AI Governance in the DLC

AI governance in the DLC ensures that AI-assisted development is deliberate, reviewable, and traceable — not a free-for-all. Every ARC includes an AI governance section, and every phase has AI-specific checkpoints.

  1. AI assists, humans decide. The AI generates artifacts and code, but engineers make architectural and business decisions.
  2. AI-generated code gets equal review rigor. No special passes for “the AI wrote it.”
  3. AI understanding is verified before construction. The AI Validation step proves the AI can correctly interpret constraints before enforcing them.
  4. Boundaries are explicit. The ARC defines where AI can and can’t generate code.
The AI-specific checkpoints run through every phase:

  • AI facilitates conversation, but humans provide all business context
  • Artifacts capture human decisions, not AI suggestions
  • Research workflows (market, domain, technical) provide AI-gathered context that humans evaluate
  • The ARC’s AI Governance section defines:
    • Which code paths can be AI-generated
    • Which require human authoring
    • Review requirements for AI-produced code
    • Testing requirements specific to AI-generated artifacts
  • AI Validation (cat-ai-validation) produces evidence that the AI understands the ARC
  • Marcus (Developer agent) enforces ARC constraints during bolt execution
  • Code review explicitly checks AI governance compliance
  • AI-generated code is marked and tracked in review artifacts, so reviewers know what was generated
  • The ARC adherence check verifies that the AI governance rules were followed
  • The Compliance Report includes AI governance as a specific control

Every ARC should include:

```markdown
## AI Governance
### Code Generation Boundaries
- AI MAY generate: API endpoint handlers, unit tests, data models
- AI MUST NOT generate: Authentication logic, cryptographic operations
- AI MAY generate with mandatory human review: Database migration scripts
### Review Requirements
- All AI-generated code MUST be reviewed by a human developer
- AI-generated security-sensitive code MUST have a second reviewer
### Testing
- AI-generated code MUST have unit test coverage ≥ 80%
- AI-generated integration points MUST have integration tests
```
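To make the template concrete, here is an added example (not the DLC's own tooling) of the kind of adherence check that the review artifacts above make possible: each changed file is recorded with its origin (AI or human), its reviewers and its test coverage, and the check evaluates that manifest against the template's boundaries. The path globs, the `Change` manifest fields, the `admin*` security-sensitive pattern and the default-deny treatment of AI code outside every declared boundary are assumptions made for this illustration; the MAY / MUST NOT / second-reviewer / 80% rules come straight from the template.

```python
"""Illustrative ARC adherence check for the AI Governance section.

Added example, not the DLC's own tooling. The path globs, the manifest
format and the security-sensitive pattern are assumptions for the demo.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Code Generation Boundaries from the ARC template, tied to an assumed repo layout.
BOUNDARIES = {
    "api/handlers/*": "may",               # API endpoint handlers
    "models/*": "may",                     # data models
    "tests/unit/*": "may",                 # unit tests
    "auth/*": "must_not",                  # authentication logic
    "crypto/*": "must_not",                # cryptographic operations
    "db/migrations/*": "may_with_review",  # database migration scripts
}
# Paths whose AI-generated changes need a second reviewer (assumed for this example).
SECURITY_SENSITIVE = ("auth/*", "crypto/*", "api/handlers/admin*")
MIN_COVERAGE = 80.0  # "unit test coverage >= 80%" from the template


@dataclass
class Change:
    """One changed file as recorded in the review artifact (assumed schema)."""
    path: str
    origin: str                     # "ai" or "human"
    reviewers: list = field(default_factory=list)
    coverage: float = 0.0           # unit test coverage of the file, in percent
    integration_point: bool = False
    integration_tested: bool = False


def classify(path):
    """Return the boundary rule for a path, or None if no boundary covers it."""
    for glob, rule in BOUNDARIES.items():
        if fnmatch(path, glob):
            return rule
    return None


def check_change(c):
    """Return the governance findings for one change (empty list = compliant)."""
    if c.origin != "ai":
        return []  # human-authored code follows the normal review path
    problems = []
    rule = classify(c.path)
    if rule is None:
        # Not listed as MAY or MUST NOT: refuse rather than assume it was allowed.
        problems.append("outside every declared boundary (default deny)")
    elif rule == "must_not":
        problems.append("AI MUST NOT generate this code path")
    if not c.reviewers:
        problems.append("no human reviewer recorded")
    if any(fnmatch(c.path, g) for g in SECURITY_SENSITIVE) and len(c.reviewers) < 2:
        problems.append("security-sensitive: second reviewer required")
    if c.coverage < MIN_COVERAGE:
        problems.append(f"unit coverage {c.coverage:.0f}% < {MIN_COVERAGE:.0f}%")
    if c.integration_point and not c.integration_tested:
        problems.append("integration point without integration tests")
    return [f"{c.path}: {p}" for p in problems]


def check_manifest(changes):
    """Run the check over a whole review manifest and collect every finding."""
    findings = []
    for c in changes:
        findings.extend(check_change(c))
    return findings


# Constructed review manifest for a single bolt (sample data, not a real review).
SAMPLE = [
    Change("api/handlers/orders.py", "ai", ["alice"], 91.0, True, True),
    Change("auth/session.py", "ai", ["alice", "bob"], 95.0),
    Change("api/handlers/admin_users.py", "ai", ["alice"], 90.0),
    Change("db/migrations/0042_add_index.sql", "ai", ["alice"], 100.0),
    Change("models/order.py", "ai", [], 72.0),
    Change("crypto/kdf.py", "human", ["bob"], 60.0),
    Change("billing/invoice.py", "ai", ["alice"], 88.0, True, False),
]

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE):
        print(finding)
```

Running it against the sample manifest flags the AI-written session code (a MUST NOT path even though two people reviewed it), the admin handler with only one reviewer, the unreviewed and under-tested model, and the billing change that no boundary mentions; the human-written `crypto/kdf.py` is left to the ordinary review path. The default-deny branch is the one choice worth carrying into a real implementation: an ARC that forgets to mention a code path should block AI generation there, not silently permit it.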

Without explicit AI governance:

  • AI might generate code that works but violates security constraints
  • No one knows which code was AI-generated vs human-written
  • Review shortcuts accumulate because “the AI probably got it right”
  • Compliance audits have blind spots around AI involvement

The DLC makes AI governance a first-class concern, not an afterthought.


See Also: What Is an ARC? · Architecture Phase · Compliance Controls