1. Create an AI Development Governance Council

AI governance should not be owned by a single department. Security cannot govern software development effectively without engineering. Engineering cannot make legal decisions alone. Procurement cannot evaluate technical risks without architecture and security input.

A cross-functional council should include representatives from:

Software engineering. Application security. Information security. Enterprise architecture. Privacy. Legal. Compliance. Procurement. Data governance. Product management. Human resources. Internal audit.

Risk management. Developer experience. AI or machine-learning leadership.

The council should define:

Approved AI use cases. Prohibited use cases. Tool-assessment requirements. Data-handling rules. Repository access standards. Human-review requirements. Exception processes. Incident escalation procedures. Metrics and reporting. Vendor reassessment cycles. The purpose is not to create a slow approval committee for every experiment. The purpose is to establish clear decision rights so developers do not receive contradictory instructions from different departments.

2. Build an Inventory of AI Tools and Capabilities

You cannot govern what you have not identified.

The inventory should include more than officially purchased products. It should cover:

AI coding assistants. General-purpose chatbots. IDE extensions. Browser extensions. Command-line tools. Source-control integrations. Cloud-provider AI services. AI-powered code-review products. Testing assistants. Documentation generators. Security copilots. Autonomous coding agents.

Model Context Protocol servers. Internal AI applications. Locally hosted models. Open-source models. AI features embedded inside existing SaaS products.

For every tool, record:

Business owner. Technical owner. Vendor. Model provider. Deployment model. Data processed. Data retention. Training policy. Hosting region. Authentication method. Repository access. Extension and plugin support.

Logging capabilities. Administrative controls. Contract status. Security assessment status. Approved user groups. Approved repositories. Review date. Risk classification. This inventory should be continuously updated because many products add AI features through routine updates. A previously approved application may gain new data-sharing or agentic capabilities without being treated as a new purchase.

3. Classify AI Development Use Cases by Risk

Not every AI-assisted activity requires the same level of control. Using AI to draft a comment in an internal script is not equivalent to allowing an agent to modify authentication logic in a banking platform. A practical classification model can use four levels. Level 1: Low-Risk Assistance

Examples:

Explaining public programming concepts. Generating synthetic examples. Drafting non-sensitive documentation. Creating boilerplate for isolated experiments. Reformatting code without changing behavior.

Typical controls:

Approved tool. No sensitive data. Standard human review. Basic logging. Level 2: Controlled Development Assistance

Examples:

Generating application code in internal repositories. Creating unit tests. Refactoring existing components. Producing infrastructure templates. Suggesting dependencies.

Typical controls:

Enterprise account. Repository-level logging. Mandatory peer review. Automated security scanning. Dependency validation. Data-loss prevention controls. Level 3: High-Impact Development

Examples:

Authentication and authorization systems. Payment processing. Healthcare applications. Safety-related software. Critical infrastructure. Cryptography. Privacy controls. Production cloud architecture. Systems processing regulated data.

Typical controls:

Approved models and environments only. Explicit AI-output identification. Senior security review. Threat modeling. Independent testing. Restricted agent permissions. Enhanced audit records. Formal approval before deployment. Level 4: Autonomous or Privileged Agent Activity

Examples:

Agents executing terminal commands. Agents installing dependencies. Agents creating cloud resources. Agents modifying multiple repositories. Agents accessing production-like environments. Agents opening or updating pull requests without continuous human direction.

Typical controls:

Dedicated machine identity. Short-lived credentials. Sandboxed execution. Network restrictions. Command allowlists. Human approval checkpoints. Immutable logs. Automatic shutdown conditions. Prohibition against direct production changes. Continuous behavioral monitoring. Risk classification prevents governance from becoming unnecessarily restrictive while ensuring that higher-impact activities receive stronger scrutiny.

4. Establish Clear Data Boundaries

Developers need specific instructions about what they may and may not share with AI systems. A policy that merely says “do not share confidential information” is too vague.

The organization should define rules for:

Public data. Internal data. Confidential data. Restricted data. Customer data. Personal information. Payment information. Health information. Credentials and secrets. Security vulnerabilities. Export-controlled information. Contractually protected information.

Source code by repository classification.

