Repos representative of broader org (language, monorepo, legacy)
- Measurable baseline: cycle time, PR throughput, incident rate
- Internal champions willing to co-facilitate enablement
Recommended initial use cases
- Feature development in familiar codebases
- Test generation and refactoring
- Code review assistance and PR descriptions
- Onboarding to unfamiliar services
- Documentation and runbook updates
- Create IdP group
cursor-pilot-*and assign pilot members via SCIM - Map pilot group to Cursor Directory Group with appropriate spend limit
- Identify 2–3 champions; schedule Phase 1 admin + champion enablement session with ADM
- Solutions Architect runs hands-on environment setup workshop with platform team
- Define success metrics and baseline measurements (carried into Phase 2)
Phase 1 Timeline
Week 1
Kickoff with ADM · Admin team identified · Security review · SSO configuration begins
Week 2
SSO enforced · SCIM live · IdP groups mapped · Guardrails configured · Solutions Architect integration session
Week 3
Cost controls + billing groups · Model education · Pilot cohort provisioned · Champion training
Week 4
Pilot go-live · Exit review: identity automated, guardrails active, baselines captured
Phase 1 exit criteria
SSO enforced, SCIM provisioning verified with test joiner/leaver, Directory Groups mapped, spend limits and alerts configured, Privacy Mode and model restrictions enforced, pilot cohort active with documented baselines — ready to measure ROI in Phase 2.
Execute use cases Structured workflows, not ad-hoc experimentation
Measure outcomes Quantitative + qualitative ROI evidence
Iterate playbooks Document what works per team and stack
Executive readout Business case for Phase 3 expansion
Pilot Operating Rhythm ADM-led
- Weekly pilot standup: ADM + champions + team leads (30 min)
- Bi-weekly office hours with Solutions Architect for workflow blockers
- Shared feedback channel (Slack/Teams) for tips, friction, and wins
- Mid-pilot survey at week 7: productivity, quality, model satisfaction
- Track spend vs. budget weekly via Billing Groups and spend alerts
Use Case Execution Solutions Architect
Work from the use cases selected in Phase 1. Each should have a defined workflow, owner, and metric.
| Use case | Cursor capabilities | ROI signal |
|---|---|---|
| Feature delivery | Agent mode, Composer 2.5, project rules, @-mentions | Cycle time, story points delivered, time-to-PR |
| Test & refactor | Agent + terminal, multi-file edits | Test coverage delta, defect escape rate |
| Code review | Inline edit, Bugbot (if enabled), PR integration | Review turnaround, rework rate |
| Onboarding / exploration | Codebase chat, docs generation | Time-to-first-PR for new hires |
| Incident response | Agent with repo context, runbook rules | MTTR, mean time to root cause |
- Solutions Architect facilitates workflow design sessions per use case (not generic demos)
- Publish team-level Rules and shared
.cursorconventions in pilot repos - Standardize on Composer 2.5 Standard for agent workflows; track cost per use case
- Capture before/after anecdotes with timestamps for executive narrative
Measurement & Analytics
Leverage Enterprise-only instrumentation to connect usage to engineering outcomes.
Analytics Dashboard
Team usage metrics, active users, model distribution, spend trends.
Conversation Insights
Understand work types — feature work vs. debugging vs. exploration (Enterprise).
AI Code Tracking API
Per-commit AI usage metrics for correlation with velocity and quality.
Cursor Blame
AI vs. human attribution in git blame for compliance and quality review.
- Establish baseline vs. pilot comparison window (minimum 4 weeks post go-live)
- Define 3–5 KPIs with finance and engineering leadership sign-off
- Export Analytics API / AI Code Tracking data into your BI tool if applicable
- Calculate cost per developer and cost per use case; compare Composer 2.5 vs. frontier model spend
- Document qualitative wins: engineer quotes, incident saves, accelerated migrations
ROI Framework
ROI = (Engineering time saved × loaded cost) + quality gains − Cursor investment
Pair hard metrics (cycle time, PR throughput) with cost efficiency from Composer 2.5. ADM prepares executive summary; Solutions Architect validates technical claims.
- Quantify hours saved per use case (survey + workflow sampling)
- Map usage spend to Billing Groups for departmental ROI
- Identify top 3 repeatable workflows to scale in Phase 3
- Executive readout with ADM: recommendation to expand, adjust guardrails, or refine pilot
Phase 2 exit criteria
Documented ROI against agreed KPIs, validated playbooks for each pilot use case, champion network established, expansion cohort and budget approved by leadership.
Scale rollout IdP-driven expansion beyond pilot groups
Advanced workflows Cloud Agents, MCP, CI/CD, Bugbot
Platform standards Org-wide rules, marketplaces, service accounts
Continuous governance Ongoing optimization of cost and controls
Org-Wide Rollout ADM-led
- Expand SCIM app assignment to
cursor-all-engineering(or phased BU groups) - Use Organization Groups for cross-team cohorts (contractors, regions, platform)
- Roll out playbooks from Phase 2 via champion-led enablement sessions
- Tiered enablement: self-serve basics → squad workshops → SA-led advanced tracks
- Quarterly business reviews with ADM: adoption, spend, expansion opportunities
Advanced Use Cases Solutions Architect
Cloud Agents & Slack
Async agent workflows in Slack; restrict creation to approved groups via Enterprise controls.
MCP Integrations
Trusted MCP servers for internal APIs, ticketing (Linear), and custom tooling with admin governance.
Bugbot
Automated bug detection and fixing in GitHub PRs — integrate into review workflow.
Cursor CLI
Agent access in CI/CD and headless pipelines; restrict to platform-approved users.
Service Accounts
Non-human accounts for automated workflows and integrations.
Hooks & Compliance
Custom security workflows, server-side hook distribution, SIEM correlation with audit logs.
- Solutions Architect leads architecture review for Cloud Agents + internal system access
- Establish approved MCP server catalog with security review process
- Pilot Bugbot on high-churn repos; measure defect detection rate
- Evaluate Cursor CLI for platform engineering workflows (scaffolding, migrations)
- Configure team marketplaces (admin-only edits on Enterprise) for approved plugins
Long-Term Governance
- Review model access policy quarterly — expand frontier models only where ROI justifies cost
- Optimize Composer 2.5 Standard as default; monitor Fast vs. Standard usage mix
- Reconcile pooled usage burn rate against contract; adjust Dynamic Spend Limits
- Annual security reassessment: Privacy Mode, hooks, audit logs, extension policies
- Maintain joiner/mover/leaver automation via SCIM — audit quarterly
Maturity Model
| Maturity | Characteristics | Cursor support |
|---|---|---|
| Foundational | SSO/SCIM, Privacy Mode, pilot complete | ADM + documentation |
| Operational | Org-wide rollout, billing groups, playbooks | ADM + champion network |
| Advanced | Cloud Agents, MCP, CI/CD integration, Bugbot | Solutions Architect embedded |
| Optimized | AI-native SDLC, measurable ROI at scale, continuous improvement | ADM QBRs + SA architecture partnership |
Phase 3 exit criteria
Majority of target engineering population provisioned via SCIM, advanced workflows operational with governance, repeatable playbooks published internally, and ongoing ADM-led success rhythm established.
Resources & Documentation
Official Cursor references for your admin and platform teams.