Generated Artefact Promotion Governance

2. Summary

Generated Artefact Promotion Governance requires that any artefact generated by an AI agent — code, configuration, data transformations, reports, models, prompts, policies, or any other output — passes through a formally defined, auditable promotion pipeline before it is used in a production environment or relied upon for operational decisions. Promotion is the process by which an artefact moves from a lower-trust environment (development, staging, sandbox) to a higher-trust environment (production, customer-facing, regulatory-reporting). AG-077 prevents the direct injection of AI-generated artefacts into production without validation, review, and approval — a risk that scales with the volume and velocity at which AI agents can generate outputs. Without promotion governance, AI-generated code reaches production without review, AI-generated configurations modify live systems without validation, and AI-generated reports inform decisions without verification.

3. Example

Scenario A — AI-Generated Code Deployed Directly to Production: An enterprise deploys a code-generation agent to accelerate software development. Developers request code from the agent and, under time pressure, copy generated functions directly into production repositories without review. Over 4 months, the agent generates 12,000 lines of code across 47 microservices. No promotion gate exists — the generated code follows the same (minimal) review process as human-written code, and developers routinely self-approve. A security audit discovers that 23 of the generated functions contain SQL injection vulnerabilities because the agent's training data included patterns that were secure in their original context but insecure in the organisation's architecture. The remediation requires reviewing all 12,000 lines, patching 47 services, and conducting a data breach investigation for the 3 services that were externally accessible.

What went wrong: No distinct promotion gate existed for AI-generated artefacts. Generated code was treated identically to human-written code, but without the contextual security awareness that human developers bring. The volume of generated code overwhelmed the existing review process. No automated quality gate (static analysis, security scanning, architecture conformance) was applied specifically to generated artefacts before they entered the codebase. Consequence: 23 exploitable vulnerabilities in production, data breach investigation, mandatory security remediation across 47 services, estimated remediation cost of £280,000, regulatory notification obligation.

Scenario B — AI-Generated Configuration Applied Without Staging: A DevOps agent generates infrastructure-as-code configurations to optimise cloud resource allocation. The generated configuration reduces costs by 35% in testing. An operator applies the configuration directly to production without passing it through the staging environment. The generated configuration removes a network security group rule that the agent assessed as "redundant" based on traffic analysis, but which was actually a compensating control for a known vulnerability. The removal exposes 3 internal services to the public internet for 6 hours before monitoring detects the anomaly.

What went wrong: The generated configuration bypassed the staging environment. The agent's assessment of the security group rule was based on traffic patterns (the rule rarely blocked traffic) rather than security intent (the rule existed as a compensating control). No promotion gate required security review of configuration changes that modify network access rules. Consequence: 6-hour exposure of internal services to the public internet, mandatory incident investigation, potential data exposure, regulatory notification assessment required.

Scenario C — AI-Generated Report Used for Regulatory Filing Without Verification: A compliance agent generates a quarterly regulatory report by aggregating data from multiple internal systems. The agent produces a polished PDF that matches the required format. A compliance officer, trusting the agent's output, submits the report to the regulator without independent verification. The report contains a material misstatement — the agent double-counted transactions from two systems that share a common data source, overstating transaction volumes by 28%. The regulator identifies the discrepancy during a cross-firm analysis 9 months later.

What went wrong: The AI-generated report was promoted directly from generation to regulatory submission without an independent verification step. No promotion gate required reconciliation of the generated report against independent data sources. The report's professional appearance created unjustified confidence in its accuracy. Consequence: Regulatory finding for inaccurate reporting, requirement to restate 3 quarters of filings, supervisory review of the firm's reporting controls, reputational damage with the regulator.

4. Requirement Statement

Scope: This dimension applies to all AI agents that generate artefacts intended for use outside the agent's own runtime context. This includes but is not limited to: source code, configuration files, infrastructure-as-code templates, data transformation scripts, analytical reports, risk assessments, compliance documentation, customer communications, policy documents, model weights or parameters, prompt templates, decision rules, and any other output that influences systems, processes, or decisions beyond the agent that created it. The scope covers artefacts that are used by humans (reports, documents), artefacts that are consumed by other systems (code, configurations), and artefacts that are consumed by other agents (prompts, policies, decision rules). An artefact is "generated" if an AI agent created it, substantially modified it, or selected it from alternatives. The scope does not cover ephemeral agent outputs that are consumed and discarded within a single interaction (e.g., a conversational response that is read and not retained). The test is whether the artefact persists beyond the interaction and influences production systems, operational decisions, or external communications.