Controls may include:

Blocking personal AI accounts. Requiring enterprise authentication. Disabling provider training where contractually available. Applying data-loss prevention to prompts. Scanning prompts for secrets. Redacting sensitive fields. Using private model endpoints. Restricting high-sensitivity repositories to locally hosted models. Preventing clipboard transfer from protected environments. Limiting prompt and response retention. Maintaining approved prompt templates. The most useful policy is one that developers can apply during real work without consulting legal counsel for every prompt.

5. Treat AI-Generated Code as Untrusted Input

AI-generated code should not receive an automatic credibility advantage simply because it was produced by an advanced model.

The safest default is:

Generated code is untrusted until validated.

Validation should include, where appropriate:

Human code review. Unit testing. Integration testing. Security testing. Static application security testing. Dynamic testing. Software composition analysis. Secret scanning. Infrastructure-as-code scanning. Container scanning. License analysis. API-security testing.

Fuzz testing. Threat-model review. Business-logic verification. Performance testing. Privacy review. GitHub’s guidance for reviewing AI-generated code recommends conventional safeguards such as dependency controls, static analysis, code scanning, and human review. AI can also assist with review, but one model’s approval should not be treated as independent proof that another model’s output is secure. Automated AI review can supplement security controls. It should not replace accountable human approval for high-impact software.

6. Build Governance Into the Repository Workflow

Written policies are weak if developers can bypass them effortlessly. Controls should be integrated into the systems where code is created, reviewed, and deployed.

Repository-level governance may include:

Protected branches. Mandatory pull requests. Required reviewers. Code-owner approval. Security-team approval for sensitive paths. Signed commits. Automated test requirements. Static analysis gates. Dependency scanning. Secret scanning. License checks. Infrastructure policy checks.

Artifact provenance. Build attestations. Deployment approval. AI-use disclosure in pull-request templates.

A pull-request template could ask:

Was AI used to create or modify this code? Which tool or model was used? Which files were materially generated? Was sensitive information included in prompts? Were new dependencies suggested? What tests were added? Which security checks were completed? What sections require additional human attention? The goal is not to shame developers for using AI. It is to make material AI involvement visible and reviewable.

7. Implement Repository-Level Observability

Observability is one of the strongest themes in the original SecurityWeek article. It argues that governance requires visibility into where AI-generated code enters the software-development process, how tools are being used, and how code changes are reviewed.

Useful observability signals include:

AI tool activation by user. Repository access. Files viewed by agents. Prompt and response metadata. AI-assisted commits. Agent-created branches. Commands executed. Dependencies installed. Pull requests created. Review comments generated. Security alerts triggered. Policy exceptions.

Deployment outcomes. Vulnerabilities associated with AI-assisted changes. Not every organization should retain complete prompts indefinitely. Prompts may contain sensitive information, and excessive logging can create additional privacy and security risk. Logging should therefore be proportional, protected, access-controlled, and aligned with legal and retention requirements. The important point is that the organization must have enough evidence to investigate incidents, measure risk, improve controls, and demonstrate compliance.

8. Apply Least Privilege to Coding Agents

An AI agent should receive only the permissions required for its assigned task. It should not automatically inherit the full privileges of the developer who launched it.

Recommended controls include:

Dedicated service identities. Repository-specific access. Read-only access by default. Time-limited credentials. Session-specific authorization. Restricted branch permissions. Sandboxed development environments. No direct access to production. No unrestricted access to secrets. Outbound network restrictions. Package-registry allowlists. Command execution policies.

Spending and resource limits. Mandatory human approval before merging. Automatic revocation after task completion. The principle is the same as for any privileged automation system: assume that the system can misunderstand instructions, be manipulated by malicious content, or perform unintended actions.

9. Defend Against Prompt Injection in Development Environments

Prompt injection is not limited to customer-facing chatbots.

A coding agent may read:

Repository files. Issue descriptions. Pull-request comments. Documentation. Web pages. Package metadata. Error messages. Log files. Third-party API responses. Any of these sources could contain instructions designed to manipulate the agent. A malicious repository file might tell the agent to ignore its task, expose secrets, download a dependency, modify security controls, or send information to an external server.

