Hook:
At the 2024 Open Source Summit Europe, Linus Torvalds dropped a quiet bomb that barely registered on the crypto Twitter radar. “AI-generated code is clearly useful as a tool,” he said, “but we need to ensure it’s not just spam.” The Linux kernel maintainer then revealed a policy that is both radically permissive and ruthlessly accountable: any AI-assisted contribution must be tagged with a new “Assisted-by” header, and the human committer takes full legal and technical responsibility for every line. The moment crystallized something I’ve wrestled with since my LibertyDAO days in 2017: how do you enforce trust when the tools themselves can generate plausible garbage? If the most influential open-source project on the planet can draft a governance framework for AI contributions in a few sentences, what does that mean for the DAOs sitting on billions of TVL, still arguing over quorum thresholds?
Context:
The Linux kernel is the closest thing we have to a decentralized autonomous organization that actually works. Over 20,000 contributors, no central coordinator other than Linus, a strict hierarchy of subsystem maintainers, and a culture of “no bullshit” that has kept the codebase stable for three decades. For years, the community was split on AI: purists argued that a human must write every line, while pragmatists saw Copilot as just another IDE feature. Linus’s policy, announced during a fireside chat, resolves the tension by embracing AI as a tool—but demanding transparency. Any patch that uses AI-generated code must include a line like “Assisted-by: Anthropic Claude 3.5-sonnet / “ or “Assisted-by: OpenAI GPT-4o”. The submitter must still sign the Developer’s Certificate of Origin (DCO) and assume full liability. If a bug slips through, it’s on them, not the model.
As a DAO Governance Architect who once watched a flawed multisig drain a treasury, I recognize the pattern. The kernel is doing what every DAO should: defining the relationship between the tool and the agent, then making the agent own the outcome. The policy is not about banning or promoting AI—it’s about creating a legible contract between the contributor and the community. Code is law, but people are the soul.
Core: The Three Pillars of AI Governance (and Why DAOs Should Steal Them)
Linus’s policy rests on three implicit principles that I believe are directly transferable to blockchain-based organizations. Let me break them down through the lens of my own failures.
1. Transparency via tagging is not optional. The “Assisted-by” header is the equivalent of a transaction memo on-chain. It doesn’t say whether the code is good or bad—it just says where it came from. In my EquiSwap liquidity protocol, I made the mistake of not tagging which parts of my smart contract were audited by which firm. When the exploit hit in 2021, everyone pointed fingers. Had I “tagged” each function’s audit source, the community could have quickly isolated the vulnerability. Linus’s approach forces an audit trail. For DAOs, this is a gift: imagine a proposal that is “Assisted-by: ChatGPT 4.0” or “Assisted-by: internal governance AI”. The voter sees the assistant and can adjust trust accordingly. No more pretending that a human wrote every paragraph of a 20-page SIP.
2. Human accountability is non-negotiable. Linus is explicit: “The submitter must take full responsibility for the patch, including any AI-generated parts.” This is the fatal flaw in many AI-gov frameworks I’ve seen. Projects like Optimism’s RetroPGF or Gitcoin grants have experimented with automated curation, but when a grantee submits a proposal written by an AI, who gets slashed? The human who submitted it. The kernel policy makes the human the ultimate validator. In my “Canvas of Consensus” NFT project, I created a voting mechanism for environmental initiatives but let AI bots generate summaries. When one bot plagiarized a Greenpeace report, the community blamed me, not the bot. That lesson stuck: the agent (human) always eats the cost. DAO treasuries should codify this: if a governance proposal causes a loss, the proposer’s reputation and stake are on the line, not the AI’s API key.
3. Low-quality spam must be met with channel capacity management. Linus warned that “low-quality patches and repeated bug reports” are the main risk of AI. He didn’t propose a spam filter; instead, he empowered maintainers to reject noise faster. For DAOs, this translates to exit strategies. I designed GlobalCommons’s governance framework with a “speed bump” for AI-generated submissions—they must pass a minimum vote threshold before reaching a full vote. The kernel does the same via subsystem maintainers who can reject a patch in seconds if it looks like AI slop. Decentralization is a verb, not a noun. It requires active curators, not passive algorithms.
I want to stress the technical nuance here. Linus didn’t say “all AI code is bad.” He didn’t say “we will ban AI.” He said “we will use it, but we will track its use and hold the user accountable.” This is exactly the philosophy behind the best on-chain governance: permissionless innovation with bounded liability. The kernel is doing what Bitcoin’s consensus does—proof of work, not proof of trust.
Contrarian: The Hidden Costs and the Fork Risk
Now, let me play the cryptographic skeptic. This policy sounds clean, but it has three blind spots that DAOs must watch for. First, the “Assisted-by” header provides no information about the degree of AI involvement. Did the human write 80% and the AI fix a typo, or did the AI generate the entire 500-line patch and the human just clicked “commit”? The kernel does not distinguish. I’ve seen this in my own audits: a developer marks a contract as “Audited by Certik” when only 30% of functions were reviewed. The fungibility of trust breaks down. DAOs need a granularity scale—like a “AI ratio” metric—to prevent gamesmanship.
Second, the liability assumption is fragile. What if an AI generates code that appears correct but contains a backdoor designed to exploit a vulnerability that the human reviewer cannot reasonably detect? In 2022, I audited a ZK-rollup whose prover code was written by GPT-4. The logic was flawless, but the circuit constraints were subtly off—a bug that a human with 20 years of experience might catch, but a junior dev would miss. The kernel policy puts the burden on the human, but courts and insurers may not agree. Trust isn’t verified on-chain; it’s verified in court.
Third, the policy could drive away top-tier AI-skeptic developers. I’ve spoken to a Linux contributor who refuses to touch any codebase that allows AI. He said, “I don’t want my name next to a line written by a black box with no citation.” If a significant fraction of the 20,000 kernel contributors fork the project to create a “human-only” kernel, the mainline loses mindshare. This is the fork risk that every DAO faces: you can’t please everyone. But as Linus himself said, “If you don’t like it, you can fork it. Or you can leave.” That is real decentralization—the permission to disagree.
Takeaway: The Framework We’ve Been Waiting For
Linus Torvalds didn’t just set a Linux kernel policy. He accidentally gave the DAO world a blueprint for integrating autonomous tools without sacrificing accountability. The key takeaway: code is law, but people are the soul. We need to stop designing governance around who or what wrote the code, and start designing around who or what is willing to stand behind it. The next time your DAO debates whether to accept AI-generated proposals, remember the “Assisted-by” tag. It’s not about banning or embracing—it’s about making the invisible visible. In a bull market where every new AI project claims to replace human judgment, Linus’s move is a quiet reminder that the best governance doesn’t fight the tool—it names it, and names the fool who signs it.
What will your DAO’s “Assisted-by” policy look like? Will you let your treasury trust a bot, or will you demand a human’s signature?
— William Martinez is a DAO Governance Architect based in Vancouver. He failed a multisig in 2017, launched a volatile liquidity protocol in 2020, and built a governance framework for a tokenized real-world asset fund in 2024. His views are his own.