4.1. A conforming system MUST define a promotion pipeline for each category of AI-generated artefact, specifying: the environments the artefact must pass through (e.g., sandbox, development, staging, production), the validation checks required at each promotion gate, the approval authority for each gate, and the maximum time an artefact may remain in any environment before re-validation is required.

4.2. A conforming system MUST enforce promotion gates at the infrastructure layer — AI-generated artefacts must be unable to reach production environments without passing through all required gates, regardless of the agent's or operator's intent.

4.3. A conforming system MUST apply automated quality checks at each promotion gate appropriate to the artefact type: static analysis and security scanning for code; schema validation and security review for configurations; data reconciliation and accuracy verification for reports; factual accuracy and compliance checks for documents.

4.4. A conforming system MUST maintain an immutable promotion record for each artefact, documenting: the generating agent, the generation timestamp, each promotion gate passed, the validation results at each gate, the approver at each gate, and the final deployment location.

4.5. A conforming system MUST require human approval at least at the final promotion gate before any AI-generated artefact enters a production environment or is used for regulatory reporting.

4.6. A conforming system MUST label all AI-generated artefacts with provenance metadata indicating: the generating agent's identity, the model version used, the generation timestamp, and the promotion status. This metadata must persist with the artefact through all environments.

4.7. A conforming system SHOULD implement differential validation for AI-generated artefacts versus human-created artefacts, applying additional checks that address known AI generation failure modes (e.g., hallucinated dependencies in code, plausible-but-incorrect calculations in reports, security-insecure patterns that pass superficial review).

4.8. A conforming system SHOULD implement automated rollback capability that can retract a promoted artefact from production and restore the previous version within a defined time window (target: 15 minutes for configuration artefacts, 60 minutes for code artefacts).

4.9. A conforming system SHOULD implement canary promotion for high-impact artefacts — deploying the artefact to a limited subset of production (e.g., 5% of traffic) before full promotion, with automated monitoring for anomalies during the canary period.

4.10. A conforming system MAY implement confidence scoring for generated artefacts, where the generating agent assigns a confidence level that influences the rigour of the promotion pipeline (e.g., low-confidence artefacts require additional review gates).

5. Rationale

Generated Artefact Promotion Governance addresses a risk that is unique to AI agent operations: the ability to generate production-quality-appearing artefacts at high volume and velocity without the contextual understanding that would prevent a human from making certain categories of error. An AI agent can generate thousands of lines of code, hundreds of configuration files, or dozens of reports in the time it takes a human to produce one. This velocity is the value proposition — but it is also the risk vector.

The fundamental problem is that AI-generated artefacts often pass superficial review. Generated code compiles and runs. Generated configurations are syntactically valid. Generated reports are well-formatted and internally consistent. The failures are subtle: the code uses an insecure pattern that is common in training data but inappropriate in the deployment context; the configuration optimises for a metric while inadvertently removing a security control; the report is internally consistent but based on double-counted data. These failure modes are difficult for human reviewers to catch, especially when the volume of generated artefacts overwhelms review capacity.

Promotion governance addresses this by establishing structural gates that artefacts must pass through before reaching production. The gates are not merely review steps — they are automated validation checks combined with human approval at critical transitions. The automation catches the categories of error that are detectable by tooling (security vulnerabilities, schema violations, data reconciliation failures). The human approval catches the categories of error that require contextual understanding (architectural appropriateness, business logic correctness, regulatory compliance).

The preventive nature of AG-077 is critical. Post-production detection of faulty AI-generated artefacts is significantly more expensive than pre-production detection. A SQL injection vulnerability caught in a security scan during staging costs hours to fix. The same vulnerability discovered in production after exploitation costs thousands in incident response, regulatory notification, and remediation. AG-077 shifts the cost curve by requiring detection before promotion.

