After months of heated argument, the Linux kernel community has formalized rules that let developers use AI coding tools while banning low-quality generated output and placing full legal responsibility on the human who signs off.
The Linux kernel has always been unforgiving about quality, and its new AI policy reflects exactly that instinct. On April 12, the community concluded a debate that had been running since at least January and reached an agreement that is, in hindsight, characteristically Torvalds: pragmatic, blunt, and allergic to bureaucratic theater. AI tools like GitHub Copilot are in. Unreviewed, bulk-generated "AI slop" is out. And the human developer who submits the code owns it completely, legally and reputationally, no exceptions.
The mechanism is the project's existing Developer Certificate of Origin, or DCO. Every kernel contribution already requires a "Signed-off-by" tag, a declaration that the submitter has the right to contribute the code and has reviewed it. The new policy threads AI tools directly into that chain without loosening it. A developer can use Copilot to generate a suggestion, but the moment they sign off, they are personally attesting to its correctness and security. The AI provider carries no liability. The model carries no liability. The person hitting submit does.
Torvalds telegraphed this direction back in January when he waded into a documentation dispute and dismissed the idea of banning AI tools outright as pointless hand-wringing. What he objected to then, and what the policy now codifies, is the specific failure mode of treating AI output as finished work. The term "AI slop" has circulated in kernel mailing lists for months, describing contributions that appear machine-generated with minimal human scrutiny, and the new rules draw a hard line against it.
The timing of this agreement is not accidental. Security researchers spent the first quarter of 2026 documenting a measurable rise in vulnerabilities tied to AI-assisted coding. Veracode warned that rapid AI-driven development was making meaningful security review structurally harder to achieve. Sonatype reported a 75 percent growth in open-source malware alongside record package download numbers. For a project like the Linux kernel, which runs on everything from Android phones to critical infrastructure, those numbers are not abstract concerns.
Kernel subsystems were already running cautious experiments before April. Graphics driver maintainers were testing AI-assisted review tools in February, using them to help overloaded maintainers catch issues rather than to replace the review process itself. That experience likely informed the final policy: AI as a force multiplier for human judgment, not a substitute for it.
What this means beyond the kernel
Linux is the most widely deployed open-source project on the planet, and how it governs its development process tends to travel. Other major projects watching this debate now have a concrete model to work from: accept AI tools explicitly, define what disqualifying misuse looks like, and anchor accountability in a named human being rather than a process or a platform.
That framework matters for enterprises too. GitHub's own data from late 2025 showed AI coding assistants had become close to universal in professional software development. The question was never really whether developers would use these tools. It was who would be responsible when something went wrong. Linux has answered that question as directly as any institution has so far: the developer is responsible, full stop, and the signing of their name to the code is the proof.
For the broader software industry, the kernel's position sets a ceiling on how much autonomy AI can claim in high-stakes codebases, at least for now. The "human in the loop" framing has been a best-practice recommendation for years. Linux just made it a condition of participation. Other critical infrastructure projects, from the BSD family to major cloud provider toolchains, will face the same pressure and will likely use this agreement as their starting point. The debate about whether AI belongs in serious software development is effectively over. The debate about exactly how much human oversight is enough is just beginning.
