← FIELD NOTES
AI GOVERNANCE

AI Governance for Engineering: Policy vs Method

By Luis Goncalves·7 min read·Jun 30, 2026

AI governance for engineering teams: ~90% use AI coding tools but only 32% govern them. Why a Copilot policy isn't a method — and what closes the real gap.

AI governance for an engineering team is not a procurement decision plus a Confluence page — it is a method. Roughly 90% of engineering leaders say their teams use AI coding tools, but only 32% have any formal governance (Cortex 2026). A policy tells engineers to be careful. A method tells them what to do, in what order, with what artifacts.

If you are a CTO searching "AI governance software development," you have probably already bought the enterprise tier and written the policy. Here is why that is not enough — and what actually closes the gap.

Why ~90% of teams use AI but only 32% govern it

The adoption numbers are settled. About 90% of engineering leaders report their teams using AI coding assistants (Cortex 2026); 84% of developers use or plan to use AI tools (Stack Overflow 2025). The governance numbers are not. Of the 80% of organizations using AI in operations, only 14% have enterprise-level AI governance (Pacific AI 2025). ModelOp's 2025 survey found 75% of firms have AI usage policies but only 36% have formal governance.

The distance between those two sets of numbers is where the cost lives. AI-generated code introduced security flaws in 45% of tasks across more than 100 models tested — 72% for Java specifically (Veracode 2025). Teams with heavy AI adoption see 23.5% more production incidents per pull request (Cortex 2026). And 80% of developers already bypass their organization's AI code-security policies (Snyk 2025) — which tells you something important. The policy exists. It is being ignored, at scale, and nobody is watching.

A Copilot policy is a procurement decision plus a Confluence page

When a CTO says "we have governance," what the organization usually has is a procurement decision and a paragraph on a Confluence page. The procurement decision names the approved tools. The paragraph reminds engineers to review AI output carefully. Neither one addresses what happens between an engineer's prompt and the merge button — which is the only place governance can actually operate.

This is not because organizations don't care. It is because AI-assisted work runs at a velocity the existing governance was never designed for. A reviewer takes about as long to read 100 lines of AI-generated code as 100 lines of human code — but the AI lines arrived four to ten times faster, and the reviewer is quietly deciding to trust intent rather than verify origin. Static analysis catches what it was trained to catch; it does not catch the failure modes AI specifically introduces. A policy written for human-pace engineering governs a world that no longer exists.

The uncomfortable version: a policy produces a clean answer on a vendor questionnaire while changing nothing about how code is actually produced. That is unstructured AI adoption wearing the costume of governance. The failure mode it permits is vibe coding at organizational scale — prompting toward "looks about right" with no specification, no architecture, no verification — and it does not stop being vibe coding because a PDF disapproves of it.

What a method provides that a policy can't

A method is not a longer policy. It is a coherent set of practices — what people do every day, in what order, with what artifacts, against what standard. CRAFT Method structures that into five practices: Curate, Refine, Architect, Fortify, Test. But the reason a method beats a policy is not the acronym. It is four properties a policy structurally cannot deliver.

PropertyA policy gives youA method gives you
Shared language"Be careful with AI output"A named failure — "that's a Curate gap, the AGENTS.md never surfaced the pattern" — fixed in minutes, not a 40-minute call to the architect
Defensible position"Our engineers are careful"A documented practice and maturity level you can show a regulator or an insurer
Learning curveNew hires imitate whoever sits nearestNew hires learn the method; 100 hires over five years become 100 consistent practitioners
Measurement"Are we doing AI well?" stays a feelingA diagnostic score, a maturity archetype, and the specific weak practices to fix first

Those four — language, defensibility, a learning curve, measurement — are what an organization gets from a method and cannot buy from a tool or assert in a policy. Tools support the method; the method is what produces the properties.

Governance is measured in artifacts, not meetings

"Governance isn't a checkpoint anymore; it's a circuit breaker built into the pipeline," says DV Lamba, CTO of OneTrust (Starcio 2026). The test of whether AI output is governed is not whether a meeting happened. It is whether the output is traceable to a specification, whether patterns are enforced automatically instead of by reviewer goodwill, and whether compliance hooks are built into the pipeline rather than promised in a document.

That distinction is about to get expensive. The EU AI Act's high-risk obligations become enforceable on 2 August 2026, and Article 12 automatic logging is architectural — it records the invoking user, model version, inputs, outputs, reviewer, and disposition. You cannot retrofit it into a 90-day sprint, and you cannot satisfy it with a policy paragraph. Separately, since 1 January 2026, general-liability insurers (via Verisk's CG 40 47 and CG 40 48 endorsements) can broadly exclude generative-AI claims — and underwriters now ask for evidence of governance before they renew. "Our engineers are careful" is not evidence. A maturity assessment with documented practices is.

How to know where your org actually stands

The METR randomized study is the reason measurement beats instinct: experienced developers were 19% slower with AI tools while reporting they were 20% faster — a 39-point gap between feeling and fact (METR 2025). Without a method, "are we governing AI well?" is answered by that same broken instinct. With one, it has a number. Structured AI practices also show up in the hard metrics — time-to-tenth-PR for new hires dropped from 91 days without AI to 49 days with daily, disciplined use (DX 2025).

Start by measuring, not by writing another policy. The Free Scorecard is 25 questions and five minutes, covering the Curate practice, and returns your starting archetype — from Ad-Hoc Org to AI-Native Org. The full 125-question Enterprise Diagnostic scores all five practices and tells you which sub-practices are weakest and what to fix first; the AI engineering maturity model explains the five archetypes behind the score. CRAFT Method was not designed in a boardroom — it was forged building FIKR Space, a production software ecosystem built solo with AI over eleven months. Every claim has receipts.

Scrum structured agile. CRAFT Method structures AI-native development. Your team is already using AI to write code. The only open question is whether they are doing it with a method, or without one.

Frequently asked questions

What is AI governance for software development?

AI governance for software development is the set of applied practices — not just written policies — that control how AI coding tools are used, what gets reviewed, and how output is verified before it ships. Only 32% of organizations that use AI have any formal governance (Cortex 2026), and a policy alone does not qualify: 80% of developers bypass AI code-security policies (Snyk 2025). Real governance is enforced in the pipeline, not asserted in a document.

Isn't a Copilot or Cursor policy enough to govern AI coding?

No. A tool policy names the approved tools and reminds engineers to be careful. It says nothing about what happens between the prompt and the merge — where the 45% security-flaw rate (Veracode 2025) and the 23.5% increase in incidents per PR (Cortex 2026) actually originate. A policy is a procurement decision plus a Confluence page; governance is a method with practices, artifacts, and measurement.

What's the difference between an AI coding policy and a method?

A policy is a static document that states rules. A method is a coherent set of practices performed every day, in order, with artifacts — AGENTS.md files, ADRs, specifications, quality gates — and a maturity model to measure against. A policy gives you a defensible-sounding sentence; a method gives you shared language, a defensible position, a learning curve for new hires, and a measurement system.

How do I start governing AI coding tools?

Start by measuring where you are, not by writing another policy. Take the Free Scorecard to get your archetype, then run the full diagnostic to find your weakest practices. Governance follows from practice — Curate, Refine, Architect, Fortify, Test — not the other way around.

Your team is already using AI to write code. With a method, or without one?

Get your free score