Adapting the UK Government AI Playbook to software engineering: a CTOs guide
Your development team is likely already experimenting with AI coding assistants—whether they tell you or not. They’ll be using everything from GitHub Copilot to Amazon CodeWhisperer. And while AI is fundamentally changing how code gets written, many engineering organizations are left scrambling trying to keep up, or to publish clear internal guidelines on how to safely engage with these tools.
This guide adapts the UK Government AI Playbook to software engineering. The AI Playbook is an official UK government guide published in February 2025 that lays out how government departments and public sector organizations should safely, effectively, and responsibly harness AI technologies. It was created by the Government Digital Service and builds upon the previous Generative AI Framework for HMG from January 2024. Based on government frameworks and real-world implementations, these guidelines will help you systematically evaluate and adopt AI tools while maintaining high standards of quality and security.
1. Educate engineers on AI tool benefits and risks
Aligns with Principle 1: You know what AI is and what its limitations are
Engineering teams need education about AI development tools and their implications. While tools like GitHub Copilot can accelerate development, engineers must understand their limitations and risks. Consider creating training programs covering: AI coding assistant capabilities and limitations, best practices for prompt engineering, data privacy, and security risks of exposing sensitive code or data.
First step: Create an AI tools task force to develop a vetted tools list and training curriculum. Schedule mandatory training sessions for all engineering teams on AI tool usage, data privacy, and security best practices.
2. Practice development in secure environments
Aligns with Principles 2 and 3: You use AI lawfully, ethically and responsibly & you know how to use AI securely
Your engineering team needs a secure foundation for AI adoption. Tools like GitHub Copilot introduce novel security challenges around data exposure and code quality. Many organizations are finding success with using secure development environments like Gitpod for AI development while maintaining strict controls on production systems. You’ll need to implement security guardrails, but there’s no need to sacrifice the productivity gains that AI tools can offer if you develop securely.
First step: Audit your environment setup – can you centrally control what developers are doing? If not, research how to automate, standardize, and secure development environments with the aim to implement appropriate guardrails (helpful resource). Evaluate automated security scanning tools optimized for AI-generated code, and establish clear processes for developers to safely experiment with AI.
3. Implement human-in-the-loop development
Aligns with Principle 4: You have meaningful human control at the right stages
Teams using GitHub Copilot report that clear review protocols remain essential to avoid security risks and ensure production-quality code—they’re finding that AI works best as a collaborative tool rather than an entirely autonomous solution. AI does not negate the need for human review but increases the urgency to have strong and clear review guidelines.
First step: Define clear review processes in your source control (i.e. specific reviews) or by using CODEOWNER files. Set quality gates that all code must pass, regardless of origin.
4. Structure your AI development lifecycle
Aligns with Principle 5: You understand how to manage the full AI lifecycle
The integration of AI demands a fundamental reimagining of your software development lifecycle. If you are looking to run AI models in production you will need version control that tracks not only code changes, but model iterations and training data evolution. Your engineering teams might need new CI/CD pipelines to accommodate AI-specific testing such as model evaluation and bias detection. In addition to coping with the increasing throughput that AI development can lead to, you will want to evaluate AI tools that speed up quality and assurance, such as pull request AI review tools, production anomaly detection and security tools to ensure fast and secure flow of software from development to production.
First step: Evaluate automation tools to use AI for testing, monitoring and other areas of the software development cycle. For production models research and implement tools for managing model drift and version control specific to model development
5. Select the right development tools
Aligns with Principle 6: You use the right tool for the job
Your engineering teams need clear guidance on when to leverage AI tools versus traditional development approaches. While GitHub Copilot excels at generating boilerplate code and common patterns, critical algorithms and core business logic often benefit from conventional development. Systems handling authentication and authorization, financial calculation engines, data privacy, complex business rules with regulatory implications, and security-sensitive operations involving cryptography should be developed using conventional methods with minimal AI code generation. Teams should create an inventory of your source control and apply degrees of AI tool use permitted depending on the criticality.
First step: Map your development key risk areas for AI tooling. Document your approach and socialize internally.
6. Foster open-source and collaboration
Aligns with Principle 7: You are open and collaborative
Your organization’s AI journey shouldn’t happen in isolation. Forward-thinking engineering teams are actively participating in the broader AI development community—contributing to open-source projects, sharing learnings through internal knowledge bases, and establishing AI Centers of Excellence. This collaborative approach helps accelerate adoption while avoiding common pitfalls. Many organizations find that internal developer communities are emerging organically around AI tools, creating natural opportunities for knowledge sharing and best practice development.
First step: Join or create AI engineering communities of practice. Set up infrastructure for sharing AI development patterns.
7. Develop AI engineering excellence
Aligns with Principle 9: You have the skills and expertise needed to implement and use AI solutions
Your team needs new skills to thrive in an AI-enhanced development environment. Beyond traditional software engineering expertise, they’ll need proficiency in prompt engineering, MLOps, and AI security considerations. Invest in comprehensive training programs and create dedicated time for AI experimentation. You’ll find that building this expertise requires a balanced approach—combining structured training with hands-on practice in safe, sandboxed environments.
First step: Assess your team’s AI development capabilities. Establish communities of practice and other channels to share learnings internally.
8. Implement AI governance for engineering
Aligns with Principle 10: You use these principles alongside your organisation’s policies and have the right assurance in place
Your organization needs clear governance frameworks to manage AI adoption in engineering. Successful teams are implementing AI review boards, establishing quality metrics, and creating comprehensive security protocols. You’ll need to track key indicators like PR velocity, code quality scores, and developer satisfaction to ensure AI tools are delivering real value. Many organizations are finding that well-structured governance actually accelerates AI adoption by providing clear guidelines and reducing uncertainty about tool usage.
First step: Instrument comprehensive metrics including AI usage patterns, engineering velocity, and code quality indicators. Establish clear baselines.
Take action
These principles provide a framework for thoughtful AI adoption in software development. Implementing them requires careful planning and organizational change management. If you liked what you read and have thoughts, questions or feedback, drop us a line at ai.maturity.model@gitpod.io. We’re collecting stories from the field to share back with all of you.
