Governing AI in Your CI/CD Pipeline: Risks and Real Controls

AI in your CI/CD pipeline cuts two ways. It writes code faster, and it ships insecure code faster. The fix isn't to ban it. It's to put governance gates inside the pipeline so AI-generated code, AI build tools, and AI agents can't push anything to production that a human and a scanner haven't checked. This guide covers the new risks, the controls that catch them, and the standards (NIST SSDF, SLSA, OWASP CI/CD Top 10) you can map every control to.
If you run engineering, security, or governance, the question isn't whether AI is in your pipeline. It's already there. The question is whether your pipeline can tell good AI output from dangerous AI output before it reaches users.
What does "AI in the CI/CD pipeline" actually mean?
Three distinct things, and they carry different risks. People mix them up, which is how controls get missed.
| What it is | Example | Main risk |
|---|---|---|
| AI-generated code entering the pipeline | A developer commits code from Copilot, Cursor, or Claude | Insecure code, leaked secrets, hallucinated dependencies |
| AI tools inside the build/test/deploy chain | An AI test generator, an AI code reviewer, an LLM that triages CI failures | Poisoned tooling, prompt injection, false confidence |
| AI agents acting in the pipeline | An agent that opens PRs, merges, or deploys autonomously | Unreviewed changes reaching production |
The first one is where most teams are today. The third one is where the sharpest risk is heading. Govern all three the same way: nothing AI touches gets a free pass to production.
How risky is AI-generated code, really?
Risky enough that you can't treat it like human code that happens to be typed faster.
Veracode's 2025 GenAI Code Security Report tested over 100 large language models across 80 coding tasks in four languages. 45% of the AI-generated samples failed security tests. The pass rate was worst in Java at 29%. For cross-site scripting, the models produced insecure code 86% of the time. For log injection, 88% of the time. (Veracode, September 2025)
So roughly half the security-sensitive code AI writes has a flaw in it. Now pair that with volume. AI lets a team commit far more code, far faster. More flawed code, shipped quicker, through pipelines that were tuned for human review speeds. That's the squeeze.
The honest read: AI coding assistants are a real productivity gain and a real security liability at the same time. Both things are true. The pipeline is where you reconcile them.
What new attack surface does AI add to the pipeline?
The classic CI/CD risks haven't gone anywhere. AI just gives attackers more ways in and defenders more to watch.
Start with the risks that already exist. The OWASP Top 10 CI/CD Security Risks name the patterns every pipeline owner should know:
- CICD-SEC-1 Insufficient Flow Control Mechanisms (code reaching production without review or approval gates)
- CICD-SEC-3 Dependency Chain Abuse (malicious or typo-squatted packages pulled into the build)
- CICD-SEC-4 Poisoned Pipeline Execution (attacker injects commands into the build config)
- CICD-SEC-6 Insufficient Credential Hygiene (secrets exposed in logs or config)
- CICD-SEC-9 Improper Artifact Integrity Validation (no proof the artifact is the one you built)
AI sharpens several of these. A few specifics worth naming:
Hallucinated dependencies. AI assistants sometimes recommend packages that don't exist. Attackers register those package names and wait. When a developer pastes the AI's suggestion and the build resolves it, the build pulls attacker-controlled code. This bends CICD-SEC-3 straight into your pipeline.
Prompt injection into AI build tools. If an LLM reads your PR description, commit messages, or issue text to triage a failure or review code, those inputs are untrusted. A crafted comment can steer the tool. An AI reviewer that can be talked into approving bad code is worse than no reviewer, because it gives false confidence.
Secrets in AI-generated config. AI-written pipeline files and Dockerfiles regularly hardcode credentials or weaken permissions, feeding CICD-SEC-6 and CICD-SEC-7.
And the supply chain risk is not theoretical. In March 2025, the widely used GitHub Action tj-actions/changed-files was compromised, affecting over 23,000 repositories. Attackers altered version tags to point at a malicious commit that dumped CI/CD secrets into build logs (CISA, CVE-2025-30066). No AI involved in that one. The point: your pipeline already trusts a long chain of third-party code, and AI tooling lengthens that chain.
Which standards should govern AI in the pipeline?
Three, and they stack. Don't invent your own framework when these exist and map cleanly to pipeline stages.
NIST SSDF (SP 800-218). The Secure Software Development Framework. Four practice groups: Prepare the Organization, Protect the Software, Produce Well-Secured Software, Respond to Vulnerabilities. It's outcome-based, not tool-prescriptive, so it survives whatever tooling you swap in (NIST, SP 800-218). NIST also published SP 800-218A, a profile that adds practices specific to generative AI and foundation models on top of the SSDF (NIST, SP 800-218A). If you build or fine-tune models, that profile is your starting map.
SLSA (Supply-chain Levels for Software Artifacts). An OpenSSF framework for build integrity and provenance. Levels run 0 to 3. Level 1 means you generate provenance describing how an artifact was built. Level 2 adds a signed provenance from a hosted build platform. Level 3 requires hardened, isolated builds that resist tampering (SLSA framework, OpenSSF). SLSA is how you answer "is this artifact really the one we built, from the source we think?" That question matters more, not less, when AI agents can trigger builds.
OWASP Top 10 CI/CD Security Risks. The threat model for the pipeline itself (OWASP). Use it as a checklist for what an attacker would try.