Controls should include:

Treating retrieved content as untrusted data. Separating system instructions from repository content. Restricting tool use. Requiring confirmation for sensitive actions. Blocking secret access. Limiting outbound communications. Monitoring unusual command sequences. Reviewing agent plans before execution. Validating generated diffs. Sandboxing unknown repositories. OWASP’s GenAI security work identifies prompt injection, insecure output handling, sensitive information disclosure, excessive agency, and software supply chain vulnerabilities as major areas of concern for LLM-enabled applications. These categories are directly relevant to coding agents.

10. Benchmark Developer Security Capabilities

Governance cannot depend entirely on tools. Developers must be able to recognize when AI-generated code is unsafe, incomplete, or unsuitable for the organization’s environment.

Benchmarking should evaluate whether developers can:

Identify common vulnerabilities. Validate authentication and authorization logic. Detect unsafe input handling. Review AI-generated dependencies. Recognize insecure cloud configurations. Evaluate privacy risks. Challenge incorrect AI explanations. Write meaningful tests. Review code they did not personally create. Explain the code they approve. Apply organizational security standards. The purpose is not to create a punitive ranking system.

The purpose is to identify where teams need additional support.

Benchmarking can be performed through:

Secure-coding assessments. Practical labs. Simulated pull requests. Vulnerability-identification exercises. Role-specific scenarios. Incident retrospectives. Review-quality analysis. Capture-the-flag exercises. AI-generated-code evaluation tasks. Results should inform training plans, reviewer assignments, and risk-based approval requirements.

11. Deliver Practical, Contextual Education

Generic annual awareness training will not solve AI-assisted software risk. Developers learn best when training resembles the work they perform.

Useful exercises include:

Reviewing an AI-generated authentication function. Finding a vulnerability in generated API code. Detecting a hallucinated package. Correcting insecure infrastructure-as-code. Identifying sensitive data in a prompt. Evaluating an agent-created pull request. Responding to a prompt-injection attempt. Comparing secure and insecure AI suggestions. Testing whether generated code satisfies business requirements.

Education should be:

Role-specific. Language-specific. Framework-specific. Short enough to fit development schedules. Connected to actual vulnerabilities. Updated as tools evolve. Reinforced through code review and tooling. A developer working on mobile applications needs different examples from someone managing Kubernetes infrastructure or financial transaction systems.

12. Define Human Accountability

An organization should never allow the phrase “the AI wrote it” to become an excuse for unclear ownership. Every material AI-assisted change should have an accountable human owner.

That person should be able to state:

What the change does. Why it is needed. How it was tested. Which risks were considered. Which dependencies were introduced. Which AI systems were used. Why the code is suitable for deployment.

For high-risk systems, accountability may require several people:

Developer. Peer reviewer. Security reviewer. Product owner. System owner. Release approver. The AI system can generate, recommend, review, and test. It cannot absorb the organization’s legal, contractual, ethical, or fiduciary responsibility. Aligning AI Development Governance With Recognized Frameworks Organizations do not need to invent every governance principle from scratch. NIST AI Risk Management Framework

The NIST AI Risk Management Framework organizes AI risk activities around four core functions:

Govern. Map. Measure. Manage. NIST also published a Generative AI Profile to help organizations address risks specifically associated with generative systems. It is designed to help organizations incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products and services.

For software development, this can translate into:

Govern: define ownership, policies, roles, and accountability. Map: identify AI use cases, affected systems, users, and business consequences. Measure: test code quality, security, privacy, reliability, and developer capability. Manage: apply controls, prioritize risks, monitor outcomes, and improve processes. NIST Secure Software Development Framework NIST’s Secure Software Development Framework provides high-level practices that can be integrated into different software-development methodologies. Its purpose includes reducing vulnerabilities, limiting the impact of undetected weaknesses, and addressing root causes.

Organizations can extend the SSDF to AI-assisted development by adding:

AI-tool approval. Generated-code traceability. Prompt-data classification. Model and agent risk assessment. AI-specific testing. Agent identity controls. AI-related incident procedures. Developer AI-review training. NIST has also published an SSDF community profile focused on generative AI and dual-use foundation-model development. CISA Secure by Design CISA’s Secure by Design guidance encourages software manufacturers to treat security as a core product requirement and to reduce the cybersecurity burden placed on customers. CISA has explicitly stated that AI systems should be secure by design throughout their lifecycle.

