AI-Generated Code and Open-Source License Compliance
Establish controls to identify, track, and manage open-source license obligations and supply chain risks introduced by AI-generated code before it is committed to production systems.
Objective
Prevent AI-assisted development workflows from inadvertently introducing open-source license violations, copyleft obligations, or supply chain risks into production codebases.
Maturity Levels
Initial
AI-generated code is not reviewed for license implications; no policy covers its use in production.
Developing
A policy exists stating developers should not commit AI-generated code with license concerns, but enforcement is manual and inconsistent.
Defined
AI-generated code commits are scanned for license indicators using automated tooling; a review process applies to flagged code before merge.
Managed
License scanning results are tracked by project; developers are trained on common AI code generation license risks; scan results feed into the software composition analysis (SCA) workflow.
Optimizing
AI-generated code is labeled at commit time; license obligations are tracked from generation through production; legal review is automatically triggered for high-risk license detections.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- AI-generated code policy document covering permissible use, review requirements, and license handling
- SCA scan configuration showing AI-generated code is included in automated license scanning
- Commit convention or PR template requiring AI assistance disclosure
- Training records for development teams on AI code generation license risks
- Legal review records for flagged code segments
Implementation Notes
Key steps
- Establish a policy that addresses AI-generated code specifically: who may use AI coding tools, what review is required before committing AI output, and how to handle uncertainty about code provenance.
- Integrate AI-generated code into your existing software composition analysis (SCA) workflow — if you scan for open-source licenses in production, AI-generated code should go through the same scan.
- Require developers to flag AI-assisted commits (e.g. via commit message convention or PR template); this creates an audit trail for license review.
- Train development teams on the specific license risks in AI-generated code: models may reproduce code from GPL, LGPL, or other copyleft repositories that appeared in their training data.
- Define a legal review trigger: code segments above a defined length or with license scan matches should require legal sign-off before production merge.
Example Implementation
B2B SaaS company with 40-person engineering team actively using AI coding assistants
AI-Generated Code Policy — Engineering Handbook §7.3
All code generated or substantially assisted by AI coding tools (GitHub Copilot, Claude, ChatGPT, Cursor, etc.) must:
- Be flagged in the PR description using the tag [AI-assisted]
- Pass the standard SCA scan before merge — AI-generated code is not exempt
- Obtain sign-off from Legal before merge if the scan flags a potential GPL or LGPL match on any segment >10 lines
- Not include verbatim copied blocks >25 lines without a comment identifying the source and verifying license
Unacceptable: Committing AI output without review, using AI tools to generate code in security-sensitive modules without additional review, or omitting the [AI-assisted] tag to avoid review.
Resources: License risk guide in Engineering Wiki › AI Tooling › License Compliance
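One way to turn the §7.3 rules into an automated merge gate, as an added example that is not part of the handbook or of any SCA product: the PR description, file contents and SCA match list are constructed inline, and the match record layout and the `# source:` attribution comment convention are assumptions.

```python
import re
from dataclasses import dataclass

AI_TAG = "[AI-assisted]"
COPYLEFT = {"GPL-2.0", "GPL-3.0", "LGPL-2.1", "LGPL-3.0"}
LEGAL_LINES = 10       # §7.3: copyleft match on a segment >10 lines needs Legal sign-off
SOURCE_LINES = 25      # §7.3: verbatim block >25 lines needs a source/license comment
SOURCE_RE = re.compile(r"#\s*(source|origin|copied from)\b", re.I)  # assumed convention

@dataclass
class Match:
    """One snippet match from the SCA tool (hypothetical output format)."""
    path: str
    start: int          # 1-based first line of the matched segment
    end: int            # 1-based last line (inclusive)
    license: str
    verbatim: bool      # True when the tool reports an exact copy

def evaluate(description, files, matches):
    """Apply the §7.3 gate; files maps path -> content. Returns (findings, legal_required)."""
    findings, needs_legal = [], False
    if AI_TAG not in description:
        findings.append("PR description lacks the [AI-assisted] tag")
    for m in matches:
        n = m.end - m.start + 1
        where = f"{m.path}:{m.start}-{m.end}"
        if m.license in COPYLEFT and n > LEGAL_LINES:
            needs_legal = True
            findings.append(f"{where}: {m.license} match over {n} lines; Legal sign-off required")
        if m.verbatim and n > SOURCE_LINES:
            lines = files[m.path].splitlines()
            # The attribution comment must sit in the three lines directly above the block.
            above = lines[max(0, m.start - 4):m.start - 1]
            if not any(SOURCE_RE.search(l) for l in above):
                findings.append(f"{where}: verbatim block of {n} lines without a source/license comment")
    return findings, needs_legal

# Constructed sample: one PR that trips both thresholds, one that complies.
BAD_FILE = "\n".join(f"x{i} = {i}" for i in range(40))
GOOD_FILE = "# source: github.com/example/lib (MIT), license verified\n" + BAD_FILE
BAD_PR = ("[AI-assisted] add parser", {"parser.py": BAD_FILE},
          [Match("parser.py", 1, 14, "GPL-3.0", False), Match("parser.py", 5, 34, "MIT", True)])
GOOD_PR = ("[AI-assisted] add parser", {"parser.py": GOOD_FILE},
           [Match("parser.py", 2, 31, "MIT", True), Match("parser.py", 2, 9, "LGPL-2.1", False)])

if __name__ == "__main__":
    for pr in (BAD_PR, GOOD_PR):
        findings, legal = evaluate(*pr)
        print("BLOCK" if findings else "PASS", "legal=" + str(legal), findings)
```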
