AI Makes Code Cheap. It Makes Trust Expensive.

The full picture: from vibe coding crisis to work provenance infrastructure.

Here is the thread: AI writes most of the code now, and code review cannot keep up. But code is just the beginning — AI is rewriting PDFs, spreadsheets, contracts, and slide decks too. I am a biologist, so I thought about it in risk tiers. That led me to a council of AI reviewers. That led me to CodeGuard. That led me to vision models and deterministic diffs for everything. That led me here: work provenance infrastructure.

The Economics Changed Before the Tools Did

In 2025, the cost of producing code dropped to near zero. A junior developer can now produce 500 lines of working code in the time it used to take to write 50.

The cost of reviewing that code did not drop at all. A senior engineer still needs the same 45 minutes to understand what 500 lines do. The bottleneck moved from production to verification.

I wrote about this in Vibe Coding Broke Code Review. When output velocity exceeds review capacity, you skip reviews or slow down. Neither is acceptable.

The Problem Is Not Code-Specific

A marketing team uses AI to generate 30 pieces of collateral a week. A legal team drafts contracts with AI assistance. A finance team builds models from AI-suggested formulas. Every output needs verification. Every one is produced faster than any human review process can absorb.

I called this Everything Is a Diff. Every AI-assisted change is a diff from the previous state. Diffs are governable if you have the right infrastructure.

Risk Tiers: The Biologist Instinct

I spent years in molecular biology before I wrote software. In the lab, you do not treat every experiment the same way. That instinct carried over. A Biologist Risk Model describes L0 through L4 tiering. The tier determines review depth, reviewer count, and evidence required.

Many Eyes Make All Bugs Shallow

All Bugs Are Shallow describes the council model: multiple AI reviewers, different models, all examining the same artifact independently. Three models with 85% accuracy and uncorrelated failure modes catch more than one model at 95%.
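The council claim rests on the word "uncorrelated". The following is an added example, not code from the original post or from CodeGuard, that works the arithmetic both ways: three independent 85% reviewers versus one 95% reviewer, and then the same three reviewers when some fraction of bugs sits in a shared blind spot that every model misses. The shared-blind-spot model and the numbers are constructed assumptions for illustration.

```python
"""Added example (not from the original post): detection probability of a
reviewer council with independent versus correlated failures.
All accuracies and blind-spot fractions below are constructed assumptions."""


def independent_catch_rate(accuracies):
    """P(at least one reviewer flags a real bug) when misses are independent.

    Each reviewer misses with probability (1 - accuracy); the council misses
    only if every reviewer misses.
    """
    miss = 1.0
    for acc in accuracies:
        miss *= 1.0 - acc
    return 1.0 - miss


def correlated_catch_rate(accuracy, n, shared_miss):
    """Council catch rate when failures are partly correlated.

    Assumed model: a fraction `shared_miss` of real bugs lies in a blind spot
    that every model shares (all n reviewers miss them). The remaining bugs
    are missed independently. The independent miss rate is chosen so that
    each single reviewer still has the stated overall `accuracy`:
        (1 - accuracy) = shared_miss + (1 - shared_miss) * m_ind
    """
    total_miss = 1.0 - accuracy
    if not 0.0 <= shared_miss <= total_miss:
        raise ValueError("shared_miss must lie between 0 and 1 - accuracy")
    if shared_miss == total_miss:
        return accuracy  # every miss is a shared miss; the council adds nothing
    m_ind = (total_miss - shared_miss) / (1.0 - shared_miss)
    # Bugs outside the blind spot are caught unless all n independent misses happen.
    return (1.0 - shared_miss) * (1.0 - m_ind ** n)


def max_shared_blind_spot(accuracy, n, target, step=0.001):
    """Largest shared-blind-spot fraction (scanned in `step` increments) at which
    an n-model council of the given per-model accuracy still reaches `target`."""
    best = None
    limit = 1.0 - accuracy
    i = 0
    while True:
        s = i * step
        if s > limit:
            break
        if correlated_catch_rate(accuracy, n, s) >= target:
            best = s
        i += 1
    return best


if __name__ == "__main__":
    single = 0.95
    council = independent_catch_rate([0.85, 0.85, 0.85])
    print(f"one reviewer at 95%:                 {single:.4f}")
    print(f"three independent reviewers at 85%:  {council:.4f}")
    for s in (0.0, 0.02, 0.05, 0.10, 0.15):
        print(f"shared blind spot {s:.2f}: council catches {correlated_catch_rate(0.85, 3, s):.4f}")
    print("largest blind spot that still beats 95%:",
          max_shared_blind_spot(0.85, 3, single))
```

With fully independent misses the council catches about 99.7% of real bugs, comfortably above the single 95% model. The same council drops below the single model once roughly 5% of bugs fall in a blind spot common to all three, which is why the council needs genuinely different models rather than three prompts against the same one.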

CodeGuard: From Theory to Production

CodeGuard is a GitHub Action. Every PR gets triaged, reviewed by multiple AI models, and sealed into an evidence bundle. 737 tests. Five risk tiers. But it only handles code.

Vision Models Change Everything

Vision Models and Deterministic Diffs extended the guard lane model to PDFs, spreadsheets, and images. That was the moment I realized we were not building a code review tool.

Work Provenance Infrastructure

The category claim: Work Provenance Infrastructure for the AI Office.

Every piece of work needs a chain of custody. Today, the market is fragmented:

Vanta/Secureframe verify that you have a process, not that any artifact was reviewed.
GitHub manages workflow. A PR approval is a button click, not evidence.
DocuSign captures signatures, not the chain of custody.
Purview tracks data movement, not decision quality.
Semgrep/Snyk scan for vulnerabilities. Scanning is not governance.

The GRC market grows from 9.2B (2024) to 27.7B (2033). The missing middle is semantic artifact governance.

The Architecture

FastAPI backend. 149 API endpoints. Four guard lanes. Evidence bundle spec v0.2.0 with offline verification. The trust layer is Apache 2.0. The convenience layer is paid. A trust layer that requires you to trust the vendor is not a trust layer.
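"Offline verification" is the property that makes a trust layer independent of its vendor: anyone holding the bundle, the artifact, and a seal value recorded out of band can check it with nothing but a hash function. The following is an added example, not the evidence bundle spec v0.2.0 or CodeGuard code, showing the minimal shape of such a bundle: a manifest that binds the artifact digest, the risk tier, and a digest of every reviewer's verdict, sealed by a digest of the manifest. The bundle layout, field names, tier label, sample artifact and sample reviews are all constructed assumptions; in a real deployment the seal would additionally be signed or published so it cannot be silently re-computed.

```python
"""Added example (not the page's spec or code): a minimal evidence bundle with
offline verification. Field names, sample artifact and reviews are constructed."""
import copy
import hashlib
import json


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so digests are reproducible on any machine."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_bundle(artifact: bytes, tier: str, reviews: list) -> dict:
    """Seal an artifact plus its reviewer verdicts into a self-describing bundle."""
    manifest = {
        "artifact_sha256": sha256_hex(artifact),
        "tier": tier,
        "review_sha256": [sha256_hex(canonical(r)) for r in reviews],
    }
    # The seal is the digest of the canonical manifest; it is what gets recorded
    # out of band (assumed: signed or published) so the bundle cannot be re-sealed.
    return {"manifest": manifest, "reviews": reviews,
            "seal": sha256_hex(canonical(manifest))}


def verify_bundle(bundle: dict, artifact: bytes, expected_seal: str):
    """Recompute every digest; needs no network and no vendor service."""
    manifest = bundle["manifest"]
    if sha256_hex(canonical(manifest)) != expected_seal:
        return False, "manifest does not match the recorded seal"
    if manifest["artifact_sha256"] != sha256_hex(artifact):
        return False, "artifact differs from the one that was reviewed"
    reviews = bundle["reviews"]
    if len(reviews) != len(manifest["review_sha256"]):
        return False, "review count differs from the manifest"
    for i, (review, digest) in enumerate(zip(reviews, manifest["review_sha256"])):
        if sha256_hex(canonical(review)) != digest:
            return False, f"review {i} was altered after sealing"
    return True, "bundle verified offline"


def tampered_copy(bundle: dict, review_index: int, field: str, value) -> dict:
    """Return a copy of the bundle with one review field changed (for testing)."""
    altered = copy.deepcopy(bundle)
    altered["reviews"][review_index][field] = value
    return altered


# Constructed sample input: a small PR diff and three reviewer verdicts.
SAMPLE_ARTIFACT = (b"diff --git a/pay.py b/pay.py\n"
                   b"+def transfer(src, dst, amount):\n"
                   b"+    src.balance -= amount\n"
                   b"+    dst.balance += amount\n")
SAMPLE_REVIEWS = [
    {"model": "reviewer-a", "verdict": "request_changes",
     "finding": "no check that amount is positive or that src has funds"},
    {"model": "reviewer-b", "verdict": "request_changes",
     "finding": "negative amount reverses the transfer direction"},
    {"model": "reviewer-c", "verdict": "approve", "finding": ""},
]


def demo():
    bundle = build_bundle(SAMPLE_ARTIFACT, "L3", SAMPLE_REVIEWS)
    ok, why = verify_bundle(bundle, SAMPLE_ARTIFACT, bundle["seal"])
    flipped = tampered_copy(bundle, 1, "verdict", "approve")
    bad, why_bad = verify_bundle(flipped, SAMPLE_ARTIFACT, bundle["seal"])
    return ok, why, bad, why_bad


if __name__ == "__main__":
    print(demo())
```

Flipping one reviewer's verdict after sealing fails the review digest check; re-sealing the edited manifest instead fails against the seal recorded out of band; swapping in a different artifact fails the artifact digest check. Every check runs from the bundle and the artifact alone, which is the sense in which the trust layer does not require trusting the vendor.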

The Thread, Complete

Vibe coding broke code review. Risk tiers make the problem tractable. A council makes it scalable. CodeGuard proves the model. Vision models extend it to everything. Work provenance infrastructure is the result.

Seven posts. One thread. A biologist who saw the immune system was missing and decided to build it.


Ready to close the trust gap? Book a 30-minute walkthrough. Already on GitHub? Install CodeGuard now.