For AI-assisted software development, secure by design means:

Security requirements are defined before code generation. Approved components are easy to use. Insecure defaults are blocked. Security checks are automated. Customers do not bear the cost of careless AI-generated vulnerabilities. Development speed is not treated as more important than customer safety. ISO/IEC 42001 ISO/IEC 42001 specifies requirements for establishing and continually improving an artificial-intelligence management system. It is intended for organizations that develop, provide, or use AI-based products and services.

It can help organizations formalize:

AI policy. Leadership responsibilities. Risk assessment. Operational controls. Documentation. Performance evaluation. Corrective action. Continual improvement. The standard is especially relevant to organizations that need a management-system approach rather than a collection of disconnected technical controls. European Union AI Act The EU AI Act introduces risk-based obligations for AI systems and requirements affecting providers of general-purpose AI models. General-purpose AI obligations began applying on August 2, 2025, while other provisions follow the regulation’s implementation schedule.

A company using AI in software development should determine whether it is:

Merely using an AI tool internally. Integrating a model into a product. Substantially modifying an AI system. Providing an AI system to customers. Developing or distributing a general-purpose model. Operating in a regulated or high-risk domain. Legal obligations depend on the organization’s role and the system’s use. Governance should therefore include legal classification, documentation, vendor information, technical records, and clear responsibility across the AI supply chain. Metrics That Show Whether Governance Is Working AI governance should be measurable.

Useful metrics include:

Adoption and Visibility Percentage of developers using approved AI tools. Number of unapproved tools discovered. Percentage of repositories with AI-use controls. Percentage of AI tools connected through enterprise accounts. Number of privileged coding agents. Code Quality and Security Vulnerabilities per AI-assisted pull request. Vulnerabilities per non-AI pull request. Percentage of generated changes rejected during review. Percentage of AI-suggested dependencies denied. Escaped defects associated with AI-assisted code.

Security findings by language, team, tool, or model. Review Effectiveness Percentage of AI-assisted changes receiving required review. Time spent reviewing AI-generated code. Number of changes merged without disclosure. Percentage of critical-path changes receiving security approval. Review findings that automated tools missed. Data Protection Prompts blocked by data-loss prevention. Secret-sharing attempts. Sensitive repositories accessed by external models. Personal AI accounts detected.

Retention-policy exceptions. Developer Capability Secure-coding assessment results. AI-code-review assessment results. Training completion. Improvement after practical education. Recurring vulnerability categories. Operational Outcomes AI-related incidents. Agent permission violations. Unauthorized commands. Rollbacks involving AI-generated changes.

Production failures caused by generated code. Mean time to investigate AI-assisted changes. Metrics should drive improvement, not merely create dashboards. A low number of reported incidents may mean the program is working. It may also mean the organization lacks visibility. A 90-Day Implementation Roadmap Days 1 - 30: Establish Visibility and Immediate Guardrails Form the cross-functional governance group. Identify officially approved AI tools. Discover commonly used unapproved tools. Publish temporary data-handling rules. Prohibit credentials and restricted data in prompts. Require enterprise accounts for approved tools.

Classify repositories by sensitivity. Review vendor retention and training policies. Add AI-use questions to pull-request templates. Begin logging tool and repository access. The goal of the first month is not perfect governance. It is to stop operating blindly. Days 31 - 60: Integrate Controls Into Development Workflows Define risk tiers for AI-assisted development. Configure branch protection. Require security scanning. Apply software composition analysis. Establish dependency allowlists. Restrict coding-agent permissions.

Create sandboxed agent environments. Introduce human approval checkpoints. Define exception procedures. Begin targeted developer assessments. The second month moves governance from documents into technical systems. Days 61 - 90: Measure, Educate, and Improve Launch practical secure-AI development training. Establish initial security and quality baselines. Review incidents and rejected AI suggestions. Identify teams with recurring weaknesses. Create executive reporting. Update vendor-risk assessments.