AG-077 intersects with AG-007 (Governance Configuration Control) because promotion pipelines are themselves governance configurations. It intersects with AG-029 (Credential Integrity Verification) because artefact signing during promotion relies on credential integrity. It intersects with AG-076 (Assurance Case Maintenance Governance) because promoted artefacts may invalidate existing assurance case claims.

6. Implementation Guidance

AG-077 requires organisations to build promotion pipelines that are proportionate to the risk of the generated artefact and enforceable at the infrastructure layer.

Recommended patterns:

• Environment isolation with gate enforcement. Implement physically or logically separate environments (sandbox, staging, production) with infrastructure-level controls preventing direct promotion. Generated artefacts are created in the sandbox. Promotion to staging requires automated validation gate passage. Promotion to production requires automated validation plus human approval. The agent cannot write directly to production repositories, production configuration stores, or production file systems. All promotion flows through the gate infrastructure. Use separate credentials for each environment to prevent bypass.
• Artefact-type-specific validation pipelines. Define different validation checks for different artefact types. For generated code: static analysis (complexity, style), security scanning (SAST, dependency vulnerability check, secret detection), unit test execution, integration test execution, and architecture conformance check. For generated configurations: schema validation, security policy compliance check, drift detection against baseline, and impact analysis showing what the configuration changes. For generated reports: source data reconciliation (regenerate key figures from independent queries), cross-reference validation, and format compliance. For generated documents: factual claim verification against source data, regulatory compliance check, and tone/content policy check. Target false-positive rates below 10% to maintain developer trust in the pipeline.
• Provenance chain with cryptographic signing. Sign each generated artefact at creation with the agent's identity and model version. At each promotion gate, append a signed attestation recording the validation results and approver. The production environment verifies the complete provenance chain before accepting the artefact. Any break in the chain — missing signatures, failed validations, skipped gates — prevents promotion. Use a separate signing key for each environment to prevent forgery.
• Promotion velocity controls. Implement rate limits on artefact promotion to prevent overwhelming review capacity. If an agent generates 500 configuration changes in one hour, the promotion pipeline should queue them for review at a rate that maintains review quality, not rubber-stamp them at generation speed. Set maximum promotion rates per artefact type (e.g., no more than 20 code changes per hour to production review, no more than 5 configuration changes per hour to production deployment).

Anti-patterns to avoid:

• Treating AI-generated artefacts identically to human-created artefacts. Existing code review processes were designed for the volume and error profile of human developers. AI agents generate at orders of magnitude higher volume with different error distributions. Applying the same review process without augmentation leads to either review bottlenecks or rubber-stamping. AI-generated artefacts need additional automated validation tailored to known AI failure modes.
• Promotion by copy-paste. If operators can copy an AI-generated artefact from a sandbox environment and paste it into a production system, the promotion pipeline is bypassed regardless of how well it is designed. Promotion must be enforced at the infrastructure layer — the production environment accepts artefacts only through the promotion pipeline, not through direct write access.
• Validation without rejection consequences. A promotion gate that identifies issues but allows promotion to continue with a warning is not a gate — it is a notification. Gates must block promotion when validation fails, requiring the issue to be resolved before the artefact can advance.
• Over-reliance on the generating agent's self-assessment. An agent that generates code and then assesses its own code for quality is a circular validation. Validation must be performed by independent tools and processes that are not influenced by the generating agent.
• Skipping staging for "low-risk" artefacts. Risk classification is itself error-prone when applied to AI-generated artefacts. An artefact classified as low-risk by the generating agent or by a human who did not fully review it may contain high-impact changes. At minimum, all artefacts should pass through automated validation, even if human review is reserved for higher-risk categories.

Industry Considerations

Financial Services. AI-generated trading algorithms, risk models, and regulatory reports require rigorous promotion pipelines. The FCA expects firms to validate models before production use (SS1/23), and AI-generated models inherit this requirement. Generated code that interfaces with payment systems must pass PCI DSS relevant security checks before promotion. Generated regulatory reports must be reconciled against source-of-truth data before submission. Retain promotion records for a minimum of 7 years aligned with MiFID II record-keeping requirements.

