Antenore Gatta

Antenore Gatta

A proud and busy Hacker, Father and Kyndrol.

ARIA: Governing AI Participation in Software Development

- 5 mins

As AI tools become increasingly integrated into development workflows, a critical question emerges: how do we establish clear boundaries for AI participation in our codebases? This question led me to create ARIA (Artificial Intelligence Regulation Interface & Agreements), an open-source framework that gives developers granular control over how AI interacts with their projects. Interestingly, this blog is actually the first project using ARIA to define AI participation policies – a case of “dogfooding” our own solution.

Why We Need AI Governance in Software Projects

Before diving into ARIA, let’s consider the problem. AI coding assistants can generate everything from documentation to complex algorithms. But this capability raises important questions:

  • Which parts of your codebase should AI be allowed to modify?
  • Who holds responsibility for AI-generated code?
  • How can teams maintain human oversight while leveraging AI capabilities?
  • How do we document where and how AI has participated?

Without clear governance, AI participation becomes an unregulated variable in your development process, potentially introducing risks to security, quality, and accountability.

Introducing ARIA: A Framework for AI Participation

ARIA provides a standardized way to define policies that govern how AI tools interact with your codebase. Think of it as .gitignore for AI participation - a standard approach to define boundaries.

Core Features

version: 1.0
model: collaborator

defaults:
  allow: ["suggest", "review", "read"]  # AI can suggest, review and read by default
  deny: ["modify", "generate", "commit"]  # Explicitly deny direct modifications
  require:
    - human_review
    - human_responsibility
    - tests
    
paths:
  # Blog content - more permissive for drafting
  'content/posts/**/*.md':
    allow: 
      - suggest
      - review
      - analyze
      - read
      - generate
    deny:
      - modify
      - commit
    require:
      - human_review
      - human_responsibility
      
  # Configuration files - more restrictive
  'config/**/*':
    allow:
      - suggest
      - review
      - analyze
      - read
    deny:
      - modify
      - generate
      - commit
    require:
      - human_review
      - human_responsibility

The policy above is a simplified version of what I’m using for this blog. It allows AI to suggest and generate draft content for blog posts, but prevents direct modification of configuration files, and requires human review for everything.

Policy Models to Fit Your Needs

ARIA offers several predefined policy models to help teams get started quickly:

  1. GUARDIAN: Maximum restriction - suitable for sensitive projects where AI participation must be minimal
  2. OBSERVER: AI can only analyze code without suggesting modifications
  3. ASSISTANT: AI can suggest changes but can’t implement them directly
  4. COLLABORATOR: AI can contribute to specific project areas with clear boundaries
  5. PARTNER: Maximum AI participation with defined human oversight

Each model provides a starting point that you can customize to fit your specific needs.

Implementing ARIA in Your Workflow

Getting started with ARIA is straightforward:

# Install ARIA
pip install aria-framework

# Initialize ARIA in your project
ariacli init

# Apply a template policy
ariacli template apply assistant

# Validate your policy
ariacli policy validate

Once you’ve defined your policy, you can generate IDE-specific rule files:

# Generate rules for Windsurf
ariacli ide rules --ide windsurf

# Generate rules for Cursor
ariacli ide rules --ide cursor

These rules help ensure your AI tools respect the boundaries you’ve defined.

Real-World Application: This Blog

This blog implements ARIA policies with a model focused on content collaboration. The policy allows AI to:

  • Generate draft content for posts (with human refinement)
  • Suggest improvements to existing content
  • Help with formatting and structure

But explicitly prevents AI from:

  • Publishing content without review
  • Modifying configuration files
  • Altering core site functions

By creating this clear framework, I maintain control over what appears on my blog while still leveraging AI assistance for drafting and refining ideas.

AWS Integration Considerations

For those of us working in AWS environments, ARIA’s policy approach should feel familiar. There are interesting parallels between ARIA’s policy structure and AWS IAM policies:

  • Both use a similar “allow/deny” model
  • Both support resource-specific permissions via path patterns
  • Both implement a “least privilege” approach by default

This makes ARIA particularly intuitive for AWS professionals who already understand IAM concepts and Service Control Policies (SCPs).

Key Benefits of ARIA

From my experience implementing ARIA on this blog and other projects, I’ve found several key benefits:

  1. Transparency: Clear documentation of where AI has participated
  2. Control: Granular permissions based on paths and file types
  3. Accountability: Explicit requirements for human review
  4. Consistency: Standardized approach across projects and teams
  5. Integration: Works with existing development workflows and tools

Getting Started with ARIA

If you’re interested in implementing ARIA in your own projects:

  1. Check out the GitHub repository
  2. Read the documentation
  3. Start with a template policy and customize to your needs
  4. Integrate with your CI/CD pipeline for policy validation

Conclusion

As AI continues to transform software development, tools like ARIA provide a balanced approach to maximizing benefits while maintaining human control and oversight. By establishing clear boundaries for AI participation, teams can leverage AI capabilities without compromising on governance, quality, or security.

How are you currently managing AI participation in your projects? Have you established formal policies, or is it currently an ad-hoc process? I’d be interested to hear your approaches in the comments.

Antenore Gatta

Antenore Gatta

A proud and busy Hacker, Father and Kyndrol

Post comment

Markdown is allowed, HTML is not. All comments are moderated.