April 24, 2026 · 8 min read

Governing AI Code Review: How Aira Stops Copilot Chaos

GitHub Copilot writes 12 comments on a PR. Three contradict each other. One suggests removing a security check. Nobody knows which to trust. Sound familiar?

The Problem: AI Agents Without Governance

Enterprises are rolling out AI-assisted code review at scale. Copilot, CodeRabbit, Sourcery, custom LLM agents — they all generate PR comments, suggest refactors, and flag issues. The problem isn't the AI. It's the lack of governance around it.

When an AI agent posts a comment on a PR, there's no audit trail of why it said what it said. There's no policy that says "this agent is allowed to suggest refactors but not security changes." There's no mechanism to check whether two models agree before a comment goes live. And there's no cryptographic proof that the comment wasn't tampered with after the fact.

The result: PR threads flooded with contradictory AI opinions, developers losing trust in the tooling, and security teams unable to prove what happened when something goes wrong.

Step 1: Set the Rules

Before any AI agent touches a PR, define what it's allowed to do. Aira's policy engine gives you four modes — use them together or separately:

Deterministic Rules (<1μs)

Hard boundaries. No LLM involved, no latency, no ambiguity.

# Rule: AI agents cannot suggest removing security checks
{
  "name": "Block security removals",
  "mode": "rules",
  "conditions": [{
    "field": "details",
    "operator": "contains",
    "value": "remove security"
  }],
  "decision": "deny"
}

# Rule: PR comments on critical repos require human approval
{
  "name": "Critical repo gate",
  "mode": "rules",
  "conditions": [{
    "field": "details",
    "operator": "contains",
    "value": "repo:payments-service"
  }],
  "decision": "require_approval"
}

Rules fire in under a microsecond. No model call, no cost. If the condition matches, the action is blocked or held — instantly.

AI Policies (~2s)

When rules are too rigid, write the policy in plain English. Aira sends it to a trusted LLM (you pick which one) and gets a decision with reasoning.

# AI policy evaluated by Claude Sonnet 4.6
{
  "name": "Code review quality gate",
  "mode": "ai",
  "ai_prompt": "Block any AI-generated code review comment that
    suggests removing error handling, weakening authentication,
    disabling logging, or bypassing security middleware.
    Allow style suggestions, performance improvements,
    and documentation additions.",
  "ai_models": ["claude-sonnet-4-6"]
}

# Result:
{
  "decision": "deny",
  "confidence": 0.97,
  "reasoning": "The suggested change removes the rate-limiting
    middleware on the /api/payments endpoint. This weakens
    authentication controls and should be blocked per policy."
}

The AI policy doesn't just match patterns — it understands the intent. "Remove the rate limiter for better performance" would pass a regex check but Claude catches the security implication.

Multi-Model Consensus (~5s)

For high-stakes decisions, don't trust a single model. Aira sends the same action to multiple models and scores their agreement.

# Consensus: 3 models vote on whether this PR comment is safe
{
  "name": "PR comment consensus",
  "mode": "consensus",
  "ai_prompt": "Should this AI-generated PR comment be posted?
    Evaluate for: accuracy, security implications,
    code quality impact, and potential for confusion.",
  "ai_models": [
    "claude-sonnet-4-6",
    "gpt-5.2",
    "gemini-3.1-pro"
  ]
}

# Result:
{
  "consensus": "REVIEW",
  "disagreement": "33%",
  "votes": [
    { "model": "claude-sonnet-4-6", "decision": "DENY",
      "reasoning": "Removes security middleware" },
    { "model": "gpt-5.2", "decision": "REVIEW",
      "reasoning": "Performance gain but security tradeoff" },
    { "model": "gemini-3.1-pro", "decision": "APPROVE",
      "reasoning": "Valid optimization" }
  ]
}

33% disagreement. One model wants to approve, one wants to deny, one says review. Aira holds the action for human review — no single model gets the final word. The scoring is deterministic: pure vote counting, no embeddings, no black-box aggregation.

Content Scanning (<5ms)

Before any AI output is posted, scan it for sensitive data. Aira's scanner runs NER (Microsoft Presidio) + 27 regex patterns in-process.

