AI-assisted software development accelerates code production but undermines the governance infrastructure that makes development decisions reproducible, attributable, and auditable. When AI agents generate code, the governing conditions—authorized scope, governing rules, and decision reasoning—are rarely preserved as persistent evidence. As a result, code artifacts accumulate while the governance legitimacy of the decisions that produced them remains indeterminate. This paper introduces Decision Risk, a structural governance framework that addresses this gap through four integrated components. Decision observability defines the evidence conditions under which development decisions can be structurally examined. Decision Analysis classifies observable decisions into five mutually exclusive states based on set-relational conditions among visible scope, artifact scope, and outcome scope. The Decision Risk model interprets these analytical states as governance risks, defining four risk categories, twelve threat types across three families, four manifestation levels, and a severity assessment matrix. The Risk Governance Model translates risk assessments into governance actions through three intervention levels and a PDCA cycle with risk-type-specific strategies. A case demonstration shows a single development task progressing through three governance stages, producing a measurable risk trajectory from unobservable risk to contained over-scope risk as governance infrastructure matures.
Spark Tsai studied this question.