Skip to main content

Documentation Index

Fetch the complete documentation index at: https://www.aidonow.com/llms.txt

Use this file to discover all available pages before exploring further.

Executive Summary

The proliferation of AI-assisted software development has surfaced a consequential policy question for engineering organizations: to what degree should code artifacts generated with AI assistance be attributed, labeled, or otherwise distinguished from human-authored code. This paper presents a structured evaluation of the arguments for and against disclosure, examines five disclosure levels across key dimensions including legal risk, maintainability, and review quality, and provides a practical framework for organizations designing AI attribution policy. The central finding is that the binary framing of “label versus do not label” is analytically insufficient. Attribution policy should be designed against specific organizational goals — review quality, legal compliance, maintenance context, or regulatory readiness — because different goals require different disclosure mechanisms. The most broadly applicable approach combines commit-level attribution with design documentation, while avoiding code-level comments that introduce stigma and maintenance overhead without proportionate benefit.

Key Findings

  • Attribution policy goals are not interchangeable. Disclosure mechanisms optimized for legal compliance differ structurally from those optimized for review quality. Organizations that adopt a single policy without specifying the goal it serves will find it inadequate for multiple stakeholder groups simultaneously.
  • Code-level AI labels create measurable review bias without improving defect detection rates. Attribution in code comments changes reviewer behavior (increased scrutiny of labeled code) without a corresponding improvement in defect catch rates when robust test suites are present.
  • The definition of “AI-generated code” is operationally ambiguous. Attribution policy must specify a threshold for what level of AI assistance triggers disclosure, ranging from line-level autocomplete to multi-agent system design, or it will be inconsistently applied.
  • Commit-level attribution via the Co-Authored-By convention provides audit trail benefits with minimal stigma risk. This mechanism records AI involvement in the version history without making individual functions or files identifiable as AI-generated in the working code.
  • Validation quality is a more reliable correctness signal than authorship. A codebase section with 85%+ test coverage and passing verification represents a stronger quality guarantee than authorship attribution provides, regardless of whether a human or AI generated it.
  • Regulatory trends suggest AI disclosure requirements may become mandatory in safety-critical domains. Organizations in medical device, financial systems, and safety-critical infrastructure development should establish audit-ready attribution practices now rather than retrofit them in response to regulation.

1. The Attribution Policy Problem

Engineering organizations adopting AI-assisted development encounter a question that existing software development norms do not answer: when AI systems generate substantial portions of production code, what disclosure obligations — formal or informal — apply? The question is not abstract. Consider the following representative scenario: a multi-agent workflow produces 2,364 lines of AWS client factory code over three days. The commit history records Co-Authored-By attribution. The code has 39 passing tests and has operated in production without defects. The architecture was derived from a constraint analysis of an Architecture Decision Record. Six months later, a maintainer discovers a missing optimization — credential caching for STS assume-role calls, omitted because AI systems lack the production experience that reveals 200–500ms latency penalties from assume-role invocations. The question the maintainer faces is: was the omission an intentional design decision, or a capability boundary of the AI system that generated the code? Attribution policy exists to answer questions like this one. Designing policy without specifying which questions it must answer produces policy that satisfies no stakeholder group adequately.

2. Arguments Supporting AI Code Attribution

2.1 Code Review Quality and Failure Mode Awareness

The argument from review quality holds that code reviewers apply different mental models to different failure mode profiles. AI-generated code exhibits failure patterns that differ from human-authored code: humans produce typographic errors and forgotten edge cases; AI systems produce hallucinated API members, invented error variants, and plausible-but-incorrect assumption chains. A representative example from production code review: 
// AI hallucinated this error variant
pub enum CrmError {
    CrossCapsuleAccess,  // Never actually thrown anywhere
    InvalidTenantId,     // Checked for, but never occurs
}
A reviewer spent 30 minutes tracing the origin of CrossCapsuleAccess before determining it was a hallucinated variant with no corresponding throw site. Attribution that signaled AI generation might have prompted the reviewer to specifically audit error variant provenance, potentially reducing this investigation time. The counter-argument — that reviewers should verify every error variant regardless of authorship — is valid but sets an unrealistic standard for review practice. In practice, review depth is calibrated to perceived risk, and perceived risk is influenced by author credibility signals.

