With over 100M repos, manually reviewing (even if the flagging for review is automated) is likely just not practical. I suspect that once they are aware (the automated flagging) they are then legally on the hook for as long as it takes to perform the review.
That still comes down to when they are considered "aware". If I emailed GitHub and told them the "microsoft" org was run by people in Iran, would they then be "aware" and need to shut down the "microsoft" org? If you consider automated flagging to be a tip-off that needs to be investigated, then you aren't "aware" until it is investigated.
I don't think 100 million repos matters. What matters is how many automated tip-offs they need to investigate. It would have taken two minutes of investigation to find out this repo wasn't from a sanctioned country. If it takes two minutes to review a case, a team of five people could review over a thousand cases in an eight-hour day. I work for a tech company that has a team of people that reviews uploaded content for copyright violations; it can be done.
Remember that the sanctions are for commercial use, primarily paid accounts. These sanction violations aren't happening at the rate of something like YouTube copyright violations. I wouldn't be surprised if it was less than ten a day.