Test agent shutdown and credential-revocation procedures. Conduct an AI-assisted development audit. Run a prompt-injection simulation. Publish the next 6- to 12-month maturity roadmap. At the end of 90 days, the organization should be able to explain which tools are used, what information they access, how generated code is reviewed, and who is accountable. Common Mistakes to Avoid Banning All AI Tools A total ban may appear simple, but it can push adoption underground. Developers may continue using personal accounts and unmanaged devices. A safer strategy is to provide approved alternatives and make compliant usage easier than noncompliant usage. Approving a Tool Without Governing Its Use Vendor approval does not mean every use case is safe. A tool may be acceptable for public code but inappropriate for restricted repositories. It may be safe as a code-completion assistant but too powerful when operating as an autonomous agent.

Relying Only on Developer Disclosure Developers may forget to disclose AI usage or may not know how much of a feature was generated through an embedded AI capability. Disclosure should be supported by administrative telemetry, repository controls, and automated detection where practical. Assuming More Testing Solves Everything Testing is essential, but a generated test suite may reflect the same incorrect assumptions as the generated code. Testing must be combined with threat modeling, secure design, independent review, and business-logic validation. Treating AI Governance as Only a Security Project AI-assisted development also affects privacy, intellectual property, procurement, employment practices, compliance, product safety, vendor management, and customer trust. Giving Agents Human-Level Permissions An agent does not need unrestricted access simply because the developer supervising it has broad permissions. Agents should use constrained identities and task-specific credentials. Measuring Productivity Without Measuring Rework

Counting generated lines of code, completed tickets, or pull requests can create a misleading picture.

Organizations should also measure:

Review time. Vulnerabilities. Defects. Rollbacks. Maintenance burden. Incident cost. Technical debt. Faster code generation is not valuable when it creates more expensive downstream work.

Key Takeaways

AI-assisted development is already widespread, but trust in AI accuracy remains limited. The governance gap exists because actual developer behavior is moving faster than policy, security, and audit systems. AI-generated code can introduce vulnerabilities, incorrect logic, insecure dependencies, privacy exposure, and licensing concerns. Autonomous coding agents create additional identity, authorization, network, supply chain, and operational risks. AI-generated code should be treated as untrusted until it has passed appropriate human and automated validation. Governance must be implemented inside repositories, pull requests, CI/CD pipelines, identity systems, and development environments. Observability, developer benchmarking, and practical education are essential. Approved AI tools should be inventoried and classified by capability, data access, and autonomy. Coding agents should receive dedicated identities, short-lived credentials, sandboxed environments, and least-privilege permissions. Every deployed change must retain an accountable human owner. NIST, CISA, OWASP, ISO, and the EU AI Act provide useful foundations for building a mature program. The goal is not to prevent AI-assisted development. It is to ensure that speed does not replace responsibility.

Frequently Asked Questions

What is the AI governance gap in software development?

It is the difference between how AI tools are actually used by developers and the controls an organization has established to manage those tools. The gap may involve tool approval, data handling, generated-code review, agent permissions, logging, accountability, or compliance.

Should companies prohibit AI-generated code?

Not necessarily. A blanket prohibition can reduce legitimate productivity and encourage shadow AI. A risk-based program with approved tools, data controls, mandatory review, testing, and monitoring is generally more practical.

Is AI-generated code inherently insecure?

No. AI-generated code can be secure or insecure, just as human-written code can. The concern is that generated output may appear convincing while containing subtle errors, and it can be produced at a much greater speed and scale.

Should developers disclose when they use AI?

Material AI involvement should generally be disclosed, especially when AI creates business logic, dependencies, security-sensitive code, infrastructure configurations, or substantial portions of a pull request.

Can AI review AI-generated code?

Yes, AI can assist with review, but it should not be the only control. Models may share similar weaknesses, overlook contextual issues, or reinforce incorrect assumptions. High-impact code still requires accountable human review.

What information should never be entered into public AI tools?

Organizations should generally prohibit unapproved sharing of credentials, secrets, customer data, regulated personal information, restricted source code, undisclosed vulnerabilities, proprietary algorithms, confidential contracts, and other protected information.

How should coding agents be secured?

Use dedicated identities, least-privilege permissions, sandboxed environments, restricted networks, short-lived credentials, command controls, detailed logging, human approval checkpoints, and no direct production access.

