Altive — Governance for AI-Assisted Software Development

The AI Secure SDLC

Six governed stages, from prompt to production.

This is the VO-TECH-002 flow. Every stage has a purpose, a set of activities and a gate. Code only advances when the gate passes, and every gate emits audit evidence, so the whole path from prompt to production is traceable and examiner-ready by design.

VO-TECH-002 flow diagram. Legend: AI session, Security control, Development, Production-ready, Governance gate, Audit evidence.

  1. Pre-Session Setup

    Stage 1 of 6

    Before any AI tool is opened: approve the tool, classify the data, confirm the developer is trained.

    • TOOL-APPROVAL: Tool approval — only approved tools, scoped to a risk tier.
    • DATA-CLASS: Data classification — declare sensitivity: PII, proprietary, regulated.
    • DEV-CERT: Developer certification — current AI-secure-development training.
  2. AI-Assisted Development Session

    Stage 2 of 6

    The live coding session: keep prompts clean, review what the AI returns, log the session.

    • PROMPT-HYGIENE: Prompt & context hygiene — no secrets, PII or regulated data in prompts, including auto-injected files.
    • OUTPUT-REVIEW: Output review — developer must be able to explain all AI output before using it.
    • ANOMALY-DETECT: Anomaly detection — stop and raise an incident on leakage or hallucinated dependencies.
    • SESSION-LOG: Session logging — tamper-evident, with a session reference ID.
  3. Pre-Commit Security

    Stage 3 of 6

    The developer's own gate: fast local checks before code enters version control.

    • SECRET-SCAN: Secret scanning — a detected secret blocks the commit; rotate the credential.
    • PRE-COMMIT-SAST: Pre-commit SAST — fast scan for vulnerability classes common in AI output.
    • AI-ANNOTATE: AI contribution annotation — tag the commit: how much was AI-generated, which tool, which session.
    • HOOK-INTEGRITY: Hook integrity — bypass is detectable and re-checked server-side in Stage 5.
  4. Code Review & Attribution

    Stage 4 of 6

    The human accountability gate: a named person takes ownership of the AI-assisted code.

    • PR-METADATA: PR metadata — AI level, risk tier, data classification, plain-language explanation.
    • TIERED-REVIEW: Tiered reviewers — T1 two independent senior reviewers, T2 two, T3 one.
    • REVIEW-ATTEST: Review attestation — reviewer accepts accountability as if they wrote it.
    • MERGE-CONTROL: Merge controls — no direct commits to protected branches; annotation preserved through merge.
  5. CI/CD Security Pipeline

    Stage 5 of 6

    The automated enforcement layer: blocking gates that produce signed evidence.

    • G1·G2: Secret scan + full SAST.
    • G3·G4: SCA + container/IaC — no critical CVEs, no prohibited licences, no insecure infra config.
    • G5: DAST — T1/T2, isolated environment.
    • G6: Artifact signing — short-lived keys, SLSA Level 2 provenance.
    • G7: Provenance verification — every commit's AI annotation validated against the approved registry.
    • SCANNER-GOV: Scanner governance — pinned approved scanners, time-boxed approved suppressions.
  6. Pre-Production & Release

    Stage 6 of 6

    The final human gate: a named person attests the artefact is fit for production.

    • READINESS: Readiness checklist — a points-based Production Readiness Checklist, verified and signed.
    • CHANGE-APPROVAL: Change approval — CAB review by tier; CISO sign-off for a new AI-generated T1 component.
    • POST-DEPLOY: Post-deploy verification — smoke tests, monitoring review, a 24-hour observation window for T1.

Across every stage

The flow does not stand alone.

Four concerns run across all six stages, binding them into one governed, measurable system.

Incident response

Runs across all stages. Leakage, hallucinated dependencies or gate bypass trigger a logged incident, not a quiet workaround.

Evidence register

Every artefact from EV-001 to EV-017 is recorded in one register, building a continuous prompt-to-production audit trail.

Pipeline KPIs

The flow is measured: gate pass rates, time-to-remediate and coverage, so governance is observable rather than assumed.

OWASP LLM Top 10

Stage controls are mapped to the OWASP LLM Top 10, keeping common AI-assisted coding risks explicitly in scope.

Evidence register

EV-001 to EV-017

One continuous register links every artefact the stages emit into a single prompt-to-production audit trail.

Risk tiers

  • T1: Critical
  • T2: High
  • T3: Medium
  • T4: Low

Controls scale with risk: the higher the tier, the more reviewers, checks and observation the change attracts.

See the flow running in your own pipeline.

The VO-TECH-002 flow is the public shape of the standard. Putting it into your delivery, mapped to your risk tiers and obligations, is what an Altive engagement does. Start with a conversation.

Supports alignment with DORA, GDPR / FADP, ISO 42001 / 27001, NIST AI RMF and the OWASP LLM Top 10. Altive supports alignment with these frameworks and standards. We do not certify, audit or issue certifications, and we make no guarantee of compliance.