Yes, so Github has to take on the assumption that they are visiting relatives, not resident in Iran.
Or you get the alternate headline "Github facilitates Iran sanction evasion by allowing Iranian developers to mark themselves as 'visiting a relative'" and the associated charges.
There's nothing in the law that says that Github must block an entire company from accessing their company org because one member of that company logged into a separate account that happened to be a member of the company org. At most, the account that was accessed should be suspended.