Who should own AI governance for development?

Ownership should be shared across engineering, security, privacy, legal, compliance, procurement, risk, architecture, and product leadership. A central governance body should establish policy, while engineering and security teams implement operational controls.

What is the difference between AI governance and AI security?

AI security focuses primarily on protecting AI systems, data, users, and surrounding infrastructure from threats. AI governance is broader. It includes ownership, policy, ethics, risk classification, accountability, legal compliance, vendor management, performance, and oversight.

What frameworks should companies use?

Useful foundations include the NIST AI Risk Management Framework, NIST Secure Software Development Framework, CISA Secure by Design guidance, OWASP GenAI security resources, ISO/IEC 42001, and applicable laws such as the EU AI Act.

How can organizations detect shadow AI?

Methods include identity and access logs, browser and endpoint monitoring, SaaS discovery, network analysis, expense reviews, extension inventories, repository telemetry, data-loss prevention, surveys, and developer interviews.

Can AI governance slow down development?

Poorly designed governance can. Well-designed governance should automate routine controls, provide approved tools, clarify expectations, and reduce late-stage security rework. The objective is to support safe speed rather than create unnecessary approval layers.

Conclusion

Artificial intelligence is becoming part of the software-development infrastructure itself. It is no longer limited to suggesting a few lines of code. AI systems can now interpret requirements, examine repositories, create implementation plans, modify applications, generate tests, execute commands, review changes, and participate in the pull-request process. That capability can improve productivity, accelerate experimentation, help developers understand complex systems, and reduce routine work. But it also expands the attack surface. Organizations that adopt AI without improving governance may generate software faster while losing visibility into code origin, data exposure, dependency risk, developer understanding, agent behavior, and accountability. The solution is not fear, prohibition, or another policy document that developers rarely read. The solution is operational governance. That means maintaining an accurate inventory of tools, establishing data boundaries, classifying use cases by risk, restricting agent permissions, tracing material AI involvement, requiring human accountability, integrating security controls into repositories, continuously measuring results, and training developers to challenge AI output rather than trust it automatically.

The enduring principle of secure software development still applies:

The organization that deploys the software owns the consequences. AI may write the code. It may review the code. It may test the code. It may even recommend that the code be released. But the responsibility remains human.

Relevant Articles and Resources

SecurityWeek: How to Close the AI Governance Gap in Software Development The original article that emphasizes repository observability, developer benchmarking, practical education, and secure-by-design development. NIST AI Risk Management Framework A voluntary framework for governing, mapping, measuring, and managing risks associated with artificial intelligence. NIST Generative Artificial Intelligence Profile A companion to the AI Risk Management Framework focused on risks and controls associated with generative AI. NIST Secure Software Development Framework Recommended practices for integrating security into software-development lifecycles. NIST Secure Software Development Practices for Generative AI and Dual-Use Foundation Models AI-specific additions to the Secure Software Development Framework. CISA Secure by Design Guidance encouraging software manufacturers to make customer security a central product requirement.

CISA: Software Must Be Secure by Design, and Artificial Intelligence Is No Exception Guidance applying secure-by-design principles directly to AI systems. OWASP Top 10 for LLM and Generative AI Security Community-developed guidance covering major vulnerabilities and risks affecting LLM-enabled applications. OWASP LLM Applications Cybersecurity and Governance Checklist Practical governance and security guidance for executives, developers, security teams, legal teams, and compliance professionals. ISO/IEC 42001 Artificial Intelligence Management Systems An international management-system standard for organizations developing or using AI products and services. European Commission: EU AI Act Official information regarding the European Union’s risk-based legal framework for artificial intelligence. European Commission: General-Purpose AI Obligations Official guidance regarding obligations affecting providers of general-purpose AI models.

GitHub Guidance for Reviewing AI-Generated Code Practical guidance covering code review, dependencies, static analysis, code scanning, and validation. GitHub Risks and Mitigations for Coding Agents Documentation describing security considerations and safeguards for AI agents that modify software repositories. 2025 Stack Overflow Developer Survey: Artificial Intelligence Current survey findings on developer adoption, attitudes, trust, and concerns regarding AI development tools.