Why Is Code Provenance Non-Negotiable in the Age of AI?
As AI generates nearly half of all new code, knowing who—or what—is behind every commit has become the most critical question in software security. This article outlines why identity-based code provenance is the new cornerstone of the software supply chain.
How Much Code Is Being Written by AI?
The scale of AI-driven development is no longer a future prediction; it is a present-day reality. AI coding assistants are now a standard part of the developer workflow, generating a massive volume of code that is impossible to manually vet.
According to recent industry reports, 41% of all code is now AI-generated or AI-assisted, with 82% of developers using AI tools weekly. Tech giants are leading the charge, with 25% of Google's code and 30% of Microsoft's code being written by AI.
What Is the New Attack Surface in an AI-First World?
This explosion in code volume creates a new, massive attack surface. Traditional security tools focus on scanning for vulnerabilities after the code is written. The new risk lies in the commit itself: the moment unverified, potentially malicious code enters the repository.
The speed of AI makes manual code reviews for every line an impossibility. This is not a theoretical risk; software supply chain attacks are projected to cost organizations $60 billion in 2025. The average cost of a major supply chain attack, like SolarWinds, can be as high as 11% of a company's annual revenue.
Why Are SSH Keys and Git Insufficient for Modern Security?
The tools we use to manage code (cloud-based SaaS repositories and SSH) were designed for a world of human developers and are fundamentally broken for the age of AI.
They prove possession of a credential, not the identity of the committer. This creates a critical blind spot because:
- Git's Author Field is Unreliable: It can be easily spoofed.
- SSH Keys Prove Possession, Not Identity: A stolen key is indistinguishable from a legitimate developer.
- No Link to Corporate Identity: There is no native connection between a Git commit and a corporate identity provider like Okta or Azure AD.
What Is Code Provenance and Why Is It Now a Requirement?
In a world where you can't trust the origin of the code, you must be able to trust the identity of the committer. This is the principle of code provenance. It's not about stopping AI; it's about making it accountable. Every commit, whether written by a human or an AI, must be cryptographically signed and tied to a verified identity.
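The three blind spots listed above (a spoofable author field, keys that prove only possession, and no link to a corporate identity) and the requirement that every commit be signed and tied to a verified identity can be turned into a mechanical policy check. The script below is an added example, not code from the article or from any product it mentions. It consumes the output of a `git log` format string that reports the signature status (`%G?`) and the signer git attributes the signature to (`%GS`), and rejects any commit that is unsigned, has a signature that is not good, is signed by a principal absent from the identity directory, or whose author field does not match the identity the signature actually proves. The identity directory, the `git log` lines and the commit hashes are constructed sample data; the assumption is that commits are signed with SSH or GPG keys that git can verify (for SSH, via an `allowed_signers` file whose principals are corporate e-mail addresses).

```python
"""Commit provenance policy check over `git log` output (added example).

Run git with the format string below and feed the output to `audit()`:
    git log --format='%H%x1f%G?%x1f%GS%x1f%ae%x1f%an' origin/main..HEAD
Fields: commit hash, signature status, signer principal, author email, author name.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

FIELD_SEP = "\x1f"  # %x1f in the format string: a separator that never appears in names
GIT_LOG_FORMAT = "%H%x1f%G?%x1f%GS%x1f%ae%x1f%an"

# Corporate identity directory: signer principal (as git reports it in %GS)
# -> canonical identity e-mail. Constructed sample data for a hypothetical
# organisation; in practice this is exported from the identity provider.
DIRECTORY: Dict[str, str] = {
    "alice@example.com": "alice@example.com",
    "bob@example.com": "bob@example.com",
    "release-bot@example.com": "release-bot@example.com",  # a machine identity is fine if registered
}


@dataclass(frozen=True)
class Commit:
    sha: str
    sig_status: str    # %G?: G good, B bad, U good but untrusted key, X/Y expired, R revoked, E error, N none
    signer: str        # %GS: principal/user ID the signature verified against; empty when unsigned
    author_email: str  # %ae: the free-text author field, which anyone can set
    author_name: str   # %an


def parse_log(text: str) -> List[Commit]:
    """Split the separator-delimited git log output into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(FIELD_SEP)
        if len(parts) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        commits.append(Commit(*parts))
    return commits


def evaluate(commit: Commit, directory: Dict[str, str]) -> Optional[str]:
    """Return None if the commit satisfies the policy, otherwise the rejection reason."""
    if commit.sig_status == "N":
        return "unsigned"                      # author field alone proves nothing
    if commit.sig_status != "G":
        return f"signature not good (status {commit.sig_status})"  # bad, untrusted, expired, revoked
    identity = directory.get(commit.signer)
    if identity is None:
        return f"signer {commit.signer!r} not in identity directory"  # key with no corporate owner
    if commit.author_email.lower() != identity.lower():
        # A valid key used to sign a commit that claims a different author.
        return f"author field {commit.author_email!r} does not match signer identity {identity!r}"
    return None


def audit(text: str, directory: Dict[str, str]) -> Dict[str, str]:
    """Map each rejected commit hash to its reason; an empty dict means the range passes."""
    result = {}
    for commit in parse_log(text):
        reason = evaluate(commit, directory)
        if reason is not None:
            result[commit.sha] = reason
    return result


# Constructed sample log: one line per commit, placeholder hashes.
SAMPLE_LOG = "\n".join(FIELD_SEP.join(fields) for fields in [
    ("1111111", "G", "alice@example.com", "alice@example.com", "Alice Example"),      # passes
    ("2222222", "G", "release-bot@example.com", "release-bot@example.com", "Release Bot"),  # passes
    ("3333333", "N", "", "bob@example.com", "Bob Example"),                           # unsigned
    ("4444444", "G", "alice@example.com", "bob@example.com", "Bob Example"),          # author/signer mismatch
    ("5555555", "U", "someone@unknown.example", "someone@unknown.example", "Someone"),  # key not trusted
    ("6666666", "B", "alice@example.com", "alice@example.com", "Alice Example"),      # bad signature
])

if __name__ == "__main__":
    rejected = audit(SAMPLE_LOG, DIRECTORY)
    for sha, reason in rejected.items():
        print(f"REJECT {sha}: {reason}")
    print("policy result:", "FAIL" if rejected else "PASS")
```

Wire this into a pre-receive hook or a CI gate on the merge range and the repository refuses commits that fail any of the three checks. Note the limit the article itself points out: a signature made with a stolen key still verifies as the legitimate owner, so this check cannot tell the two apart; that gap is closed only by keeping the signing key in hardware and phishing-resistant, not by more verification logic.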
This is the core principle behind security frameworks like SLSA (Supply-chain Levels for Software Artifacts), which is now a de facto requirement for selling software to the U.S. government under Executive Order 14028. SLSA's Source Track specifically requires verifiable proof of who authored a change, a requirement that traditional tools cannot meet.
How Can Organizations Secure the AI-Driven Supply Chain?
The only way to secure the AI-driven software supply chain is to shift the security perimeter from the network to the individual identity. By ensuring every commit is signed with a hardware-backed, phishing-resistant credential tied to a verified identity, organizations can embrace the speed of AI without sacrificing security.
Learn more about Secure Code signing here or get a demo today to see how you can accelerate developer velocity while keeping your code base secure.
Frequently Asked Questions
Q: What is code provenance?
A: Code provenance is the verifiable, auditable history of where code came from. It answers the question of who wrote the code, when it was written, and how it has been modified. In the age of AI, it means having a cryptographic link between every commit and a verified human or machine identity.
Q: Why is SLSA important for software security?
A: SLSA (Supply-chain Levels for Software Artifacts) is a security framework designed to prevent tampering and improve the integrity of the software supply chain. It is becoming a standard for compliance, particularly for organizations that work with the U.S. government, as it provides a clear roadmap for securing software from development to deployment.
Q: How does AI impact software supply chain security?
A: AI accelerates code generation, which increases the volume of code and reduces the time available for manual review. This creates a larger attack surface for malicious code injection. Without strong identity and provenance controls, it becomes difficult to distinguish between legitimate, AI-assisted code and unauthorized or malicious commits.