AI-assisted software development has moved from line-level autocomplete to agents that can plan changes, edit files, and submit pull requests with limited human supervision. Open-source software, however, evolves through a process designed for humans: contributor agreements, codes of conduct, and review norms all assume a legally accountable person who can attest to provenance and answer reviewer questions. Autonomous and semi-autonomous AI contributors strain those assumptions, and the 2025-2026 record of agent-driven incidents, AI-generated nuisance volume, and platform-level shutdowns shows that the gap is operationally consequential. Several open-source organisations have responded with contribution policies, but the result is fragmented, and its alignment with emerging AI governance frameworks (the EU AI Act, the NIST AI RMF together with the UC Berkeley Agentic AI Profile, and ISO/IEC 42001 and 23894) has not been mapped at the contribution level. We compare policies across six organisations (SymPy, LLVM, matplotlib, OpenInfra, the Apache Software Foundation, and the Linux Foundation) using Most-Similar Systems Design with indicator-based coding, supplemented by process tracing for SymPy and LLVM. From this we derive a six-dimensional taxonomy (disclosure, responsibility, human oversight, licensing, enforcement, maintainer workload), an ordinal Policy Maturity Score, and a mapping of documented agent incidents onto the dimensions each policy fails to govern. Aligning the dimensions with the regulatory frameworks above identifies overlapping gaps that neither side currently addresses, and we conclude by sketching the shape of a harmonised tiered framework and the empirical evaluation needed to calibrate it.