Bridging the Governance Gap in the Age of AI-Generated Software
Most enterprise engineering leaders are about to walk into a conversation they have not prepared for, and the people who will run that conversation are sitting in compliance, not engineering.
The question that starts it is simple. When a model generates a meaningful share of your production code, who owns what it did? I am not asking philosophically. I am asking operationally, the way a compliance officer at a firm managing half a trillion dollars in assets would ask it the morning after a production incident traced back to AI-generated code. Who approved it, who validated it, who can stand up under examination and attest to the logic it contains. Most organizations do not have a name and an answer. They have a gap.
And the gap is widening fast. Deloitte’s 2026 outlook projects 30 to 35 percent productivity gains across the development lifecycle from AI tooling, and many of the engineering shops I work inside are already past 40 percent AI-generated output on active projects. So for every ten lines going into production, four were written by a model, reviewed by an engineer under sprint pressure, and waved through a process built for a world where engineers wrote everything themselves. That same Deloitte work names the way through, almost in passing. The teams capturing the real gains are the ones who rebuild their operating model around AI rather than bolting it onto the old one. The model is not the differentiator anymore. The operating model around it is.
So let me be concrete about that operating model, because diagnosis without a build is just anxiety.
The Crisis of the Legacy Model
The mistake most organizations make is treating AI-generated code as an engineering problem, which buries it inside one team that cannot see compliance, risk, or audit. It is a cross-functional problem, and it needs a cross-functional owner. That owner is an AI-DLC Center of Excellence with a real charter, a named lead, and standing seats for engineering, security, compliance, risk, and architecture. Not a committee that meets quarterly and produces slides. A working body with the authority to set the standard the whole enterprise runs on.
The Hub and Spoke Architecture
The first real decision is not what the Center of Excellence does but how its ownership is structured, and there are two ways to get it wrong.
Centralize everything and the CoE becomes the single owner of every review, every attestation, every model decision. The control story is clean and a regulator gets one name and one answer, but the CoE turns into a bottleneck the moment AI output scales past a handful of teams, and delivery slows to the speed of one overloaded function. In a shop already past 40 percent AI output, you cannot afford to trade that much velocity for control.
Federate everything and each product team owns its own AI code governance, close to the domain and genuinely fast. But now thirty teams write thirty versions of what a review certifies, the audit trail fragments, the standards drift, and when the regulator asks the enterprise question you have thirty different answers, which is the same as having none.
The model that holds in a regulated environment is neither extreme. It is hub and spoke. The AI-DLC Center of Excellence owns the floor, the things a regulator examines across the whole enterprise, and the product teams own the execution, the things that need domain judgment and speed. Central sets the standard, federated does the work, and the CoE audits rather than operates. If you have heard me talk about running a business, this is the same principle: you set direction and review the exceptions; you do not operate every decision yourself.
That one distinction tells you exactly what to pull in and what to push out.
- The context-capture standard: Ensuring every AI-generated commit carries its prompt and the human judgment behind it.
- The attestation standard: Ensuring an engineer’s review certifies specific, bounded logic.
- The risk-tiering taxonomy: Differentiating between routine endpoints and high-stakes algorithms.
- The model registry: Tracking model versions as production dependencies.
Centralize the non-negotiables. Four things live in one place, owned by the CoE, identical across every team, because these are precisely what a regulator examines enterprise-wide. The context-capture standard, so every AI-generated commit carries its prompt, its architectural constraints, its business requirements, and the human judgment that shaped the ask, logged automatically in the pipeline as the audit trail. The attestation standard, so an engineer’s review certifies something specific and bounded rather than a blanket endorsement of whatever the model produced. The risk-tiering taxonomy, so a routine CRUD endpoint and a trading algorithm are never held to the same depth of review. And the model registry, so the model version is tracked as a production dependency and a model upgrade runs through the same change control as any other release, because behavior can shift even when not a single line of code changed.
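One way those four standards can be made mechanical in the pipeline, as an added example that is not from the original post: a pre-merge gate that reads git-style trailers from a commit message and rejects the commit unless the model version is approved in the registry, the prompt and context are referenced, the risk tier is one the taxonomy defines, and the attestation names bounded logic where the tier demands it. The trailer names, tier names, registry contents and sample commits are all hypothetical and constructed here for illustration; a real deployment would pull the registry and tier policy from the CoE's source of truth rather than from module constants.

```python
import re

# Hypothetical model registry: a model version is a production dependency,
# and only "approved" versions have cleared change control.
MODEL_REGISTRY = {
    "vendor-x/codegen-7": "approved",
    "vendor-x/codegen-8": "pending",   # upgrade not yet through change control
}

# Hypothetical risk-tier taxonomy: what an attestation must contain per tier.
TIER_POLICY = {
    "routine":  {"min_attestations": 1, "require_scope": False},
    "elevated": {"min_attestations": 1, "require_scope": True},
    "critical": {"min_attestations": 2, "require_scope": True},
}

TRAILER_RE = re.compile(r"^([A-Z][A-Za-z-]*):\s*(.+)$")
# Attested-By: Name <email> scope="what exactly was certified"
ATTEST_RE = re.compile(r'^(?P<who>[^<]+<[^>]+>)(?:\s+scope="(?P<scope>[^"]*)")?$')


def parse_trailers(message: str) -> dict[str, list[str]]:
    """Collect 'Key: value' trailers from the last paragraph of a commit message."""
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    trailers: dict[str, list[str]] = {}
    if not paragraphs:
        return trailers
    for line in paragraphs[-1].splitlines():
        m = TRAILER_RE.match(line.strip())
        if m:
            trailers.setdefault(m.group(1), []).append(m.group(2).strip())
    return trailers


def check_commit(message: str) -> list[str]:
    """Return policy violations for one commit; an empty list means it passes the gate."""
    t = parse_trailers(message)
    problems: list[str] = []

    flag = t.get("AI-Generated", [])
    if not flag:
        return ["missing AI-Generated trailer (every commit must declare it)"]
    if flag[0].lower() != "yes":
        return problems                      # human-written: not subject to these checks

    # 1. Model registry: the model version must be an approved dependency.
    model = t.get("AI-Model", [None])[0]
    if model is None:
        problems.append("missing AI-Model trailer")
    elif MODEL_REGISTRY.get(model) != "approved":
        problems.append(f"model {model!r} is not approved in the registry")

    # 2. Context capture: the stored prompt/constraints must be referenced.
    if "Prompt-Ref" not in t:
        problems.append("missing Prompt-Ref trailer (prompt/context not captured)")

    # 3. Risk tier: must be one the taxonomy defines.
    tier = t.get("Risk-Tier", [None])[0]
    policy = TIER_POLICY.get(tier or "")
    if policy is None:
        problems.append(f"unknown or missing Risk-Tier {tier!r}")
        return problems                      # cannot judge attestations without a tier

    # 4. Attestation: enough reviewers, each certifying bounded logic if the tier demands it.
    attestations = t.get("Attested-By", [])
    if len(attestations) < policy["min_attestations"]:
        problems.append(
            f"tier {tier!r} needs {policy['min_attestations']} attestation(s), found {len(attestations)}"
        )
    for a in attestations:
        m = ATTEST_RE.match(a)
        if not m:
            problems.append(f"malformed Attested-By: {a!r}")
        elif policy["require_scope"] and not (m.group("scope") or "").strip():
            problems.append(f"attestation by {m.group('who').strip()} lacks a bounded scope")
    return problems


# Constructed sample commit messages (hypothetical names, tickets and paths).
GOOD_COMMIT = """\
Add retry with jittered backoff to PaymentClient

AI-Generated: yes
AI-Model: vendor-x/codegen-7
Prompt-Ref: ai-context/2026-03-02/PAY-481.json
Risk-Tier: elevated
Attested-By: Jane Doe <jane@example.com> scope="backoff loop in PaymentClient.send; retry limits unchanged"
"""

BAD_COMMIT = """\
Rewrite position-limit check in OrderRouter

AI-Generated: yes
AI-Model: vendor-x/codegen-8
Prompt-Ref: ai-context/2026-03-02/TRD-902.json
Risk-Tier: critical
Attested-By: Sam Lee <sam@example.com>
"""

HUMAN_COMMIT = "Bump changelog\n\nAI-Generated: no\n"

if __name__ == "__main__":
    for name, msg in [("good", GOOD_COMMIT), ("bad", BAD_COMMIT), ("human", HUMAN_COMMIT)]:
        print(name, check_commit(msg) or "PASS")
```

The point of the gate is that each of the four centralized standards becomes a check the spoke cannot skip under sprint pressure: an unregistered model version fails even if the code is fine, because the upgrade has not been through change control, and at the critical tier a blanket sign-off with no scope fails because it certifies nothing specific. The trailers themselves are the audit trail the regulator asks for, written at commit time rather than reconstructed after an incident.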
Federate the judgment. The actual review, the tier a given system falls into, the domain validation, and the day-to-day enforcement live with the product teams, each carrying an embedded governance lead, a spoke, accountable to their delivery org and dotted-line to the CoE.
The Questions That Decide Your Model
Before you pick, get honest answers to these, because they decide the org chart for you.
- Who is the single named owner accountable when the regulator asks?
- What must be identical across every team, and what genuinely needs local judgment?
- Who can grant an exception, and at what risk tier does that authority move to the CoE?
- How does the CoE stay an auditor and avoid sliding into operator?
- How do you fund the spokes with real local ownership?
The 90-Day Buildout
You do not need a year and a consulting army to start. In the first thirty days, charter the CoE, name the owner, seat the five functions, and decide your federation model, then pick one high-risk system and run a tabletop against a real compliance scenario, the morning-after-the-incident drill, to find out where your current answer falls apart. In the next thirty, turn what broke into the first version of your context and attestation standards and wire context logging into that one pipeline as the pilot. In the final thirty, stand up the model registry for the pilot and take the results to your risk committee, so the posture has executive air cover before you scale it across the estate. That is a single quarter, and at the end of it you have a working governance model on one real system and a credible plan to extend it, which is a completely different place to stand than a deck that says you take AI risk seriously.
Why This Cannot Wait
The SEC, the OCC, and the Federal Reserve are all still shaping their AI guidance for financial services, and none of it has landed with binding force. That quiet is exactly why most organizations are not moving. The quiet will not hold. The first high-profile incident involving AI-generated code inside a regulated institution, a trading anomaly or a fraud model failure that makes the news, will compress the timeline overnight, and the firms that stood up the Center of Excellence before the incident will be in a completely different conversation than the ones who waited for the rules to tell them what to build. The ones who build ahead carry the cost of building. The ones who wait carry the cost of the incident, plus building under pressure, plus having been caught unprepared.
None of this is complicated. Treat AI-generated code as a different category of artifact than human-written code, give it a cross-functional owner, decide early what you centralize and what you federate, and prove the model on one system before you are forced to build it across all of them under a regulator’s clock.
So let me hand it to you. If a regulator walked into your shop tomorrow and asked who owned the logic in your last AI-generated release, would your Center of Excellence have the answer, or would you still be standing one up after the fact? Build it now, on your timeline, while it is still cheap.
Keep Growing.
Gunjan