The admin surface lives in Settings, under the hosted runner controls. The changelog ties this to the existing runner-groups documentation rather than introducing a parallel concept.
The catalogue becomes the policy
A standard-label allowlist is the kind of switch platform teams have been simulating with policy bots and merge-time YAML scans. None of those handle the failure mode that actually matters: a developer writes runs-on: ubuntu-latest and bypasses whatever hardened image the platform team has been investing in. Once the label is off at the org, the path of least resistance changes. Workflows have to name a runner that exists in the org's catalogue, which makes the catalogue itself the policy.
Rollback is shallow. The checkbox flips back, and ubuntu-latest resolves again. The toil cost lands earlier, in the catalogue. Every job that previously implied a default now has to declare a runner the platform team is willing to vouch for, and somebody has to keep that list alive.
Caveats in the release text
Two caveats sit in the post itself. The macOS controls are gated to Team and Enterprise plans, so smaller organizations do not see them. Network configurations are not supported for macOS runners at this time, per the changelog, which leaves macOS jobs out of the egress-controlled networking story that other hosted runners can join.
The release does not enumerate which other standard labels the toggle covers, and it does not name a default state for organizations that ignore the setting. The screenshot example names ubuntu-latest. The prose says "such as," and stops there. Treating anything beyond that as undocumented is the safer read until the docs catch up.
What lands on the platform team's plate
The work after this rolls out is the unglamorous part: an audit of every workflow that hard-codes ubuntu-latest, a migration plan to a named runner pool, and a deprecation window before the toggle flips. The lever now exists. The catalogue still has to be built.