# AI comment contains leaked credentials
"Great refactoring! I also noticed the API key
 sk_live_abc123def456 in the config — you might
 want to rotate that."

# Aira scan result:
{
  "decision": "deny",
  "hits": [
    { "name": "stripe_secret_key", "severity": "critical" }
  ]
}
# → Comment blocked. Credential never posted publicly.

Step 2: Route Through the Gateway

If your AI code review agent calls an LLM (Copilot, Claude, GPT), route it through Aira's gateway. Two lines of config, zero code change.

from aira import gateway_openai_kwargs

# Before: direct to OpenAI
client = openai.OpenAI(api_key="sk-...")

# After: through Aira gateway
client = openai.OpenAI(
    api_key="sk-...",
    **gateway_openai_kwargs(aira_api_key="aira_live_...")
)

# Every call is now:
# 1. Scanned for sensitive data (NER + regex)
# 2. Policy-checked against your rules
# 3. Receipted with Ed25519 signature
# Zero code change in the rest of your app.

The gateway works with any OpenAI-compatible provider — OpenAI, Anthropic, Google, Ollama, or your self-hosted models. If the agent sends source code containing API keys, PII, or credentials, the gateway blocks it before it reaches the LLM.

Step 3: Human Approval for High-Risk Actions

Not everything should be automated. When an AI agent wants to merge a PR, deploy to production, or post a security-related comment, Aira holds it for human review.

# Agent tries to auto-merge a PR
auth = aira.authorize(
    action_type="pr_merge",
    details="Auto-merge PR #1847 to main (payments-service)",
    agent_id="code-review-agent",
)

# Result: pending_approval
# → Approver gets a secure single-use link
# → Reviews the full context (PR diff, AI reasoning, policy match)
# → Approves or denies
# → Decision is Ed25519-signed into the receipt chain

The approval decision is cryptographically signed. You can prove that a specific person approved a specific action at a specific time — not from a log file, but from a mathematical signature.

Step 4: Prove Everything

Every action — authorized, denied, or failed — gets an Ed25519 receipt with an RFC 3161 timestamp. The receipt commits the policy decision, scan results, approval chain, and outcome.

# Verify any receipt — no Aira account needed
$ curl api.airaproof.com/api/v1/verify/action/<uuid>

{
  "valid": true,
  "algorithm": "Ed25519",
  "signer": "did:web:airaproof.com",
  "timestamp_authority": "freetsa.org",
  "scan_result": "clean",
  "policy_decision": "authorized",
  "human_approval": "approved by security-lead@acme.com"
}

Anyone can verify the receipt with OpenSSL and the public key from/.well-known/jwks.json. No Aira account, no SDK, no vendor dependency. This is what EU AI Act Article 12 means by "tamper-evident automatic event logging."

The Full Picture

Here's what the flow looks like for an AI code review agent:

  1. Agent registers with a W3C DID — verifiable identity
  2. Policies are set — rules for instant blocking, AI for nuanced decisions, consensus for high-stakes
  3. Agent calls aira.authorize() before posting a PR comment
  4. Content scanner checks for leaked credentials, PII, prompt injection
  5. Policy engine evaluates against your rules
  6. Consensus (optional) — multiple models vote
  7. Human approval (if triggered) — security lead reviews
  8. Agent acts — posts the comment / merges the PR
  9. Receipt minted — Ed25519 + RFC 3161, publicly verifiable
  10. Compliance bundle — maps to EU AI Act, ISO 42001, SOC 2

Why This Matters Now

EU AI Act Article 12 requires tamper-evident logging for AI systems by August 2026. Every enterprise running AI code review agents needs audit trails that regulators can independently verify. "We have logs" is not the same as "we have cryptographic proof signed by two independent keys with an RFC 3161 timestamp from a trusted authority."

The difference is the difference between a log file and evidence.

Get Started

Two options:

  • SDK integration: pip install aira-sdk — add authorize() and notarize() around your agent's actions
  • Gateway: change base_url and add one header — zero code change, every LLM call governed

Free tier: 100 ops/month. No credit card.

Start free → Try the demo Read the docs