AI-generated code subject to normal PR review
Demonstrate that AI-generated code is subject to mandatory peer review through the organization's pull request process before integration into protected branches.
Description
What this control does
This control requires that all source code generated by artificial intelligence tools (such as GitHub Copilot, ChatGPT, Amazon CodeWhisperer, or similar assistants) undergo the same peer review process as human-written code before merging into production branches. Developers must submit AI-generated code contributions through the standard pull request workflow, where designated reviewers examine logic, security vulnerabilities, licensing concerns, and adherence to coding standards. This ensures AI-assisted development does not bypass established quality gates that catch defects, injection flaws, hardcoded secrets, or insecure dependencies.
Control objective
What auditing this proves
Demonstrate that AI-generated code is subject to mandatory peer review through the organization's pull request process before integration into protected branches.
Associated risks
Risks this control addresses
- AI-generated code containing SQL injection, cross-site scripting, or other OWASP Top 10 vulnerabilities merges into production without human security review
- Hardcoded credentials, API keys, or tokens suggested by AI models are committed to repositories due to lack of oversight
- Licensing violations occur when AI-generated code incorporates copyleft or proprietary snippets without attribution or compliance review
- Logic errors or race conditions introduced by AI code generators propagate undetected into critical business functions
- Insecure dependencies or outdated libraries recommended by AI tools bypass supply chain security checks
- Developers over-trust AI suggestions and approve malicious or subtly flawed code patterns that evade automated scanning
- Regulatory non-compliance when AI-generated code handling sensitive data (PII, PHI, PCI) lacks manual validation of privacy controls
Testing procedure
How an auditor verifies this control
- Identify all source code repositories and version control systems in scope, documenting branch protection policies for production and staging branches
- Obtain exports of branch protection rules for main/master/production branches, verifying that pull request reviews are mandatory before merge
- Select a representative sample of 15-20 merged pull requests from the past 90 days across different teams and repositories
- Interview developers and review developer guidelines or acceptable use policies to confirm whether AI coding assistants are permitted and documented
- Examine commit metadata, pull request descriptions, and comments in the sample to identify cases where developers disclosed use of AI tools or where code patterns suggest AI generation
- For each identified AI-assisted pull request, verify that at least one human reviewer approved the change and that review comments address security, logic, or quality concerns
- Review pull request automation logs or GitHub Actions / GitLab CI / Bitbucket Pipelines configurations to confirm static analysis and security scanning tools run on all pull requests regardless of authorship method
- Test enforcement by attempting to push directly to a protected branch or create a pull request without required reviewers, confirming the system blocks or flags the action
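The procedure above can be partly mechanised once the branch protection export and the pull request sample are in hand. The following script is an added example, not part of this control's text or any platform's tooling: it reads a constructed branch protection rule and a constructed sample of merged pull requests, flags settings that would let code skip review, identifies pull requests whose description, commit messages or comments disclose an AI assistant, and reports any such pull request that lacks an approval from a human who is not the author. The field names loosely follow a GitHub REST export but are an assumption, as is the disclosure pattern; both should be adapted to the organisation's own export and disclosure convention.

```python
"""Audit helper for the testing procedure: checks an exported branch
protection rule and a sample of merged pull requests for (a) mandatory
review settings and (b) at least one human, non-author approval on every
pull request that discloses AI assistance.

All input data below is constructed for illustration. Field names follow
the rough shape of a GitHub REST export but are an assumption, not the
platform's exact schema."""

from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed export of a branch protection rule (hypothetical values).
PROTECTION_RULE = {
    "branch": "main",
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": False,
    },
    "enforce_admins": False,  # administrators may bypass review -> finding
    "allow_force_pushes": False,
    "required_status_checks": {"contexts": ["sast", "dependency-scan"]},
}

# Assumed disclosure convention: tool names or an "AI-assisted" phrase in
# the PR text. Extend this to the organisation's own trailer or label.
AI_DISCLOSURE = re.compile(
    r"\b(copilot|chatgpt|codewhisperer|ai[- ]assist(ed|ant)|generated (by|with) ai)\b",
    re.IGNORECASE,
)
BOT_SUFFIX = "[bot]"


@dataclass
class PullRequest:
    number: int
    author: str
    description: str
    commit_messages: list[str]
    approvals: list[str]  # logins that left an APPROVED review
    comments: list[str] = field(default_factory=list)


def check_branch_protection(rule: dict) -> list[str]:
    """Return findings for settings that would let code reach the branch unreviewed."""
    findings = []
    branch = rule["branch"]
    reviews = rule.get("required_pull_request_reviews")
    if not reviews or reviews.get("required_approving_review_count", 0) < 1:
        findings.append(f"{branch}: pull request review not required")
    if not rule.get("enforce_admins", False):
        findings.append(f"{branch}: administrators may bypass review")
    if rule.get("allow_force_pushes", False):
        findings.append(f"{branch}: force pushes allowed")
    if not rule.get("required_status_checks", {}).get("contexts"):
        findings.append(f"{branch}: no required status checks (SAST / dependency scan)")
    return findings


def is_ai_disclosed(pr: PullRequest) -> bool:
    """True when the description, a commit message, or a comment discloses AI use."""
    texts = [pr.description, *pr.commit_messages, *pr.comments]
    return any(AI_DISCLOSURE.search(t) for t in texts)


def human_approvals(pr: PullRequest) -> list[str]:
    """Approvals that count toward the control: not a bot account, not self-approval."""
    return [a for a in pr.approvals if not a.endswith(BOT_SUFFIX) and a != pr.author]


def audit_pull_requests(prs: list[PullRequest]) -> dict:
    """Classify the sample; AI-disclosed PRs without a human approval are findings."""
    result: dict = {"ai_disclosed": [], "findings": []}
    for pr in prs:
        if not is_ai_disclosed(pr):
            continue
        result["ai_disclosed"].append(pr.number)
        if not human_approvals(pr):
            result["findings"].append(
                f"PR #{pr.number}: AI-assisted change merged without human, non-author approval"
            )
    return result


# Constructed sample of merged pull requests.
SAMPLE_PRS = [
    PullRequest(101, "alice", "Refactor billing export. Drafted with GitHub Copilot.",
                ["refactor: billing export"], ["bob"]),
    PullRequest(102, "carol", "Add retry wrapper",
                ["feat: retry wrapper\n\nAI-assisted: ChatGPT"], ["carol", "dependabot[bot]"]),
    PullRequest(103, "dave", "Fix typo in README", ["docs: typo"], ["erin"]),
]

if __name__ == "__main__":
    for finding in check_branch_protection(PROTECTION_RULE) + audit_pull_requests(SAMPLE_PRS)["findings"]:
        print("FINDING:", finding)
```

On the constructed data the script reports two findings: the branch rule lets administrators bypass review, and PR #102 discloses AI assistance but its only approvals are a self-approval and a bot, neither of which satisfies the control. PR #101 is AI-disclosed and correctly approved; PR #103 carries no disclosure and is left for the reviewer's pattern-based judgement described in the procedure.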
Where this control is tested