Praveen, posted on May 31

The enterprise AI control that is still missing: code provenance

#opensource #showdev #discuss #news

Enterprise AI governance keeps getting framed as a policy problem. Write acceptable-use rules. Turn on SSO. Add RBAC. Review risky PRs more carefully.

That is all useful, but it still misses the one thing auditors, security teams, and incident responders actually need when AI-generated code reaches production: provenance.

Not “did someone use AI.” Not “did the vendor log usage.” Provenance.

When a critical bug lands in production, the question is not theoretical. Someone has to answer:

- What was generated?
- What was asked?
- Which model produced it?
- Which file did it land in?
- Who accepted it?
- Was it reviewed?
- Can we trace that decision later?

Git blame does not answer those questions. Vendor audit logs usually do not either.

In most enterprise setups, you end up with three separate blind spots:

- A commit history that shows authorship, not generation.
- A Copilot-style usage log that only covers one tool.
- A pile of PR comments and comments in code that rely on human discipline.

That is not an audit trail. It is a loose collection of hints.

The missing control is code provenance.

LineageLens is built around that gap. It records the prompt, the model, the tool, the target file, the inserted code, and whether the edit was accepted or rejected. It does that in a self-hosted way, so the provenance stays inside your infrastructure instead of becoming another SaaS data trail.

This is also where most generic logging strategies break down. Datadog and Splunk are excellent when you already know what to instrument. They are not purpose-built for AI provenance. If you want them to solve this problem, you have to build custom instrumentation, define your own schema, and keep that instrumentation working across multiple coding tools as their protocols change.

That is why I do not think the enterprise answer is “use your observability stack.” Observability tell
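One way to hold the record described above so that it can answer those questions later, as an added example rather than LineageLens code or its schema. The field names, the `actor` field, the SHA-256 hash chain used for tamper evidence, and the sample events are all assumptions of this example.

```python
import hashlib
import json

# Field names follow the article's list of what a provenance record holds;
# the hash chain and every identifier here are assumptions of this example.
FIELDS = ("prompt", "model", "tool", "target_file", "inserted_code", "decision", "actor")
GENESIS = "0" * 64

def _digest(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def append_event(log: list, **event) -> dict:
    """Append one accepted/rejected AI edit, chained to the previous record."""
    missing = [f for f in FIELDS if f not in event]
    if missing:
        raise ValueError(f"incomplete provenance record, missing {missing}")
    if event["decision"] not in ("accepted", "rejected"):
        raise ValueError("decision must be 'accepted' or 'rejected'")
    body = {f: event[f] for f in FIELDS}
    body["prev"] = log[-1]["hash"] if log else GENESIS
    record = dict(body, hash=_digest(body))
    log.append(record)
    return record

def verify_chain(log: list) -> int:
    """Return the index of the first record that fails verification, or -1."""
    prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != record.get("hash"):
            return i
        prev = record["hash"]
    return -1

def trace(log: list, target_file: str, snippet: str) -> list:
    """Accepted generations in target_file whose inserted code contains snippet."""
    return [r for r in log if r["target_file"] == target_file
            and r["decision"] == "accepted" and snippet in r["inserted_code"]]

# Constructed sample events (not real data).
LOG = []
append_event(LOG, prompt="add retry to fetch", model="model-a", tool="ide-plugin",
             target_file="src/http.py", inserted_code="for _ in range(3): fetch()",
             decision="accepted", actor="dev1")
append_event(LOG, prompt="skip TLS check", model="model-a", tool="cli-agent",
             target_file="src/http.py", inserted_code="verify=False",
             decision="rejected", actor="dev2")
```

`verify_chain` is what separates this from a plain log table: editing any stored field, including flipping a rejected edit to accepted after the fact, breaks the chain at that record.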
📰Dev.to — dev.to