Healthcare. AI-generated clinical decision support artefacts require validation against clinical evidence before promotion. Generated care pathway configurations must pass clinical safety review. Generated patient communications must pass health literacy and regulatory compliance checks. FDA pre-market review may apply to significant changes in AI-generated artefacts that function as medical device components.

Critical Infrastructure. AI-generated control system configurations must pass safety review before promotion to operational technology environments. The promotion pipeline must include simulation testing that verifies the configuration does not create unsafe operating conditions. IEC 61508 change management requirements apply to AI-generated artefacts that affect safety functions. Promotion to safety-critical systems should require independent safety assessment.

Maturity Model

Basic Implementation — The organisation has defined promotion pipelines for primary artefact types (code, configuration, reports). Automated validation includes basic quality checks (syntax validation, schema compliance). Human approval is required at the production gate. Provenance metadata is attached to artefacts. Promotion records are maintained. This level meets minimum mandatory requirements but may not address AI-specific failure modes (the automated checks are generic, not tailored to AI generation patterns).

Intermediate Implementation — Promotion pipelines include AI-specific validation checks tailored to known failure modes for each artefact type. Security scanning, architecture conformance, data reconciliation, and compliance checks are automated. Provenance chains are cryptographically signed. The production environment rejects artefacts without valid provenance chains. Canary promotion is used for high-impact artefacts. Promotion velocity controls prevent review overwhelm. The organisation tracks promotion rejection rates and uses them to improve agent generation quality — targeting a rejection rate below 15% as an indicator of agent calibration.

Advanced Implementation — All intermediate capabilities plus: the promotion pipeline is continuously improved using feedback from production incidents (any incident caused by a promoted artefact triggers a root-cause analysis of the promotion pipeline's failure to catch it). Machine learning-assisted review prioritises human attention on the artefacts most likely to contain issues. The promotion pipeline includes regression testing that verifies promoted artefacts do not degrade existing functionality. Automated rollback is tested monthly. The organisation can demonstrate that no AI-generated artefact has reached production without passing all required gates, verified by independent audit.

7. Evidence Requirements

Required artefacts:

• Promotion pipeline definitions. Documented, versioned definitions of the promotion pipeline for each artefact type, including: environments, validation checks at each gate, approval authorities, and maximum dwell times.
• Promotion records. For each promoted artefact: the generating agent identity, generation timestamp, provenance chain, validation results at each gate, approver identity at each gate, and final deployment location. Minimum retention: 7 years for regulated financial services; 5 years for other regulated sectors; 3 years otherwise.
• Validation tooling configuration. The configuration and version of automated validation tools (static analysers, security scanners, reconciliation tools) used at each promotion gate.
• Rejection records. Records of artefacts that were rejected at promotion gates, including: the reason for rejection, the action taken (remediation, discard), and the re-submission outcome if applicable.
• Provenance chain evidence. Cryptographic signatures or equivalent attestations demonstrating the artefact's journey through the promotion pipeline.

Retention requirements:

• Promotion records and provenance chains: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Testing AG-077 compliance requires verifying that promotion gates are enforceable, that validation is effective, and that bypass is not possible.

Test 8.1: Infrastructure-Level Gate Enforcement

• Stimulus: Attempt to deploy an AI-generated artefact directly to the production environment, bypassing the promotion pipeline (e.g., direct write to production repository, direct configuration push, direct file upload).
• Expected behaviour: The production environment rejects the artefact. The infrastructure prevents direct deployment without passage through the promotion pipeline.
• Pass criteria: No AI-generated artefact can reach production without passing through all defined promotion gates. The bypass attempt is logged and alerted.
• Fail criteria: The artefact reaches production without passing through the promotion pipeline, or the bypass attempt is not detected.

Test 8.2: Validation Gate Effectiveness

• Stimulus: Submit AI-generated artefacts with known defects through the promotion pipeline: code with a known security vulnerability (e.g., SQL injection), a configuration with a security policy violation, a report with a known data reconciliation error.
• Expected behaviour: The automated validation at the appropriate promotion gate detects each defect and blocks promotion.
• Pass criteria: All known defects are detected and promotion is blocked. The rejection record identifies the specific defect.
• Fail criteria: Any known defect passes through the promotion gate undetected.

