Who pushed that?
Code authored by AI now makes up 27% of all production code, up from 22% just last quarter, and most analysts expect that number to cross 40% within 18 months. The question regulators will start asking is not how much of the codebase was written by AI. It is who committed it, with whose credentials, and whether there is a record of that decision that would survive an audit.
The credential in the config
When an AI coding agent commits and pushes code to a remote repository, it needs credentials to do so. In most teams those credentials are a personal access token (PAT) sitting in a local git config, an environment variable, or tucked into a shell profile that nobody has reviewed since 2022. The agent authenticates with that token, makes the push, and the audit log records the commit as belonging to whoever owns the token.
In regulated SaaS this is uncomfortable. Not because the code is wrong (it might be perfectly fine), but because the governance trail is broken. The audit log says "committed by sarah.jenkins@company.com." It does not say whether Sarah was at her desk, whether an agent running unattended made the push on her behalf, or whether anyone reviewed what went in. That distinction matters to a compliance team. It matters even more to a board trying to understand AI risk.
A push that leaves a paper trail
The fix is not complicated, but it is architectural. Git push operations should route through a controlled layer, not through local credentials on a developer's machine. PATs belong in Secrets Manager, not in environment variables. The developer authenticates via SSO and holds a session token that expires. Every commit through that layer is logged, with the session, the files changed, the lines added and removed, the branch, and the timestamp. The credential never touches the filesystem. The audit log is permanent.
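As an added illustration (not code from this article or from any Scail product), here is the audit entry such a controlled push layer could write for each push: it refuses expired sessions, records the fields listed above, and links entries by hash so that later edits are detectable. The session fields, the "actor" marker and the hash chain are assumptions; SSO and secret retrieval are out of scope.

```python
import hashlib
import json
import time

GENESIS = "0" * 64  # prev_hash of the first entry

# Constructed sample: `git diff --numstat` output for one push ("-" marks a binary file).
SAMPLE_NUMSTAT = "12\t3\tsrc/billing/invoice.py\n-\t-\tdocs/flow.png\n40\t0\ttests/test_invoice.py\n"
# Constructed sample: short-lived SSO session (field names are assumptions).
SAMPLE_SESSION = {"id": "sess-0001", "user": "dev@example.com",
                  "actor": "agent", "expires_at": 1_700_003_600}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def parse_numstat(text):
    """Turn numstat lines (added<TAB>removed<TAB>path) into per-file counts."""
    files = []
    for line in text.strip().splitlines():
        added, removed, path = line.split("\t", 2)
        files.append({"path": path,
                      "added": 0 if added == "-" else int(added),
                      "removed": 0 if removed == "-" else int(removed)})
    return files

def record_push(log, session, branch, numstat, now=None):
    """Append one audit entry for a push, refusing expired sessions."""
    now = time.time() if now is None else now
    if now >= session["expires_at"]:
        raise PermissionError("session expired; re-authenticate via SSO")
    files = parse_numstat(numstat)
    entry = {"timestamp": int(now), "session_id": session["id"], "user": session["user"],
             "actor": session["actor"],  # "human" or "agent" (assumed field)
             "branch": branch, "files": files,
             "lines_added": sum(f["added"] for f in files),
             "lines_removed": sum(f["removed"] for f in files),
             "prev_hash": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = _digest(entry)  # covers every field above, including prev_hash
    log.append(entry)
    return entry

def verify_chain(log):
    """Return True only if every entry's hash and back-link still match."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

The chain detects edits to recorded entries; detecting truncation of the newest entries additionally requires storing the latest hash somewhere the log writer cannot modify.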
This is the difference between a team that uses AI to write code and a team that has built the infrastructure to deliver it safely. The audit trail is not a compliance exercise; it is the thing that lets the board distinguish between "AI helped us ship faster" and "AI shipped something we cannot explain." Scail's AI Risk Value Index maps exactly this gap in the execution and governance layer, where most organisations are still running on trust rather than evidence.
What boards need to see now
Most businesses are already using AI to write and commit code. Very few have an audit trail that distinguishes commits made by AI from commits made by humans, or that shows what credentials authorised each push.
The Scail AI Risk & Value Scorecard gives leaders a clear view across the eight dimensions of AI capability, from strategy and risk through to execution and value realisation. It is not a snapshot. It is a running picture of where AI delivery is controlled, where credentials are governed, and where the organisation is exposed.
AI is no longer just a technology concern. It is a delivery concern, a governance concern, a compliance concern, and a board concern.
The winners will not be the businesses shipping the most AI code. They will be the businesses that know exactly what their AI shipped, and can prove it.
Read more about our AI Risk & Value Scorecard.