Skip to content
Roy Avrahami
All articles

The Living Rules File: AI governance that actually compounds

March 14, 2026

  • AI Governance
  • CI/CD
  • Engineering Operations

Every engineering team using Cursor, Copilot, Claude Code, or similar assistants hits the same wall by week three:

"Why is the AI making the same mistake we corrected yesterday?"

The mistake isn't the AI's. It's that there is no system for converting a one-time correction into a permanent constraint.

The pattern

A senior engineer reviews a PR, finds an AI-introduced anti-pattern (wrong logger, missing transaction wrapper, outdated import path), and corrects it inline. Two days later, on a different branch, on a different file, in a different session, the AI makes the same mistake.

This is the "new session, same mistakes" problem. It's the AI equivalent of a team without a wiki — every onboarding repeats the last one.

The Living Rules File

A RULES.md (or .cursor/rules, or CLAUDE.md — name varies by tooling) at the repo root that:

  1. Captures every recurring correction as a one-line rule.
  2. Is loaded into the model's context on every session.
  3. Is enforced by a CI check that fails when violations land.
  4. Grows. Every new correction adds a line. Old ones are pruned when they become obsolete.
# Living Rules
 
## Database
- Always wrap multi-step writes in `with_transaction(...)`.
- Never use `SELECT *` in queries that cross service boundaries.
 
## Logging
- Use `structlog`, not the stdlib `logging` module.
- Include `request_id` in every log line in API handlers.

Why CI enforcement matters

Without CI enforcement, the rules file becomes wallpaper. Anyone can ignore it, including the AI. With enforcement — even a simple grep-based check that fails the build on rule violations — it becomes a contract.

The AI learns the rules because every PR that violates them turns red. Engineers learn the rules for the same reason. The rules sharpen because rules that catch nothing in six months get deleted.

What we measured

Across two teams that adopted this in 2026, recurring AI-introduced issues in PR review dropped by roughly 70% within six weeks. Rule count stabilized around 25–40 lines after three months — small enough to load on every session, dense enough to matter.

It's not AI safety. It's just engineering hygiene applied to a new collaborator.

Continue the conversation

Found this useful?

If something here resonated — or you disagree — I'd like to hear it. Most of my best thinking has come from someone pushing back.

Connect on LinkedInWhatsAppGitHubEmail