Test 8.3: Provenance Chain Integrity

• Stimulus: Attempt to promote an artefact with a tampered provenance chain — modify the artefact after signing, remove a gate attestation, or forge an approval signature.
• Expected behaviour: The production environment detects the provenance chain violation and rejects the artefact.
• Pass criteria: No artefact with an invalid provenance chain is accepted into production.
• Fail criteria: An artefact with a tampered provenance chain is accepted into production.

Test 8.4: Human Approval at Final Gate

• Stimulus: Submit a fully validated AI-generated artefact to the final promotion gate. Verify that the pipeline requires human approval before production deployment.
• Expected behaviour: The artefact passes automated validation but awaits human approval. It does not enter production until a designated approver explicitly approves.
• Pass criteria: No artefact enters production without recorded human approval at the final gate.
• Fail criteria: An artefact auto-promotes to production after automated validation without human approval.

Test 8.5: Provenance Metadata Persistence

• Stimulus: Promote an AI-generated artefact through all gates to production. Examine the artefact in the production environment.
• Expected behaviour: The artefact retains its provenance metadata in the production environment: generating agent identity, model version, generation timestamp, and promotion status.
• Pass criteria: Provenance metadata is present and accurate in the production environment.
• Fail criteria: Provenance metadata is missing, incomplete, or inaccurate in the production environment.

Test 8.6: Promotion Record Completeness

• Stimulus: Request the promotion record for a production-deployed AI-generated artefact.
• Expected behaviour: The record contains: the generating agent, generation timestamp, each gate passed, validation results at each gate, approver at each gate, and deployment location.
• Pass criteria: All required fields are present and the record is immutable.
• Fail criteria: Any required field is missing, or the record can be modified after generation.

Test 8.7: Rollback Capability

• Stimulus: Trigger a rollback for a recently promoted artefact in production.
• Expected behaviour: The promoted artefact is retracted and the previous version is restored within the defined time window (SHOULD requirement: 15 minutes for configurations, 60 minutes for code).
• Pass criteria: The rollback completes within the target time window and the previous version is correctly restored.
• Fail criteria: The rollback fails, takes longer than the target window, or restores an incorrect version.

Conformance Scoring

• Score 0: No promotion governance exists — AI-generated artefacts can be deployed directly to production without validation or approval.
• Score 1: A promotion process exists but is advisory — operators can bypass gates. Validation is manual. Provenance tracking is incomplete.
• Score 2: Infrastructure-enforced promotion gates with automated validation, human approval at the final gate, provenance metadata, and immutable promotion records. All MUST requirements are met.
• Score 3: AI-specific differential validation, cryptographic provenance chains, canary promotion, automated rollback, continuous pipeline improvement from incident feedback, and independent audit verification. The promotion pipeline is a mature, hardened control.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 15 (Accuracy, Robustness, Cybersecurity)	Direct requirement
EU AI Act	Article 52 (Transparency Obligations)	Supports compliance
SOX	Section 404 (Internal Controls Over Financial Reporting)	Direct requirement
FCA SYSC	6.1.1R (Systems and Controls)	Direct requirement
NIST AI RMF	GOVERN 1.4, MAP 2.3, MANAGE 2.2	Supports compliance
ISO 42001	Clause 8.2 (AI Risk Assessment), Clause 8.4 (Operation)	Supports compliance
DORA	Article 8 (ICT Systems, Protocols, and Tools)	Direct requirement
PCI DSS	Requirement 6 (Develop and Maintain Secure Systems)	Supports compliance

EU AI Act — Article 15 (Accuracy, Robustness, Cybersecurity)

Article 15 requires that high-risk AI systems achieve appropriate levels of accuracy, robustness, and cybersecurity. AI-generated artefacts that enter production without validation threaten all three properties. Generated code with security vulnerabilities undermines cybersecurity. Generated configurations that drift from validated baselines undermine robustness. Generated reports with data errors undermine accuracy. AG-077's promotion gates implement the pre-deployment validation that Article 15 requires for outputs that become part of or affect AI system operation.