2.2 Maintenance Context and Design Intent Preservation

Attribution enables future maintainers to frame debugging and refactoring strategy appropriately. Consider the following annotated code: 
// Generated by Claude Sonnet 4.5 analyzing ADR-0010
// Pattern: Scope-based client factory for multi-tenant isolation
impl AwsClientFactory {
    pub fn capsule_dynamodb(&self, capsule: &Capsule) -> CapsuleClient<DynamoDbClient> {
        // AI discovered this pattern from architecture constraints
        CapsuleClient::new(self.config.clone(), capsule.clone())
    }
}
The annotation conveys that the pattern was not manually specified but derived from constraint analysis of ADR-0010. A maintainer who encounters this code without the annotation may refactor the pattern without consulting the ADR, losing the constraint-based derivation that justifies its structure. The legal framework governing AI-generated code ownership remains unsettled across jurisdictions. Current platform terms from major providers (e.g., GitHub Copilot’s terms asserting user ownership of generated output) may be superseded by regulatory action, litigation outcomes, or evolving interpretations of training data provenance. Organizations that maintain explicit attribution records are better positioned to respond to licensing inquiries, training data disputes, or disclosure requirements should the legal landscape change. Establishing attribution practices before they are required is less operationally disruptive than retrofitting them in response to external mandate.

2.4 Regulatory Readiness in Safety-Critical Domains

Regulatory discussions in medical device software, financial systems, and safety-critical infrastructure are beginning to address AI disclosure requirements. The relevant questions regulators are likely to ask include:
  • Was diagnostic or control logic generated by an AI system?
  • What human validation was applied to AI-generated safety-critical components?
  • Is there an audit trail establishing the provenance of risk-bearing code?
Organizations in these domains should consider whether their current attribution practices would satisfy a regulatory inquiry, and adjust policy accordingly.

3. Arguments Against AI Code Attribution

3.1 Authorship Is Not a Valid Quality Signal When Validation Is Present

The fundamental engineering objection to AI code attribution is that authorship is not the appropriate basis for quality assessment. Code quality is determined by correctness, test coverage, adherence to specifications, and maintainability — none of which are functions of authorship. The following comparison illustrates this point:
CharacteristicWeek 5: Human-Designed FeatureWeek 6: AI-Designed Client Factory
Design originHuman architectAI constraint analysis from ADR
ImplementationAI-assisted following human designAI multi-agent workflow
Test results30 commits, cascading errors, 24-hour debug sessionZero production defects
Production incidentsMultipleNone
The Week 5 failure originated from a flawed human design that AI faithfully implemented. The Week 6 success originated from AI design reviewed and approved by a human. Neither attribution label would have improved the outcome. The design quality was the determinant, not the authorship.

3.2 Attribution Creates Two-Tier Review Standards

If AI-generated code receives elevated review scrutiny by convention, organizations create a structural inequity: developers who use AI assistance face higher review burdens than developers who do not, for code of equivalent quality. This dynamic produces a set of predictable behavioral responses:
  1. Developers stop disclosing AI assistance to avoid elevated scrutiny
  2. Co-Authored-By attribution is suppressed
  3. Organizational visibility into AI tool adoption decreases
  4. The transparency objective that motivated attribution policy is undermined
The policy intended to increase transparency produces decreased transparency as a second-order effect.

