Standards & Guidelines
This section contains the formal production standards (PRD-STD series) that govern AI-assisted development practices, agent skills catalogs, and AI-powered product behavior within the AEEF framework. Each standard follows RFC 2119 language conventions and includes clear requirements, implementation guidance, and compliance criteria.
Overview
The PRD-STD series establishes the minimum quality, security, and governance requirements for organizations using AI coding assistants, operating multi-agent workflows, and shipping AI-powered product features in production. With 92% of US developers now using AI tools daily and AI co-authored code showing 1.7x more issues and 2.74x higher vulnerability rates, these seventeen standards exist to ensure that velocity gains do not come at the expense of quality, safety, security, or maintainability.
The PRD-STD series defines AEEF core controls. Country-specific sovereign requirements and sector regulator obligations are handled through Pillar 2 regional/country profiles and overlays. Adoption of PRD-STD controls alone does not constitute sovereign or regulator certification.
For teams that need immediate execution guidance, start with the Apply-Ready Rollout Kit. It includes a 30/60/90-day rollout plan, copy-paste prompts, and role ownership mapping for all seventeen standards.
For a working reference codebase that enforces the PRD-STD series with CI/CD pipelines, monitoring, drift detection, and incident response automation, see the Production Reference Implementation.
If you need a visual adoption sequence (tutorials -> Level 1 -> Level 2 -> Level 3), use Production Rollout Paths.
All standards in this series use RFC 2119 keywords:
- MUST / SHALL -- Absolute requirements. Non-compliance requires immediate remediation.
- MUST NOT / SHALL NOT -- Absolute prohibitions.
- SHOULD / RECOMMENDED -- Expected practices. Deviations require documented justification.
- SHOULD NOT -- Practices that are discouraged but not prohibited.
- MAY / OPTIONAL -- Truly discretionary practices.
How to Use This Section (Normative vs Practical)
This section is primarily the normative source for production controls.
- Use individual PRD-STD pages to define policy, compliance criteria, and audit evidence expectations.
- Use Apply-Ready Rollout Kit for execution sequencing, role ownership, and rollout planning.
- Use Production Tutorials & Starter Guides for hands-on implementation walkthroughs.
- Use Reference Implementations when you need runnable repos or apply paths.
Page Types in Production
- Standards (PRD-STD-*) -- normative requirements and control definitions
- Tutorials & Starter Guides -- hands-on implementation walkthroughs
- Best Practices -- practical recommendations and operating patterns
- Tool Guides -- tool-specific setup and integration instructions
- Rollout Paths -- adoption sequencing by maturity and organizational context
Standards Index
| Standard ID | Title | Status | Compliance Level | Description |
|---|---|---|---|---|
| PRD-STD-001 | Prompt Engineering Standards | Active | Level 2 | Defines requirements for prompt structure, context management, constraint specification, version control, and prompt library standards for production development environments. |
| PRD-STD-002 | Code Review Standards | Active | Level 1 | Establishes mandatory code review processes for AI-generated code, including reviewer qualifications, review checklists, approval thresholds, and escalation criteria. |
| PRD-STD-003 | Testing Requirements | Active | Level 2 | Specifies testing requirements for AI-generated code, including unit test coverage minimums (80%), integration testing, behavioral validation, regression testing, and mutation testing. |
| PRD-STD-004 | Security Scanning | Active | Level 1 | Mandates security scanning for AI-generated code, including SAST, DAST, dependency scanning, and vulnerability remediation SLAs (Critical: 24h, High: 7d, Medium: 30d, Low: 90d). |
| PRD-STD-005 | Documentation Requirements | Active | Level 3 | Defines documentation requirements for AI-assisted development, including code comments for AI-generated sections, architecture decisions, prompt documentation, and knowledge preservation. |
| PRD-STD-006 | Technical Debt Management | Active | Level 3 | Establishes criteria for identifying, tracking, prioritizing, and remediating technical debt introduced by AI-generated code, including debt budget limits and remediation timelines. |
| PRD-STD-007 | Performance & Quality Gates | Active | Level 2 | Defines the quality gates that AI-assisted development outputs must pass before deployment, including build, test, security, performance, and deployment gates. |
| PRD-STD-008 | Dependency & License Compliance | Active | Level 1 | Specifies requirements for managing dependencies introduced by AI-generated code, including license compatibility, vulnerability monitoring, and supply chain security. |
| PRD-STD-009 | Autonomous & Multi-Agent Governance | Active | Level 2 | Defines governance controls for autonomous and multi-agent AI workflows, including agent contracts, handoff controls, traceability, and human-approval safeguards. |
| PRD-STD-010 | AI Product Safety & Trust Controls | Active | Level 2 | Defines mandatory safety, integrity, abuse-resistance, rollout containment, and trust incident controls for AI-powered product behavior. |
| PRD-STD-011 | Model & Data Governance | Active | Level 2 | Establishes requirements for data rights, lineage, evaluation integrity, model documentation, and reproducibility for production AI features. |
| PRD-STD-012 | Inference Reliability & Cost Controls | Active | Level 2 | Defines runtime SLO, resilience, observability, fallback, and unit-economics controls for production AI inference services. |
| PRD-STD-013 | Multi-Tenant AI Governance | Active | Level 2 | Establishes tenant data isolation, tenant-scoped safety policies, per-tenant audit trails, cost allocation, and SLA mapping for multi-tenant AI products. |
| PRD-STD-014 | AI Product Privacy & Data Rights | Active | Level 2 | Defines privacy-by-design requirements, DPIA processes, cross-border data transfer controls, retention/deletion policies, consent management, and automated decision-making rights for AI products. |
| PRD-STD-015 | Multilingual AI Quality & Safety | Active | Level 2 | Specifies multilingual evaluation standards, cross-language safety testing, dialect handling, multilingual bias and fairness, and language-specific prompt engineering requirements. |
| PRD-STD-016 | Channel-Specific AI Governance | Active | Level 2 | Defines channel governance framework, channel-specific safety and SLOs, platform compliance overlays, channel fallback, and multi-channel consistency requirements. |
| PRD-STD-017 | Agent Skills Catalog Governance | Active | Level 2 | Defines governance controls for skill catalogs, community skill attribution, skill approval, role/environment gating, and traceability for agent skill execution. |
Compliance Levels
Standards are assigned to compliance levels that correspond to the Maturity Model. This assignment determines the order in which organizations should adopt the standards:
Level 1 -- Foundation (Mandatory for all organizations)
These standards address the highest-risk areas and MUST be implemented first:
- PRD-STD-002: Code Review -- Every line of AI-generated code MUST be reviewed by a qualified human reviewer before merging. This is the single most impactful control against AI code quality issues.
- PRD-STD-004: Security Scanning -- AI-generated code MUST undergo automated security analysis. Given the 2.74x higher vulnerability rate, this is non-negotiable.
- PRD-STD-008: Dependency Compliance -- Dependencies introduced by AI tools MUST be checked for license compatibility and known vulnerabilities.
Level 2 -- Managed (Target within 12 months)
These standards provide comprehensive quality controls:
- PRD-STD-001: Prompt Engineering -- Structured prompting reduces the rate of defective AI outputs and improves consistency across teams.
- PRD-STD-003: Testing Requirements -- Rigorous testing catches the issues that code review alone misses.
- PRD-STD-007: Quality Gates -- Automated enforcement prevents non-compliant code from reaching production.
- PRD-STD-009: Autonomous & Multi-Agent Governance -- Agent orchestration controls keep role-specific autonomous workflows auditable and within policy boundaries.
- PRD-STD-010: AI Product Safety & Trust Controls -- AI feature behavior must meet safety and trust controls before and after release.
- PRD-STD-011: Model & Data Governance -- Production AI behavior requires auditable data/model lineage, rights, and evaluation integrity.
- PRD-STD-012: Inference Reliability & Cost Controls -- AI runtime must meet service objectives and sustainable unit-economics constraints.
- PRD-STD-013: Multi-Tenant AI Governance -- Multi-tenant AI products must enforce tenant isolation, scoped safety policies, and per-tenant auditability.
- PRD-STD-014: AI Product Privacy & Data Rights -- AI products must implement privacy-by-design, lawful data processing, and automated decision-making rights.
- PRD-STD-015: Multilingual AI Quality & Safety -- AI products serving multiple languages must meet parity, safety, and fairness standards across all supported languages.
- PRD-STD-016: Channel-Specific AI Governance -- AI products deployed across multiple channels must meet channel-specific safety, compliance, and consistency requirements.
- PRD-STD-017: Agent Skills Catalog Governance -- Reusable agent skills and community skill imports must be governed, attributed, and gated by role/environment before use in production-bound workflows.
Level 3 -- Optimized (Target within 24 months)
These standards ensure long-term sustainability:
- PRD-STD-005: Documentation -- Comprehensive documentation prevents knowledge erosion as AI-generated code accumulates.
- PRD-STD-006: Technical Debt -- Active debt management prevents the gradual degradation of codebases that rely heavily on AI generation.
Standard Structure
Every standard in the PRD-STD series follows a consistent eight-section structure:
- Purpose -- Why the standard exists and what risk it mitigates
- Scope -- Which teams, projects, code types, and AI tools the standard covers
- Definitions -- Key terms with precise definitions
- Requirements -- Formal requirements, each classified as MANDATORY (rendered as a :::danger admonition) or RECOMMENDED (rendered as a :::warning admonition)
- Implementation Guidance -- Practical steps, examples, and configuration templates
- Exceptions & Waiver Process -- How to request justified exceptions
- Related Standards -- Cross-references to other AEEF standards and external references
- Revision History -- Version tracking
Applicability
These standards apply to:
- All production code that is generated, modified, or influenced by AI coding assistants
- All production AI-powered features where model output influences user-facing behavior or operational decisions
- All development environments where AI tools are authorized for use
- All teams and individual contributors who use AI tools as part of their development workflow
- Both greenfield and brownfield projects
These standards do NOT apply to:
- Experimental or research code in isolated sandbox environments (though adoption is RECOMMENDED)
- Personal learning and training activities
- AI-generated code that is used solely as reference material and is rewritten manually
Governance
The PRD-STD series is governed by the Pillar 2: Governance & Risk framework. Standards are:
- Reviewed quarterly by the AEEF Standards Committee
- Updated as AI tool capabilities evolve and new risk patterns emerge
- Versioned using semantic versioning (Major.Minor.Patch)
- Communicated to all affected teams at least 30 days before enforcement of new requirements
Organizations SHOULD designate an AEEF Standards Champion within each engineering team to facilitate adoption, answer questions, and report compliance status.
For regional and country applicability boundaries, see the Regional Coverage Matrix and Conformance Assessment Model.
Getting Started
For teams new to the PRD-STD series:
- Begin with a gap analysis against Level 1 standards (PRD-STD-002, PRD-STD-004, PRD-STD-008)
- Configure CI/CD pipelines to enforce automated checks per PRD-STD-007
- Train reviewers on the AI-specific review checklist in PRD-STD-002
- Establish vulnerability SLAs per PRD-STD-004
- Progress to Level 2 and Level 3 standards as maturity increases
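Two of the steps above, enforcing automated checks in CI/CD and establishing the PRD-STD-004 remediation SLAs, meet in a pipeline gate that fails the build when a known finding has outlived its remediation window. The Python below is an added example of such a gate, not code from the AEEF reference implementation: the `Finding` record, the `sla_gate` and `report` functions, the `grace` waiver parameter and the sample findings are all constructed for this illustration, and a real pipeline would populate `Finding` from a scanner export (for example SARIF) plus the first-seen date from the tracking system. Only the four SLA windows come from the page.

```python
"""Added example: a CI gate enforcing the PRD-STD-004 remediation SLAs.

Illustration code, not part of the AEEF reference implementation. The
Finding record, sla_gate(), report() and SAMPLE_FINDINGS are assumptions
made for this example; only the SLA windows are taken from the standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Remediation windows as stated in PRD-STD-004.
SLA_BY_SEVERITY = {
    "critical": timedelta(hours=24),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
    "low": timedelta(days=90),
}


@dataclass(frozen=True)
class Finding:
    rule_id: str          # scanner rule that fired
    severity: str         # critical / high / medium / low
    first_seen: datetime  # tz-aware timestamp of first detection
    location: str         # file:line, used only in the report

    def __post_init__(self):
        # A naive timestamp would silently shift deadlines by the runner's TZ.
        if self.first_seen.tzinfo is None:
            raise ValueError(f"{self.rule_id}: first_seen must be tz-aware")


def deadline(finding: Finding) -> datetime:
    """Deadline for a finding. An unknown severity label falls back to the
    critical window so a mis-labelled finding can never earn a 90-day SLA."""
    window = SLA_BY_SEVERITY.get(finding.severity.lower(), SLA_BY_SEVERITY["critical"])
    return finding.first_seen + window


def sla_gate(findings, now: datetime, grace: timedelta = timedelta(0)):
    """Return (passed, breached). `grace` models an approved waiver window;
    it defaults to zero and, per the standards' exception process, any
    non-zero value needs a documented justification."""
    breached = [f for f in findings if now > deadline(f) + grace]
    breached.sort(key=deadline)  # oldest deadline first in the report
    return (not breached), breached


def report(breached, now: datetime) -> list[str]:
    """One line per breached finding with how far past its deadline it is."""
    return [
        f"{f.severity.upper():8} {f.rule_id} at {f.location}: "
        f"{(now - deadline(f)).days}d past deadline"
        for f in breached
    ]


# Constructed sample findings (not real scanner output).
NOW = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("sql-injection", "critical", NOW - timedelta(hours=30), "app/db.py:42"),
    Finding("weak-hash", "high", NOW - timedelta(days=3), "app/auth.py:17"),
    Finding("cleartext-logging", "medium", NOW - timedelta(days=45), "app/log.py:88"),
    Finding("unused-import", "low", NOW - timedelta(days=10), "app/util.py:3"),
]

if __name__ == "__main__":
    import sys
    passed, breached = sla_gate(SAMPLE_FINDINGS, NOW)
    for line in report(breached, NOW):
        print(line)
    print("SLA gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```

Run as a pipeline step, the non-zero exit code blocks the deploy stage. Two design choices matter for a security gate: the clock comparison uses tz-aware timestamps so a runner in a different time zone cannot move a deadline, and an unrecognised severity is treated as critical rather than ignored, so a scanner that emits a new label fails closed instead of exempting itself from the SLA.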
For detailed implementation guidance and assessment tools, see the Maturity Model and the Production Efficiency Overview.
Next Steps
- Start with a Level 1 gap analysis, then sequence remediation using Production Rollout Paths.
- Use the Apply-Ready Rollout Kit if you need an implementation plan with role ownership and 30/60/90-day cadence.
- Enforce the adopted controls in CI/CD before expanding to additional standards.
- Use Reference Implementations if you need a runnable Tier 1/2/3 apply path instead of starting from policy interpretation.