EU AI Act — Article 52 (Transparency Obligations)

Article 52 imposes transparency obligations for AI-generated content. AG-077's provenance metadata requirement — labelling all AI-generated artefacts with generating agent identity, model version, and generation timestamp — directly supports transparency obligations by ensuring that AI-generated artefacts are identifiable as such throughout their lifecycle.

SOX — Section 404 (Internal Controls Over Financial Reporting)

AI-generated financial reports, calculations, and configurations that affect financial reporting are within scope of Section 404 internal controls. The promotion pipeline with its validation gates and approval requirements implements the control activities required by COSO (Committee of Sponsoring Organizations) for reliable financial reporting. An auditor will ask: "How do you ensure that AI-generated outputs used in financial reporting are accurate?" The promotion record with reconciliation results provides the answer.

FCA SYSC — 6.1.1R (Systems and Controls)

The FCA expects firms to control the quality of AI outputs that affect regulated activities. Generated trading algorithms, risk calculations, and customer communications must pass through appropriate controls before use. The FCA's SS1/23 addresses model validation before production use — AI-generated artefacts that function as or modify models inherit this requirement.

DORA — Article 8 (ICT Systems, Protocols, and Tools)

DORA Article 8 requires financial entities to use ICT systems, protocols, and tools that are sound and resilient. AI-generated configurations and code that enter production without validation threaten the soundness and resilience of ICT systems. The promotion pipeline ensures that generated artefacts meet quality and security standards before deployment.

PCI DSS — Requirement 6 (Develop and Maintain Secure Systems)

Requirement 6 mandates secure development practices, including code review and change control. AI-generated code that accesses, processes, or transmits cardholder data must comply with PCI DSS secure development requirements. The promotion pipeline's security scanning gate directly supports Requirement 6.5 (address common coding vulnerabilities) and Requirement 6.4 (change control processes).

NIST AI RMF — GOVERN 1.4, MAP 2.3, MANAGE 2.2

GOVERN 1.4 addresses the governance of AI system outputs. MAP 2.3 addresses the mapping of AI system components to organizational processes. MANAGE 2.2 addresses risk mitigation through controls. AG-077 supports all three by governing the transition of AI outputs into operational use.

ISO 42001 — Clause 8.2, Clause 8.4

Clause 8.2 requires AI risk assessment, which should cover the risks of unvalidated AI-generated artefacts. Clause 8.4 requires controlled operation of AI systems, which includes controlling the artefacts those systems produce. AG-077 implements the operational controls for AI-generated outputs.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Variable — from single-service impact to organisation-wide depending on the artefact type and deployment scope

Consequence chain: When AI-generated artefacts bypass promotion governance and enter production unvalidated, the consequence depends on the artefact type and scope. Generated code with security vulnerabilities creates exploitable attack surfaces — a single SQL injection in an externally accessible service can lead to data breach, with consequences including regulatory notification (within 72 hours under GDPR), customer notification, remediation costs, and regulatory fines. Generated configurations that modify security controls can expose internal systems to external access, creating incident response costs and potential data exposure. Generated reports with inaccuracies can lead to incorrect business decisions, inaccurate regulatory filings (triggering restatement obligations and supervisory scrutiny), and flawed risk assessments. The velocity amplifies the impact: an agent that generates and promotes 500 artefacts per week without adequate validation can introduce errors at a rate that overwhelms detection and remediation capacity. The cumulative effect of many small errors in generated artefacts can create systemic quality degradation that is difficult to identify and expensive to remediate. In financial services, inaccurate generated reports submitted to regulators create compliance violations with firm-level consequences. In healthcare, inaccurate generated clinical artefacts can affect patient safety. In critical infrastructure, invalid generated configurations can create safety hazards.

Cross-references: AG-007 (Governance Configuration Control) — promotion pipelines are governance configurations requiring version control. AG-029 (Credential Integrity Verification) — artefact signing relies on credential integrity. AG-076 (Assurance Case Maintenance Governance) — promoted artefacts may invalidate assurance case claims, triggering review.