3.3 The Attribution Boundary Problem

Establishing a coherent attribution policy requires defining a threshold for what level of AI involvement triggers disclosure. This threshold problem has no clean resolution:
Tool: GitHub Copilot suggests next line
// I type: "let client = "
// Copilot suggests: "factory.capsule_dynamodb(&capsule);"
// I press Tab
Question: Is this AI-generated? Or is it like an IDE refactoring suggestion?Precedent: We do not label “written with IntelliJ autocomplete.”
Tool: Copilot generates entire function from comment
// Validate capsule isolation boundaries
pub fn validate_pk(&self, pk: &str) -> Result<()> {
    // ... 15 lines of AI-generated validation logic
}
Question: Do I label the function? The file? The commit?Grey area: I wrote the signature and docstring. AI filled in implementation.
Workflow:
  • Evaluator (AI) analyzes ADR, proposes architecture
  • I review, approve design
  • Builder (AI) implements 2,364 lines
  • Verifier (AI) writes 39 tests
  • I review, request changes
  • Builder fixes issues
  • I merge
Question: Who authored this? Me? Claude? “Co-authored”?My commit message:
feat(aws-runtime): add scope-based client factory

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Is this sufficient disclosure?
Original code: Written by me, 600 lines of client creation boilerplateAI migration: Refactored to use new factory patternQuestion:
  • Original authorship: Human (me)
  • Refactoring: AI
  • git blame now shows: AI as last editor
  • Should it say “AI refactor of human code”?
The mess: git history shows author, but refactor changed everything.
Any attribution policy that does not specify threshold criteria for each of these scenarios will be applied inconsistently across the organization, producing audit trails with uneven reliability.

4. The Disclosure Spectrum: A Comparative Framework

Rather than a binary choice between disclosure and non-disclosure, organizations should select a disclosure level from a spectrum based on the specific objective the policy serves.
Approach: Treat AI-generated code as your own.Pros:
  • No stigma
  • Code judged on merit
  • No “what counts as AI” debates
Cons:
  • Loses attribution
  • May violate team policy
  • Hides collaboration context
When to use: Autocomplete-level assistance
The following table maps disclosure levels to organizational objectives:
ObjectiveRecommended LevelRationale
Legal audit trailLevel 1 (Commit)git history is auditable and durable
Maintenance context for AI-discovered patternsLevel 2 (Documentation)ADRs capture design rationale without cluttering code
Regulatory compliance (safety-critical)Level 3–4Visible, auditable, isolated
Reviewer bias eliminationLevel 0–1Code should be evaluated on merit
Organizational AI usage trackingLevel 1 (Commit)Aggregate analysis of Co-Authored-By frequency
Experimental feature isolationLevel 4Clear separation for unvalidated AI exploration
Applying Level 3 or Level 4 disclosure to production code that has been thoroughly validated imposes maintenance overhead and stigma cost without providing a corresponding quality benefit. Reserve visible code-level attribution for contexts where regulatory requirements mandate it or where code has not yet been subject to verification.
The following practice reflects the balance of considerations presented above and is appropriate for most engineering organizations at current AI adoption levels. 5.1 Commit-Level Attribution Every commit incorporating substantial AI assistance should include: 
feat(domain): add feature description

[Detailed explanation of what changed and why]

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This practice records AI involvement in the durable version history without marking individual code artifacts and without creating the review bias that code-level labels introduce. 5.2 Design Documentation for AI-Discovered Patterns When AI analysis derives an architectural pattern from constraint analysis rather than manual specification, the design documentation should record this: 
## Implementation Strategy

Used multi-agent AI workflow to implement this design:
- Evaluator analyzed ADR-0010 constraints
- Builder generated scope-based client types
- Verifier confirmed isolation enforcement