Here's the simple mapping engineering and governance leaders can share:
| Pipeline stage | Control | Maps to |
|---|---|---|
| Commit | Secret scanning, SAST on every PR including AI-authored | SSDF PW, OWASP CICD-SEC-6 |
| Code review | Human approval required; AI review advisory only | OWASP CICD-SEC-1 |
| Dependencies | Pin versions, verify packages exist, SCA scan, SBOM | OWASP CICD-SEC-3, SSDF PS |
| Build | Pinned action/image digests, isolated build, provenance | SLSA L2-L3, OWASP CICD-SEC-4 |
| Artifact | Sign artifacts, verify signature before deploy | SLSA, OWASP CICD-SEC-9 |
| Deploy | Approval gate; agents cannot self-deploy to prod | OWASP CICD-SEC-1 |
| Everywhere | Full logging of who and what triggered each step | OWASP CICD-SEC-10 |
What controls actually stop bad AI code reaching production?
Concrete gates, ordered by where they sit in the pipeline. None of this is exotic. Most teams already own the tools and just haven't pointed them at AI output specifically.
At commit. Run secret scanning and static analysis (SAST) on every change, with no exception for AI-authored code. Block on high-severity findings. This is your front line against that 45% failure rate. Treat AI commits as untrusted input, because that's what they are.
At review. Keep a human approval gate. An AI reviewer can summarise a diff or flag obvious issues, fine, but it does not get merge authority. Branch protection that requires a human approval closes CICD-SEC-1. The moment an agent can approve its own PR, you've lost the gate.
On dependencies. Pin versions. Verify that every package an AI suggested actually exists and is the real one before it enters a lockfile. Run software composition analysis (SCA) and generate a software bill of materials (SBOM) so you know what's in the build. This is the direct counter to hallucinated dependencies.
In the build. Pin third-party GitHub Actions and base images to a full commit digest, not a floating tag. The tj-actions incident worked precisely because tags can be moved under you. Isolate the build environment. Generate provenance (SLSA Level 2 and up) so you can prove what produced each artifact.
At the artifact. Sign artifacts. Verify the signature before anything deploys. An unsigned or mismatched artifact never reaches production.
At deploy. Require an explicit approval for production. Autonomous agents can prepare, test, and stage. They do not push the final button to prod on their own. Log every trigger, human or machine, so you have an audit trail.
One opinion, stated plainly: the single most valuable control here is the human approval gate before merge and before prod deploy. Scanners catch known patterns. The gate catches the unknown ones, and it's the control AI pressure quietly erodes first. Defend it.
Why does this matter for compliance, not just security?
Because regulators are starting to ask how your software gets built, and AI-built software draws more scrutiny.
Under the EU AI Act, providers of high-risk AI systems face obligations covering risk management, data governance, technical documentation, and record-keeping (Articles 9 to 17). The headline enforcement date for high-risk systems is 2 August 2026, though a Digital Omnibus agreement reached in May 2026 proposes pushing the main high-risk deadline to December 2027, pending formal adoption (artificialintelligenceact.eu implementation timeline). Either way, "we can show how this system was built and tested" stops being optional.
A governed pipeline produces that evidence as a by-product. Provenance, SBOMs, signed artifacts, logged approvals, scan results. That's the documentation trail an auditor wants, generated automatically rather than reconstructed in a panic before a deadline. Governance built into the pipeline is cheaper than governance bolted on after.
Frequently asked questions
Should we ban AI coding tools to reduce risk?
No. A ban pushes usage underground and forfeits the productivity gain. The workable answer is to assume AI is in the pipeline and put scanning and approval gates around it, so insecure output gets caught before it ships.
Is AI-generated code less secure than human code?
The evidence says yes, at a meaningful rate. Veracode's 2025 study found 45% of AI-generated samples failed security tests, and the firm reported AI-generated code carrying higher vulnerability density than human-written code (Veracode, 2025). The risk compounds because AI lets teams ship more code, faster.
Can an AI agent be allowed to deploy to production?
It can prepare, test, and stage a deployment. The final push to production should stay behind a human approval gate, in line with OWASP CICD-SEC-1 on flow control. An agent that can self-approve and self-deploy has no gate left to fail safe.
Where do we start if our pipeline has no AI-specific controls?
Two moves first. Turn on secret scanning and SAST for every commit including AI-authored, and require human approval before merge and before prod deploy. Those two close the widest gaps. Then add dependency verification, artifact signing, and provenance against SLSA.
The bottom line
AI in the CI/CD pipeline is a productivity multiplier wired to a risk multiplier. The same speed that ships features ships flaws, and roughly half of AI-written security-sensitive code carries one. You don't fix that by trusting the AI more or banning it outright. You fix it by treating every AI contribution, code, tooling, or agent, as untrusted input that has to clear the same gates as anything else: scan at commit, human approval before merge, verified dependencies, signed artifacts, provenance on the build, and no autonomous push to production.
Map those gates to NIST SSDF, SLSA, and the OWASP CI/CD Top 10, and you get two wins at once. A pipeline that catches dangerous AI output, and an audit trail that proves it. The teams that build this now will look prepared when the regulators and the breach reports arrive. The teams that don't will be explaining, after the fact, how a hallucinated package or an unreviewed agent commit got all the way to their users.
That conversation is much worse than the gate.
Related reading
- Security blindspots in AI-assisted coding
- AI development security governance
- AI supply chain security and model poisoning risk
- Testing playbooks for AI validation
For hands-on help, see VerityAI's software and web development.

Sotiris Spyrou
Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.
Founder at VerityAI
Areas of Expertise: