Automated Remediation Guardrails: A Risk-Aware Framework for Validating AI-Generated Production Scripts in Regulated Financial Infrastructure

Authors

  • Ajay Devineni, Independent Researcher, USA

DOI:

https://doi.org/10.63282/3050-9416.IJAIBDCMS-V6I2P113

Keywords:

AI-Generated Code, Remediation Guardrails, Blast Radius Analysis, Terraform Validation, SOC 2 Compliance, Model Context Protocol, Agentic AI, Infrastructure as Code, Change Control, Risk Classification, Financial Services SRE

Abstract

The integration of AI coding assistants into DevOps and site reliability engineering workflows has accelerated infrastructure automation, enabling engineers to generate Terraform configurations, shell scripts, and deployment parameter files at speeds previously requiring significantly more time. However, AI-generated infrastructure artifacts introduce a novel category of operational risk: code that is syntactically valid but semantically incorrect in the specific production context, hallucinated API calls, or configurations that create valid infrastructure with unintended security or reliability implications. Research has shown that approximately 40% of programs generated by AI assistants contain exploitable vulnerabilities, and that iterative AI code generation without human validation can increase critical vulnerabilities by as much as 37.6%. In regulated financial services environments where infrastructure changes require documented change control and SOC 2 audit evidence, deploying AI-generated production scripts without a structured validation framework creates compliance gaps that outweigh the productivity benefit. This paper presents a risk-aware remediation guardrail framework developed and deployed at NCR/Candescent for validating AI-generated infrastructure artifacts before their application to production banking environments. The framework implements a four-tier risk classification system based on blast radius analysis, reversibility assessment, and scope validation against existing Terraform state. It integrates with the Jira DCR change control workflow through Model Context Protocol tooling, ensuring every AI-generated artifact modifying production infrastructure is associated with an approved change record. Evaluated against a production corpus of 108 AI-generated artifacts, the automated tier classifier achieved 91% accuracy against expert human review as ground truth, with a 4.6% false negative rate in the safety-critical under-tiering direction. The framework caught 7 artifacts containing production errors that visual plan review alone would not have detected.

Published

2025-05-25

How to Cite

Devineni A. Automated Remediation Guardrails: A Risk-Aware Framework for Validating AI-Generated Production Scripts in Regulated Financial Infrastructure. IJAIBDCMS [Internet]. 2025 May 25 [cited 2026 Apr. 29];6(2):113-8. Available from: https://ijaibdcms.org/index.php/ijaibdcms/article/view/534