The client API design emerged from constraint analysis,
not manual specification.
This context is valuable for maintainers who need to understand why a pattern takes the form it does. It belongs in design documentation rather than code comments because design rationale ages better in documentation than inline, and because it does not create per-commit stigma in code review workflows.
When introducing commit-level attribution practice to an existing engineering team, begin with a specific definition of what constitutes “substantial AI assistance” to avoid inconsistent application. A practical threshold: any session in which AI generated more than 50 lines of code that were merged without complete human rewriting. This threshold is adjustable; the important property is that it is documented and consistently applied.
5.3 Review Process Independent of Attribution The review process applied to AI-generated code should be determined by the validation coverage of the code, not by its authorship. The appropriate standard is:
  1. Implement the feature (Builder role)
  2. Apply the same review scrutiny as would be applied to code from an unfamiliar contributor (high scrutiny, not assumed competence)
  3. Require test coverage meeting the organizational standard before merge
  4. Verify that AI did not hallucinate requirements or introduce unspecified behavior
The reviewer does not require knowledge of authorship to perform this function. The validation standard is the same regardless. 5.4 What to Avoid Code-level attribution markers in production codebases should not be used in the general case: 
// AI-generated - review carefully

#[ai_generated]
pub fn validate_pk() { }

src/
  manual/     # Human code
  ai/         # AI code (don't mix!)
These practices introduce maintenance overhead, create review bias, and impose architectural constraints that do not serve engineering quality goals. The exception is safety-critical domains with explicit regulatory requirements for AI code disclosure.

6. Forward-Looking Considerations

6.1 The Reliability Inversion Current discourse assumes that AI-generated code requires elevated scrutiny relative to human-authored code. This assumption rests on the present capability level of AI systems. As AI reliability improves — producing lower defect rates, more consistent adherence to specifications, and superior edge case coverage — the scrutiny differential may invert. Organizations should design attribution policies that can accommodate this inversion without requiring structural redesign. 6.2 The Normalization Trajectory The trajectory of tool assistance in software development follows a consistent normalization pattern. IDE autocomplete, compiler optimization, and code formatters were each subjects of disclosure discussion at adoption. None are disclosed today. AI-assisted development is likely to follow the same normalization trajectory within a five-year horizon. Attribution policies designed for the current transitional period should be reviewed regularly as normalization advances. 6.3 The Validation Standard as the Durable Signal Regardless of attribution policy evolution, the durable quality signal is validation coverage: test suite completeness, verification against requirements, and human review of logic. Organizations that focus policy effort on improving validation quality will achieve better outcomes than organizations that focus primarily on attribution mechanics. Attribution records are historical metadata. Validation results are present-tense quality evidence.

7. Recommendations

Recommendation 1: Define the objective before designing attribution policy. Specify whether the policy is intended to serve legal compliance, maintenance context, review quality, or regulatory readiness. Design the disclosure level to serve that objective, not attribution as an end in itself. Recommendation 2: Adopt commit-level attribution (Level 1) as the organizational baseline. The Co-Authored-By convention provides an auditable record of AI involvement without code-level stigma. It is the minimum viable attribution practice for any organization using AI assistance at scale. Recommendation 3: Supplement commit attribution with design documentation for architecturally significant AI-generated patterns. When AI analysis discovers or derives a pattern from constraint analysis, record this in Architecture Decision Records or equivalent design documentation. This context serves maintenance goals that commit history alone does not satisfy. Recommendation 4: Do not apply code-level attribution labels to production code absent regulatory requirement. Code-level labels create review bias, maintenance overhead, and architectural noise without providing quality benefits that validation coverage does not already provide more reliably. Recommendation 5: Establish validation standards independent of authorship. Test coverage requirements, verification procedures, and review standards should be defined as functions of code risk level, not of authorship. Apply the same validation standard to AI-generated and human-generated code of equivalent criticality. Recommendation 6: Conduct a regulatory readiness assessment for safety-critical domains. Organizations developing medical device software, financial systems, or safety-critical infrastructure should assess current attribution practices against plausible future disclosure requirements and close gaps proactively.
These are personal experiences and opinions from personal projects. This paper does not constitute legal advice, employer policy, or industry standards. Requirements may differ significantly in regulated industries. Consult legal counsel for jurisdiction-specific compliance guidance.
All content represents personal learning from personal projects. Code examples are sanitized and generalized. No proprietary information is shared. Opinions are my own and do not reflect my employer’s views.