I think most AI governance conversations stop too early.
Teams talk about dashboards, usage charts, and prompt capture. Those are useful, but they are not the same thing as a trustworthy record.
The harder problem is this: if someone asks you six months later whether a block of code was AI-generated, can you prove the record still means what it said when it was created?
That is why we added two things in LineageLens: a provenance hash chain and a signed AI BOM export.
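To make the hash-chain idea concrete, here is a minimal sketch added as an illustration. It is not LineageLens code: the chain layout, the `GENESIS` value, the function names, and the sample records are all assumptions, with only the record fields (prompt, model, tool, file, outcome) taken from this post.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry


def record_hash(prev_hash: str, record: dict) -> str:
    """Hash a record together with the hash of the entry before it.

    Canonical JSON (sorted keys, fixed separators) gives the same bytes
    for the same record no matter which component serialized it.
    """
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode("utf-8")).hexdigest()


def append(chain: list, record: dict) -> None:
    """Append a record, linking it to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "hash": record_hash(prev, record)})


def verify(chain: list):
    """Return the index of the first entry that fails to verify, or None."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != record_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


def build_sample_chain() -> list:
    """Three constructed records; every value here is made up."""
    chain = []
    append(chain, {"prompt": "add retry to fetch()", "model": "model-a",
                   "tool": "editor-ext", "file": "src/net.py", "outcome": "accepted"})
    append(chain, {"prompt": "write unit test", "model": "model-a",
                   "tool": "mcp-server", "file": "tests/test_net.py", "outcome": "rejected"})
    append(chain, {"prompt": "rename helper", "model": "model-b",
                   "tool": "editor-ext", "file": "src/util.py", "outcome": "accepted"})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain, first bad entry:", verify(chain))
    chain[1]["record"]["outcome"] = "accepted"  # edit history after the fact
    print("after edit, first bad entry:", verify(chain))
```

Someone who can rewrite every entry from the edited one forward can still produce a chain that verifies, so the head hash has to be signed or stored where the writer of the records cannot change it.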
On a Tuesday, the first enterprise question is usually not "can you capture AI code?" It's "who can see the records, how long do they live, and what happens when a policy blocks a change?"
That's the part LineageLens is built for. Base gives you local capture. Lite gives a shared team record. Plus and Max move the data into a backend where auth, permissions, retention, and policy live next to the provenance records instead of around them.
The useful thing here is not another dashboard. It's a self-hosted record of prompt, model, tool, file, and outcome that engineering, security, and platform teams can actually govern on their own infrastructure.
I keep seeing AI governance tools start with visibility, then discover that the real enterprise questions are identity, retention, and review. If the record cannot be scoped, retained, and exported on your side, it is not really governable.
One thing that surfaced while tightening LineageLens this week: capture is not the hard part. Agreement is.
If the extension, backend, and MCP server describe the same AI edit with slightly different field names or status values, you do not have provenance; you have three believable stories about the same event. That matters because reviewers and assistants start trusting whichever surface they looked at last.
The question I keep coming back to is simple: if a record can look "applied" in one place and "accepted" in another, is that still a single source of truth?