Linux Kernel Community: AI assistance is acceptable, but accountability is non-negotiable

Guest blog post by Dr. Ibrahim Haddad

The Linux kernel community recently published guidance on using AI coding assistants in contributions. The message is pragmatic: the Linux kernel community acknowledges AI assistance and clarifies that it does not change expectations for review, licensing compatibility, and human accountability. AI agents must not add Signed-off-by. Only a human can certify the Developer Certificate of Origin (DCO), ensure GPL-2.0-only compatibility, correct SPDX identifiers, and take responsibility for the submission. The Linux kernel community and maintainers deserve real credit for putting this clear guidance in writing, providing a lighthouse for other projects and enterprises navigating the same shift.

The Linux kernel is one of the most mature technical communities in open source, and its guidance is far from ideological. It is grounded in practicality and has implications far beyond the Linux kernel. Let’s explore that.

Accountability and DCO

The kernel’s contribution model is strict about accountability and review, because those norms are how the project scales. Open source projects widely use the DCO as a contributor attestation mechanism: the signer asserts they have the right to contribute the code and that the contribution complies with the project’s licensing requirements.

AI assistance does not change that premise. Why should it? In fact, the Linux kernel guidelines make accountability even more explicit by introducing a formal Assisted‑by tag.

Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2]

The Assisted-by tag identifies the AI agent/model and any specialized analysis tools used (basic development tools should not be listed). This new tag creates transparency for maintainers and reviewers and helps calibrate scrutiny without framing AI use as inherently suspect. In enterprise settings, you may choose to make equivalent disclosure mandatory to support auditability.

What the Linux kernel community is effectively saying is this: AI can help you write code, but it cannot assume responsibility for it. There is no such thing as “the model did it” in a project with legal and compliance obligations.

Enterprise Implications

Most enterprises are already using AI code assistance in one form or another. My keynote at the Open Source Business Conference 2025 in Seoul, S. Korea, covered that topic and urged enterprises to take a position, communicate it, and assume a holistic approach to address license compliance in light of the rapid adoption of generative AI technologies.

Given that most enterprises already use Copilot-, ChatGPT-, or Claude-like tools in their developers’ daily workflows, the adoption has moved at a much faster rate than governance. The Linux kernel’s guidance is a useful signal: if you use AI assistance, you still own review, licensing compatibility, and evidence of due diligence. AI changes the workflow, but it does not erase compliance obligations.

In many enterprises, the implicit assumption has been that AI‑assisted code is “just code” reviewed like any other change. That assumption is partially true. The Linux kernel guidelines point to exactly where the enterprise assumption breaks down.

AI assistance introduces new ambiguity around code provenance:

• Was the code generated from scratch or influenced by training data?
• Did it reproduce recognizable open source snippets?
  • If so, under what license was it originally released?
  • Is that license compatible with the distribution model?

None of these questions is new. What is new, in this context, is how easily they can surface and how confidently developers may rely on AI‑generated output without visibility into its origins. The Linux kernel community’s response is not to ban AI, but to require more explicit responsibility. Enterprises should take note and follow suit.

The approach adopted by the Linux kernel community does not resolve provenance uncertainty inside AI models. Instead, it ensures there is always a human accountable for review, licensing compatibility, and disclosure of AI assistance in the contribution workflow. If we translate that into enterprise terms, this leads us to a simple principle: AI assistance does not override your existing compliance obligations. If your enterprise already requires that licenses of combined code are compatible, that third‑party code is declared and tracked, and that you fulfill license obligations before or at distribution, then AI-assisted code must meet the same bar.

The OSPO Role

For OSPO leaders, the Linux kernel policy is useful because it is clear. It demonstrates how a large, legal‑sensitive open source ecosystem adapts to AI without rewriting its foundations.

Enterprises need the same translation:

• from developer convenience to organizational accountability,
• from individual productivity gains to portfolio‑level risk management.

OSPOs play a critical role as enablers who ensure that innovation remains sustainable. Practically, their role is to help development teams within their organization address questions like:

• How do we detect reused or reproduced open source snippets in AI‑assisted code?
• How do we verify licenses when the origin is opaque?
• How do we scale review beyond individual pull requests?
• How do we demonstrate due diligence to legal, customers, and auditors?

None of these questions requires fear, slowing adoption, banning experimentation, or thwarting innovation. These questions require infrastructure. In the early 2000s, many organizations were improvising open source license compliance as they went (mine included). The title of my first-ever report in 2000 as a Researcher at Ericsson was “What is the GNU General Public License?” Fast forward 10 years, in 2010, during my second tenure at the Linux Foundation, I founded and launched the Open Compliance Program, which today is an umbrella effort that covers technical projects, training, a yearly event (Open Compliance Summit), and much more. In that sense, compliance became ‘boring” in the best way possible because we have built the infrastructure to make it repeatable (policies, processes, training, tooling, a community of practitioners, events, etc.).

Today, generative AI changes the compliance risk surface again, so that infrastructure now needs to evolve to address new provenance and disclosure challenges.

Snippet Risk

AI-assisted development can introduce code fragments without a declared dependency. When that happens, dependency-only Software Composition Analysis (SCA) may miss obligations that are triggered by copied or highly similar code rather than by linked libraries. For that reason, organizations should treat snippet-level risk as a first-class compliance concern and complement traditional SCA with targeted controls that surface similarity signals for human review.

AI tools do not only recommend libraries; they can generate fragments, sometimes small, sometimes substantial, that resemble existing open source implementations. Those fragments may never appear as imported dependencies, yet they can still carry licensing obligations. The practical response is not to rely on developer self-reporting of what an AI tool may have influenced, but to institutionalize repeatable checks that strengthen due diligence and produce auditable evidence. In practice, a robust approach typically includes the ability to:

• Identify high-similarity code fragments and map them to the upstream open source project.
• Surface potential license implications even when code enters the repository without a declared third‑party component.
• Document review outcomes and decisions (in most companies, the body that conducts these reviews is called the Open Source Review Board or Open Source Steering Committee).

This approach is analogous to the Linux kernel’s community model of pairing transparent disclosure with explicit human accountability, extended in enterprises through scalable evidence collection and review workflows.

Transparency and Speed

It is tempting and “easy” to frame ensuring license compliance as friction. The Linux kernel guidelines push back on that assumption. By clarifying expectations (AI is allowed, but responsibility is explicit), the project enables contributors to move faster without ambiguity. Enterprises can do the same. When developers know that AI assistance is permitted, responsibility and accountability remain with the team, and tooling exists to support scalable provenance checks and evidence collection, AI becomes an accelerant rather than a hidden liability.

The Linux kernel does not operate like a corporation. But its norms often foreshadow where enterprise practice eventually lands, especially on questions of responsibility and trust. The position of the Linux kernel community is neither radical nor conservative. It is clear and consistent: Humans remain accountable, transparency matters, and legal obligations do not disappear because tooling changes. For OSPO leaders and compliance teams, this is a design pattern to follow.

Practical Next Steps

AI is now an integral part of software development. The critical priority for an enterprise is now how to integrate it into its existing governance models. Such an integration requires visibility into licenses, snippets, and provenance at a large scale. SCA platforms with robust snippet detection and provenance analysis become an operational necessity to support developers and enable them to use AI-assisted coding tools, and give them the confidence without creating hidden liabilities.

The position of the Linux kernel community is clear: AI assistance is acceptable, but accountability is non-negotiable. Enterprises should adopt the same principle: allow the tools, require review and disclosure, and ensure compliance evidence scales with the adoption of AI.

Disclaimer

The views expressed in this post are those of the author alone. They do not reflect the views of any current or previous employer.