Praveen

What does your team actually produce as evidence when AI code goes to production?

Something I keep coming back to: if an auditor asked your team to prove that the AI-generated code in your last release passed your risk policy — what would you actually hand them?

Most teams I talk to would produce a PR link, maybe a Copilot usage dashboard, and a verbal description of their review process. No record of which model generated which function, no risk score at insertion time, no machine-verifiable proof that a human reviewed the AI context rather than just the diff.

We just shipped an indemnity certificate system in LineageLens. You define a policy (max risk score, allowed models, require human review, license clean), call an endpoint for a specific PR or release, and the system evaluates every provenance record tagged to that scope against your rules. Either it issues a signed Ed25519 certificate — verifiable by any third party without workspace credentials — or it returns a structured list of exactly what failed and why.

The certificate anchors to the provenance hash chain at the moment of issuance, so it's not just "we said it was reviewed." It's a cryptographic statement tied to the capture records that existed at the time.

What I'm genuinely curious about: what does your team produce today as evidence when AI code ships? Is there anything machine-verifiable in that process? And where do you think the enforcement gate should actually live — pre-merge block, or post-merge audit evidence?

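To make the mechanism concrete, here is a minimal working sketch of the flow the post describes: policy evaluation over provenance records, an Ed25519-signed certificate anchored to a hash chain of those records, and third-party verification. This is an added example written for this page, not LineageLens code or its API. Everything about the data layout is an assumption: the Record and Policy fields, the chain construction (SHA-256 over the previous head plus each record's JSON, starting from a fixed genesis value), the certificate's JSON layout, the demo key pair generated at start-up, the scope label "pr:example", and the three constructed sample records.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"slices"
)

type Record struct { // one constructed provenance capture; field names are assumptions, not LineageLens's schema
	Function, Model             string
	RiskScore                   float64 // risk score at insertion time
	HumanReviewed, LicenseClean bool    // HumanReviewed: a human reviewed the AI context, not just the diff
}

type Policy struct { // the four rules the post names
	MaxRiskScore                            float64
	AllowedModels                           []string
	RequireHumanReview, RequireLicenseClean bool
}

type Violation struct{ Function, Rule, Detail string } // one entry of the structured "what failed and why" list

// Certificate is the signed statement plus a hex Ed25519 signature over its JSON taken while Signature is empty.
type Certificate struct {
	Scope, PolicyHash, ChainHead string // ChainHead is the head of the provenance hash chain at issuance
	Signature                    string `json:",omitempty"`
}

// ChainHead folds the records into h_i = SHA-256(h_{i-1} || JSON(r_i)); altering any record changes the head.
func ChainHead(records []Record) string {
	head := fmt.Sprintf("%x", sha256.Sum256([]byte("genesis"))) // fixed genesis value (assumption)
	for _, r := range records {
		b, _ := json.Marshal(r) // struct field order is fixed, so the encoding is deterministic
		head = fmt.Sprintf("%x", sha256.Sum256(append([]byte(head), b...)))
	}
	return head
}

// Evaluate checks every record in scope against the policy and reports each failure.
func Evaluate(p Policy, records []Record) (out []Violation) {
	for _, r := range records {
		if r.RiskScore > p.MaxRiskScore {
			out = append(out, Violation{r.Function, "max_risk_score", fmt.Sprintf("%.2f > %.2f", r.RiskScore, p.MaxRiskScore)})
		}
		if !slices.Contains(p.AllowedModels, r.Model) {
			out = append(out, Violation{r.Function, "allowed_models", r.Model + " is not an allowed model"})
		}
		if p.RequireHumanReview && !r.HumanReviewed {
			out = append(out, Violation{r.Function, "require_human_review", "no review of the AI context recorded"})
		}
		if p.RequireLicenseClean && !r.LicenseClean {
			out = append(out, Violation{r.Function, "license_clean", "license scan not clean"})
		}
	}
	return out
}

// Issue signs a certificate if every record passes, otherwise returns the violations.
func Issue(priv ed25519.PrivateKey, scope string, p Policy, records []Record) (*Certificate, []Violation) {
	if v := Evaluate(p, records); len(v) > 0 {
		return nil, v
	}
	pb, _ := json.Marshal(p)
	c := Certificate{Scope: scope, PolicyHash: fmt.Sprintf("%x", sha256.Sum256(pb)), ChainHead: ChainHead(records)}
	msg, _ := json.Marshal(c) // Signature is still empty, so this is exactly the statement being signed
	c.Signature = hex.EncodeToString(ed25519.Sign(priv, msg))
	return &c, nil
}

// Verify is what a third party runs with only the issuer's public key: signature first, then the chain anchor.
func Verify(pub ed25519.PublicKey, c Certificate, records []Record) bool {
	sig, err := hex.DecodeString(c.Signature)
	c.Signature = "" // c is a copy; rebuild the bytes that were signed
	msg, _ := json.Marshal(c)
	if err != nil || !ed25519.Verify(pub, msg, sig) {
		return false
	}
	return records == nil || ChainHead(records) == c.ChainHead // nil records: signature-only check
}

// Demo key pair made at start-up (assumption; a real issuer keeps its key in a KMS or HSM); nil reader means crypto/rand.
var IssuerPub, IssuerPriv, _ = ed25519.GenerateKey(nil)
// Constructed sample scope: record 2 exceeds the risk ceiling, record 3 breaks two rules.
var SamplePolicy = Policy{0.7, []string{"gpt-4o"}, true, true}
var SampleRecords = []Record{
	{"parse_token", "gpt-4o", 0.31, true, true},
	{"render_html", "gpt-4o", 0.82, true, true},
	{"sign_payload", "local-llm-7b", 0.12, false, true},
}

func main() {
	_, v := Issue(IssuerPriv, "pr:example", SamplePolicy, SampleRecords) // refused: v lists what failed and why
	cert, _ := Issue(IssuerPriv, "pr:example", SamplePolicy, SampleRecords[:1])
	tampered := []Record{{"parse_token", "gpt-4o", 0.31, false, true}} // capture record altered after issuance
	fmt.Println(v, Verify(IssuerPub, *cert, SampleRecords[:1]), Verify(IssuerPub, *cert, tampered))
}
```

The point of the chain anchor shows up in the last call: the signature over the certificate still checks out, but a verifier who is also handed the capture records recomputes a different head once any record has been edited after issuance, so the certificate no longer vouches for what it is being shown. A verifier with only the public key can still confirm who issued the statement and that it was not altered.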

Replies

Praveen

What's your opinion!!