Approved AI coding assistants list
Demonstrate that the organization maintains a current, approved list of AI coding assistants and enforces restrictions on unapproved tools within the development environment.
Description
What this control does
This control establishes and maintains an organization-approved list of AI coding assistants (such as GitHub Copilot, Amazon CodeWhisperer, or Tabnine) that developers are authorized to use for software development activities. The list defines which tools have been vetted for security, data handling, licensing compliance, and integration with the organization's development pipeline. Maintaining this list prevents the introduction of unapproved AI tools that may exfiltrate proprietary code, introduce insecure code patterns, or violate intellectual property policies.
Control objective
What auditing this proves
Demonstrate that the organization maintains a current, approved list of AI coding assistants and enforces restrictions on unapproved tools within the development environment.
Associated risks
Risks this control addresses
- Exfiltration of proprietary source code or trade secrets to third-party AI service providers without adequate contractual protections or data residency controls
- Introduction of insecure, vulnerable, or license-incompatible code suggestions from unvetted AI models into production applications
- Shadow IT proliferation where developers use personal or free-tier AI coding tools that bypass organizational security monitoring and logging
- Intellectual property contamination where AI assistants trained on public repositories suggest code that violates licensing requirements or introduces legal liability
- Lack of accountability and audit trails when unapproved AI tools generate code without logging or attribution mechanisms
- Data leakage through AI assistant telemetry, prompt history, or cloud-based processing of sensitive code fragments to vendors with unclear data retention policies
- Inconsistent code quality and security posture when developers use disparate AI tools with varying capabilities for vulnerability detection and secure coding patterns
Testing procedure
How an auditor verifies this control
- Obtain the current approved AI coding assistants list from IT Security, DevSecOps, or Development Standards documentation repositories.
- Verify the list includes tool names, approved versions, licensing tier (enterprise vs. personal), vendor name, approval date, and designated tool owner or sponsor.
- Review the approval criteria documentation to confirm tools are evaluated for security, data handling, IP protection, contractual terms, and integration requirements before approval.
- Sample 15-20 developer workstations and CI/CD pipeline configurations to identify installed or integrated AI coding assistant tools through IDE plugin inventories, browser extension scans, and package manifests.
- Cross-reference discovered tools against the approved list to identify any unapproved AI coding assistants in active use.
- Interview 5-8 developers and engineering managers to assess awareness of the approved tools list, restrictions on unapproved tools, and processes for requesting new tool evaluations.
- Examine endpoint detection and response (EDR) or software asset management (SAM) logs for evidence of monitoring and alerting on installation of unapproved AI coding tools.
- Review change control or exception records from the past 12 months to verify that any deviations from the approved list were formally documented, risk-assessed, and time-limited.
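As an added example that is not part of this control text, the following script shows how an auditor could automate the inventory cross-reference steps above: it parses a constructed IDE extension inventory (one line per host in the `code --list-extensions --show-versions` id@version format) against a constructed approved list and flags unapproved tools, unapproved versions and non-enterprise licensing tiers. Hostnames, extension ids, versions and tiers are hypothetical sample values, not any organization's real list.

```python
from dataclasses import dataclass

# Constructed approved list: extension id -> approved versions and licensing tier.
# Identifiers and versions are hypothetical sample values, not a real organization's list.
APPROVED = {
    "github.copilot": {"versions": {"1.200.0", "1.210.0"}, "tier": "enterprise"},
    "amazonwebservices.aws-toolkit-vscode": {"versions": {"3.1.0"}, "tier": "enterprise"},
}
# Extension ids recognised as AI coding assistants, approved or not (hypothetical values).
AI_ASSISTANT_IDS = set(APPROVED) | {"tabnine.tabnine-vscode", "codeium.codeium"}

# Constructed inventory: "<host>\t<publisher.ext>@<version>\t<tier>"; the middle field
# follows the `code --list-extensions --show-versions` output format.
SAMPLE_INVENTORY = """\
dev-ws-01\tgithub.copilot@1.210.0\tenterprise
dev-ws-01\tms-python.python@2024.4.1\tn/a
dev-ws-02\tgithub.copilot@1.150.0\tenterprise
dev-ws-03\ttabnine.tabnine-vscode@3.6.0\tfree
dev-ws-04\tgithub.copilot@1.210.0\tpersonal
"""

@dataclass(frozen=True)
class Finding:
    host: str
    extension: str
    reason: str

def parse_inventory(text):
    """Yield (host, extension_id, version, tier); blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or "@" not in parts[1]:
            continue
        ext, _, version = parts[1].rpartition("@")
        yield parts[0], ext.lower(), version, parts[2].lower()

def audit(text):
    """Cross-reference discovered extensions against APPROVED; return audit findings in order."""
    findings = []
    for host, ext, version, tier in parse_inventory(text):
        if ext not in AI_ASSISTANT_IDS:
            continue  # not an AI coding assistant, so out of scope for this control
        if ext not in APPROVED:
            findings.append(Finding(host, ext, "unapproved AI coding assistant"))
        elif version not in APPROVED[ext]["versions"]:
            findings.append(Finding(host, ext, f"unapproved version {version}"))
        elif tier != APPROVED[ext]["tier"]:
            findings.append(Finding(host, ext, f"{tier} tier in use, {APPROVED[ext]['tier']} required"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.extension}: {f.reason}")
```

Each finding maps to a deviation that should either appear in the exception records reviewed in the last step or be raised as an audit exception.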
Where this control is tested