Companion to “AI Didn’t Break Accountability. It Exposed the Gap.” That essay covers the why. This is the what. Three shifts to fix the accountability gap.
Traceability by design. Every AI-assisted change should carry provenance as a commit property: a git trailer or CI annotation recording the tool, the context, and whether the output was accepted as-is or modified. Tag at commit time, make it queryable, build from there. If you can’t answer “was this AI-generated, by what, and who accepted it?” within minutes of an incident, you’ve found your first gap.
Ownership as a two-sided contract. The developer owns intent: they accepted the suggestion, they clicked merge. The organization owns the environment: which tools it provides, what review standards it enforces, what quality gates it builds or doesn’t. When a CI pipeline treats AI-generated and human-written code identically, that’s an organizational decision. When review checklists don’t account for AI-specific failure modes (contextual bugs, architectural misfit, missed constraints), that’s a process gap, not an individual one. Both sides have to be explicit.
Governance in the development path, not after it. Governance checkpoints belong where decisions happen: at commit, in CI/CD, in code review. Not in a policy document nobody reads. This means trust layers: a generated utility function doesn’t need the same scrutiny as a generated authentication handler. Risk-based gates, applied automatically, with measurable signals.
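A sketch of how the provenance trailer from the first shift can feed the risk-based gate from the third, added here as an illustration and not taken from the essay or any particular tool. The trailer keys (`AI-Tool`, `AI-Context`, `AI-Disposition`), the path patterns, the route names, and the sample commits are all assumptions constructed for the example.

```python
import re
from fnmatch import fnmatch

# Assumed trailer keys and path patterns; the article names the fields, not a schema.
REQUIRED = ("AI-Tool", "AI-Context", "AI-Disposition")
DISPOSITIONS = {"accepted-as-is", "modified"}
HIGH_TRUST_PATHS = ("src/auth/*", "*/crypto/*")
TRAILER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(\S.*)$")

def parse_trailers(message):
    """Simplified trailer parsing: the last paragraph must be all 'Key: value' lines."""
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    if len(paragraphs) < 2:  # subject only, so there is no trailer block
        return {}
    matches = [TRAILER.match(l.strip()) for l in paragraphs[-1].splitlines()]
    return {m.group(1): m.group(2).strip() for m in matches} if all(matches) else {}

def gate(commit):
    """Return the review route for one commit from its provenance and touched paths."""
    t = parse_trailers(commit["message"])
    if not any(k.startswith("AI-") for k in t):
        return "standard-review"                # no AI provenance declared
    if any(k not in t for k in REQUIRED) or t["AI-Disposition"] not in DISPOSITIONS:
        return "block-incomplete-provenance"    # tagged, but not answerable later
    sensitive = any(fnmatch(p, pat) for p in commit["paths"] for pat in HIGH_TRUST_PATHS)
    return "security-review" if sensitive else "standard-review"

def who_accepted(commit):
    """Answer: was this AI-generated, by what, and who accepted it?"""
    t = parse_trailers(commit["message"])
    if "AI-Tool" not in t:
        return None
    return (t["AI-Tool"], t.get("AI-Disposition"), commit["author"])

# Constructed sample commits (not real history).
COMMITS = [
    {"author": "dev-a@example.com", "paths": ["src/util/strings.py"],
     "message": "Add slugify helper\n\nAI-Tool: example-assistant\nAI-Context: inline completion\nAI-Disposition: accepted-as-is"},
    {"author": "dev-b@example.com", "paths": ["src/auth/session.py"],
     "message": "Rework session refresh\n\nAI-Tool: example-assistant\nAI-Context: chat prompt\nAI-Disposition: modified"},
    {"author": "dev-c@example.com", "paths": ["src/auth/token.py"], "message": "Add token check\n\nAI-Tool: example-assistant"},
    {"author": "dev-d@example.com", "paths": ["docs/README.md"], "message": "Fix typo"},
]

if __name__ == "__main__":
    for c in COMMITS:
        print(c["paths"][0], gate(c), who_accepted(c))
```

The gate only sees provenance that was declared: a commit with no trailers is routed as human-written, so this check has to be paired with tagging at commit time to be meaningful.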
The Tooling Is Closer Than You Think
What I find encouraging is that the building blocks for most of this already exist. They’re just not being assembled with governance in mind.
What to look for in governance tooling. Not every quality or security tool can extend to governance. The ones that can share specific characteristics: they sit in the code path natively (not bolted on after), they observe actual code at scale (not survey-reported adoption), they can surface AI-attribution signals and patterns associated with generated code, and they have a progression story from quality to security and to governance using the same underlying data.
The gap isn’t tooling. It’s integration and intent. Connecting provenance metadata to quality gates to ownership records: that’s the missing layer.

The Governance Control Plane
What ties this together is a control plane for engineering governance — a layer that tracks decision lineage across humans and AI, enforces policy before code ships, and makes ownership observable. Without it, accountability is retrospective. With it, accountability becomes a system property.
Where to start: Run a provenance test on a recent PR. Get legal, CISO, and platform engineering in a room to make the ownership decision explicitly. Assign the mandate to one team. Instrument your pipeline with basic AI-origin tags. Four moves, all achievable in weeks.