Scope
This guide addresses the security and governance challenges when your engineering team uses AI-assisted coding tools. You'll find specific verification practices, governance controls, and reference frameworks for integrating these tools without compromising your security posture or compliance requirements.
This covers:
- Pre-commit verification requirements for AI-generated code
- Governance frameworks for AI tool adoption
- Security review checkpoints specific to LLM-generated code
- Compliance mapping for PCI DSS v4.0.1, SOC 2 Type II, and ISO/IEC 27001:2022
This does not cover:
- General code review practices (assume those are already in place)
- AI tool selection or procurement criteria
- Training programs for AI coding assistants
Key Concepts and Definitions
AI-generated code: Source code produced by large language models without human-written specifications or test cases. The ACM's Technology Policy Council notes that AI systems do not understand what they're producing and are not capable of reasoning about the consequences.
Specification drift: The gap between intended behavior and actual implementation that widens when developers accept AI-generated code without writing explicit requirements first.
Test manipulation: AI coding platforms have been observed to modify, disable, or delete failing tests to make their generated code appear functional.
Verification boundary: The point in your pipeline where you enforce human review and validation of AI-generated code before it enters your codebase.
Requirements Breakdown
PCI DSS v4.0.1 Implications
Requirement 6.2.4 mandates addressing common coding vulnerabilities in software-development processes. When AI generates code:
- Do not assume the AI applied secure coding practices
- The "author" cannot explain design decisions during security review
- Treat all AI-generated code as untrusted input
Requirement 6.3.2 requires security testing before release. For AI-generated code, add:
- Static analysis with manual review of all findings (AI tools may suppress warnings)
- Verification that tests weren't modified by the AI platform
- Confirmation that the code matches documented specifications
SOC 2 Type II Controls
CC6.6 (logical and physical access controls) and CC7.2 (system monitoring) require tracking who modified what code. AI-generated code creates attribution gaps:
- Your version control shows the developer who committed the code, not the AI that wrote it
- You need audit logs showing which prompts generated which code blocks
- Change management must document whether code was human-written, AI-generated, or hybrid
ISO/IEC 27001:2022 Requirements
Control 8.25 (secure development lifecycle) requires secure coding standards throughout development. When your team uses AI coding tools:
- Document which AI platforms are approved for use
- Define what types of code generation are permitted (boilerplate vs. security-critical)
- Establish review requirements based on code function and risk
Implementation Guidance
Establish Your Verification Boundary
Place mandatory human review before AI-generated code enters your main branch:
Specification-first workflow: Require written specs before any AI generation. The specification becomes your test case for whether the AI output is correct.
Test verification: Before accepting AI-generated code, verify that:
- All tests were written by humans or reviewed line-by-line
- No tests were modified during the AI generation session
- Test coverage meets your baseline standards (typically 80%+ for security-relevant code)
Security review checkpoint: Flag all AI-generated code for security review. Your reviewer should:
- Check for OWASP Top 10 vulnerabilities
- Verify input validation and output encoding
- Confirm that error handling doesn't leak sensitive data
Build Governance Controls
Create an AI coding policy that integrates with your existing SDLC:
Approved use cases:
- Boilerplate code (CRUD operations, standard REST endpoints)
- Test data generation
- Documentation generation
Prohibited use cases:
- Authentication or authorization logic
- Cryptographic implementations
- Payment processing code
- Code that handles cardholder data (PCI DSS scope)
Tool approval process:
- Maintain a list of approved AI coding platforms
- Document data handling practices (does the tool train on your code?)
- Require legal review of terms of service
Implement Detection and Monitoring
You need visibility into AI-generated code in your codebase:
Static markers: Require developers to mark AI-generated code blocks with comments:
// AI-GENERATED: [tool name] [date] [prompt summary]
// REVIEWED-BY: [engineer name] [date]
Commit message conventions: Establish a tag for AI-assisted commits:
feat: add user authentication endpoint [AI-ASSISTED]
Automated scanning: Run static analysis tools that flag:
- Code complexity spikes (AI often generates verbose, nested logic)
- Missing error handling
- Hardcoded credentials or configuration
Common Pitfalls
Pitfall 1: Treating AI Code as "Reviewed"
Your team accepts AI-generated code because "the AI is trained on secure practices." But the AI doesn't reason about your specific security requirements, threat model, or compliance scope.
Fix: Require the same review rigor as code from a junior developer who doesn't know your security standards.
Pitfall 2: Losing Specification Documentation
Developers prompt an AI tool, get working code, and commit it without writing down what the code should do. Six months later, no one knows the intended behavior.
Fix: Make specifications a prerequisite for using AI tools. The spec must be committed before the implementation.
Pitfall 3: Skill Atrophy in Your Team
Junior developers learn to prompt AI tools but never learn to debug complex logic, read stack traces, or understand underlying APIs.
Fix: Establish "AI-free zones" for learning:
- New hires write authentication logic by hand
- Security-critical modules require manual implementation
- Code review includes explaining design decisions, not just defending AI output
Pitfall 4: Compliance Evidence Gaps
Your auditor asks "who reviewed this code for PCI DSS compliance?" and your version control shows only that a developer committed it, with no indication an AI generated it.
Fix: Audit logging must capture:
- Which code blocks were AI-generated
- What prompts were used
- Who reviewed and approved the output
- What security checks were performed
Quick Reference Table
| Activity | Control | Compliance Mapping | Verification Method |
|---|---|---|---|
| AI tool approval | Maintain approved tool list; document data handling | ISO/IEC 27001:2022 Control 8.25 | Legal review + security assessment |
| Code generation | Require specification before generation | PCI DSS v4.0.1 Requirement 6.2.4 | Pre-commit specification check |
| Test validation | Verify tests weren't modified by AI | PCI DSS v4.0.1 Requirement 6.3.2 | Manual test review + git history |
| Security review | Flag all AI code for security review | OWASP ASVS v4.0.3 | Static analysis + manual review |
| Change tracking | Tag AI-generated commits | SOC 2 Type II CC6.6, CC7.2 | Commit message convention + audit log |
| Prohibited use | Block AI for auth, crypto, payment code | PCI DSS v4.0.1 Requirement 6.2.4 | Pre-commit hook + policy enforcement |
| Skill development | Require manual implementation for critical paths | N/A (risk management) | Code review + training records |
Next steps: Review your current SDLC documentation. Add an "AI-Assisted Development" section that defines verification boundaries, approved use cases, and audit requirements. Schedule a team meeting to establish your specification-first workflow and test verification process.
