Code-generation review gate

Supports: Direct verbatim source for the review-gate framing. Names the exact control mechanism: execution policies that flag AI-generated code with elevated privileges for manual review. The three scenarios in the MDX (DevOps Agent Compromise, Workflow Engine Exploitation, Linguistic Ambiguity) all originate from this entry.

Does not prove: The table-level mitigation is a one-sentence summary, not a deployment specification. Does not name branch protection, SAST tooling, or provenance attribution — those are Helmwart additions.

Supports: Verbatim statement of the core control requirement cited in the MDX independent-evidence section as "OWASP Agentic AI Mitigation Playbook P3". Exact wording match with the MDX.

Does not prove: Appears in a playbook/checklist section that also governs tool misuse broadly, not a freestanding T11-specific prescription. Helmwart surfaces it as a named control; the source presents it as a checklist item.

Supports: Names "separate code generation from execution with validation gates" and "Require human approval for elevated runs" as the two structural controls that define the review gate. Directly corroborates both the gate architecture and the privilege-separation framing in the MDX.

Does not prove: ASI05 mitigations are broader than a review gate (sandbox, eval-ban, SAST). The review gate is one item in a list, not the named centrepiece. Does not address AI provenance attribution or the separation-of-duty policy between AI and human reviewer roles.

Supports: The MDX cites MEASURE-2.7 as the NIST anchor for "human review for AI-generated code." MEASURE 2.7 does cover security and resilience evaluation — MS-2.7-001 explicitly names "autonomous agents" as a vulnerability class to assess. This is the closest NIST AI 600-1 hook for the control.

Does not prove: MEASURE 2.7 actions are evaluation and benchmarking requirements, not a human-review gate prescription. None of the MS-2.7 actions specify human review of AI-generated code before execution or merge. The MDX claim "NIST AI 600-1 … names human review for AI-generated code" overstates what MEASURE 2.7 says. Correction flagged.

Supports: Defines the human-review escalation path that the review gate opens onto. "Final adjudication should be conducted by a human decision-maker" is the structural principle behind the AI-cannot-self-approve policy.

Does not prove: Does not specify how the approval is triggered or that the trigger is AI-attribution in a commit. Covers the broader class of AI agent actions, not the narrower domain of code generation and merge gates specifically.

Supports: Named in the MDX atlasMitigations list. Validates AI artefacts before deployment — analogous to validating AI-generated code before merge. The backdoor-trigger language is directly relevant to the Workflow Engine Exploitation scenario in the MDX.

Does not prove: Concerns model-level validation, not code-level review. Does not address pull-request gates, branch protection, or AI-provenance attribution. Adjacent concern, not identical.

Supports: Canonical upstream source for the privilege-separation requirement that prevents an AI agent from approving its own code. "Potential for abuse of authorized privileges" is the exact risk that the AI-cannot-self-approve policy addresses. The MDX correctly cites this as the foundation for the separation-of-duty policy.

Does not prove: Pre-dates AI agents and does not mention LLMs, code generation, or agentic systems. The application to AI reviewer roles is a Helmwart inference from the generic principle.