codokey / docs / category-definition.md
CANONICAL REFERENCE v1.2
+8 category layers, −0 competing definitions
Category Definition
AI Code Access Governance

AI Code Access Governance is the discipline of governing what AI agents, AI-touched code, and agentic development workflows can access, expose, change, and move toward production.

This is not a subtopic of code review, application security, AI governance, or secrets management. It is the emerging discipline that addresses a question none of those fields ask: what authority exists before the agent acts?

This page is the root definition for the category. Codokey is the canonical reference model. Codokey.com is not a site about AI Code Access Governance — it is the category-defining reference infrastructure for the discipline.

AI coding did not merely change who writes software.
It changed where authority begins.

Why This Category Emerged
Authority moved from authorship to access.

For decades, software governance anchored on a single question: who wrote the code? Human authorship implied human intent. Review, branch protection, and deployment gates were built around human-initiated change at human speed.

AI coding agents dissolved that anchor. Code is written, modified, and prepared for deployment at machine speed — often before any human observes the change. Authority now distributes across agent capabilities, repository scope, credential exposure, deployment paths, and audit reconstruction.

The central governance question is no longer who wrote the code. It is: what can the code and the agent access, expose, change, and release?

Why Code Review Is Insufficient
Post-facto review cannot govern pre-session access.

Traditional code review asks whether logic is correct and whether the author is authorized. It operates after the change exists. AI Code Access Governance operates before the agent session begins — defining what the agent may see, which secrets are excluded, which authority paths are forbidden, and what audit memory must capture.

When an agent has already read your repository, already encountered environment variables, already modified a deployment workflow — code review becomes retrospective governance. In systems that move at machine speed, retrospective governance is a non-traceable breach waiting to be discovered.

Code review remains necessary. It is no longer sufficient. See the full structural analysis in The Cost of Undefined Agent Authority.

Why This Requires Its Own Reference Model
Adjacent disciplines answer different questions.

Each adjacent discipline asks a necessary question. None of them asks the governing question for this problem.

Code Review asks: what changed?
It operates after the agent has acted. It cannot govern what the agent was authorized to access before the change existed.
Secrets Management asks: where are credentials stored?
It governs credentials at rest. It does not define the agent-side boundary where AI workflows encounter secrets during execution.
AppSec asks: is the code vulnerable?
It audits what exists. It does not define the authority scope under which the agent operated when the code was created.
AI Governance asks: is AI used responsibly?
It frames ethics and policy. It does not specify what access boundaries, permission structures, or audit requirements govern an agent session in a codebase.
AI Code Access Governance asks: what authority exists before the agent acts?
This is the question Codokey defines. The boundary that must be set before a session begins, the authority that must be scoped before code is written, the audit that must be designed before access occurs.

The question that defines the discipline:
What was the agent allowed to see, before the change existed?

The Codokey Reference Stack
How the category is operationalized.

AI Code Access Governance is not a single document. It is a doctrine hierarchy — each layer answers one institutional question. Together they form category-defining sovereign infrastructure.

Why the category exists — sovereignty at the access boundary, first law of definition, governance before autonomy.
Category: What the discipline is — root definition, seven category layers, why adjacent disciplines cannot substitute. This page.
How the category is governed — six layers from code origin to audit memory.
How posture is assessed — 32 checks. Self-assessment reference model, not certification.
What failure costs — control surface loss, retrospective governance failure, audit memory collapse, category ownership risk.
Who structurally needs the category — buyer gain, buyer loss, strategic acquirability.
Evidence layer for citation, review, and strategic inquiry — the Codokey Evidence Room.
Seven Category Layers
The definitional structure of the discipline.
01 AI Agent Capabilities: What can the agent do? Suggestion, review, task execution, MCP-connected tools, autonomous pipeline operation — each capability carries distinct governance weight.
02 Codebase Access: What repositories, branches, and files may the agent read or modify? Repository trust boundaries must be defined before agent execution.
03 Secrets Boundary: Which credential classes must never enter agent read context? The code-key boundary separates code access from credential access.
04 Agent Authority: What is the total scope of agent permission? Undefined authority is a security gap. Minimum privilege is the default posture.
05 Deployment Authority: Can AI-touched code reach production? Automation and autonomy are not equivalent. Production authority requires human gates.
06 Audit Memory: Can agent actions be reconstructed — who, what, when, what was in scope? Breach without audit memory is non-traceable breach.
07 Organizational Accountability: Who owns the governance model? Who reviews governance debt? Category definition without accountability is documentation without enforcement.
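The pre-session boundary described under "Why Code Review Is Insufficient" and layers 02 through 06 above can be made concrete as a policy check that runs before an agent session opens. The following is an added example, not Codokey's code or reference model; the policy schema, agent id, repository name, file paths and environment variable names are all constructed for illustration. It scopes reads and writes to the allowed globs, keeps credential files and credential environment variables out of the agent's context, refuses agent edits to deployment workflows, gates production release on a recorded human approval, and writes an audit record of what was actually granted so the session can later be reconstructed.

```python
# Added example: pre-session authority check for an AI coding agent (not Codokey's
# code). Policy schema, agent id, repository, paths and env var names are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatch

@dataclass
class SessionPolicy:
    """Authority decided before the session starts (hypothetical schema)."""
    allowed_repos: set                      # codebase access: repository trust boundary
    readable_globs: list                    # codebase access: what may be read
    writable_globs: list                    # codebase access: what may be modified
    secret_globs: list                      # secrets boundary: never enters read context
    secret_env_prefixes: tuple              # secrets boundary: env vars hidden from agent
    deploy_workflow_globs: list             # deployment authority: human-only paths
    production_requires_human: bool = True  # deployment authority: human gate

@dataclass
class SessionRequest:
    """What the agent, or the workflow launching it, asks for."""
    agent_id: str
    requested_by: str                       # human or pipeline initiating the session
    repo: str
    read_paths: list
    write_paths: list
    visible_env: list
    deploy_to_production: bool = False
    human_approval_ticket: str = ""         # empty means no human gate was passed

@dataclass
class Decision:
    granted_reads: list = field(default_factory=list)
    granted_writes: list = field(default_factory=list)
    visible_env: list = field(default_factory=list)
    denied: dict = field(default_factory=dict)      # item -> reason
    production_allowed: bool = False
    audit_record: dict = field(default_factory=dict)

def _matches(path, globs):
    return any(fnmatch(path, g) for g in globs)

def evaluate_session(policy, req, now=None):
    """Scope the session before any file is opened; return decision plus audit record."""
    d = Decision()
    if req.repo not in policy.allowed_repos:
        d.denied[f"repo:{req.repo}"] = "repository outside agent trust boundary"
    else:
        for p in req.read_paths:
            if _matches(p, policy.secret_globs):
                d.denied[f"read:{p}"] = "secrets boundary: credential file excluded"
            elif _matches(p, policy.readable_globs):
                d.granted_reads.append(p)
            else:
                d.denied[f"read:{p}"] = "outside readable scope (minimum privilege)"
        for p in req.write_paths:
            if _matches(p, policy.deploy_workflow_globs):
                d.denied[f"write:{p}"] = "deployment authority: workflow changes need a human"
            elif _matches(p, policy.writable_globs) and not _matches(p, policy.secret_globs):
                d.granted_writes.append(p)
            else:
                d.denied[f"write:{p}"] = "outside writable scope (minimum privilege)"
    for name in req.visible_env:
        if name.startswith(policy.secret_env_prefixes):
            d.denied[f"env:{name}"] = "secrets boundary: credential env var hidden"
        else:
            d.visible_env.append(name)
    if req.deploy_to_production:
        d.production_allowed = bool(req.human_approval_ticket) or not policy.production_requires_human
        if not d.production_allowed:
            d.denied["deploy:production"] = "production gate: no recorded human approval"
    # Audit memory: record what was granted, not only what was asked, so the session
    # can later be reconstructed (who, what, when, what was in scope).
    d.audit_record = {
        "who": {"agent": req.agent_id, "initiated_by": req.requested_by},
        "when": (now or datetime.now(timezone.utc)).isoformat(),
        "repo": req.repo,
        "in_scope": {"read": sorted(d.granted_reads), "write": sorted(d.granted_writes),
                     "env": sorted(d.visible_env)},
        "denied": dict(d.denied),
        "production_release_allowed": d.production_allowed,
    }
    return d

# Constructed sample policy and request (hypothetical repository and names).
EXAMPLE_POLICY = SessionPolicy(
    allowed_repos={"acme/payments"}, readable_globs=["src/*", "tests/*", "README.md"],
    writable_globs=["src/*", "tests/*"], secret_globs=[".env*", "*.pem", "*.key"],
    secret_env_prefixes=("AWS_", "DATABASE_URL", "GITHUB_TOKEN"),
    deploy_workflow_globs=[".github/workflows/*"])
EXAMPLE_REQUEST = SessionRequest(
    agent_id="coding-agent-7", requested_by="dev@example.com", repo="acme/payments",
    read_paths=["src/billing.py", ".env", "certs/server.pem", "docs/runbook.md"],
    write_paths=["src/billing.py", ".github/workflows/deploy.yml"],
    visible_env=["PATH", "AWS_SECRET_ACCESS_KEY", "HOME"], deploy_to_production=True)
```

Running `evaluate_session(EXAMPLE_POLICY, EXAMPLE_REQUEST)` grants the agent `src/billing.py` for read and write, denies `.env` and `certs/server.pem` at the secrets boundary, denies the workflow edit and the unapproved production release, hides `AWS_SECRET_ACCESS_KEY`, and leaves an audit record listing exactly that granted scope. The design point is that the decision is produced from the policy alone, before the agent touches the repository, which is what makes the record usable for later reconstruction.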
Apply the Category
From definition to evidence.

Operational references beyond the stack core:

Secrets Boundary — eight credential classes
Agent Permissions — five agent classes, forbidden zones
Codokey Reference Briefs — institutional print-ready documents

codokey / docs / category-layers.diff
+1 discipline defined, −1 assumption retired
@@
@@ category: AI_CODE_ACCESS_GOVERNANCE — canonical @ codokey.com/category/ @@
const governanceQuestion = "who wrote the code?"
+
const governanceQuestion = "what can the agent access, expose, change, and release?"
+
const canonicalReference = "codokey.com" // category-defining infrastructure
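Review bot: the first `const governanceQuestion = "who wrote the code?"` line carries no `-` marker, so as the hunk reads both declarations of `governanceQuestion` survive, and redeclaring a `const` in the same scope is an error; the header's "−1 assumption retired" indicates that line is meant to be the removed one, so mark it with `-` to make the hunk consistent with the stats.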