This article is part of the How Do YOU CM2? blog series in collaboration with the Institute for Process Excellence (IpX). Although I receive compensation for writing this series, I stand behind its content. I will continue to create and publish high-quality articles that I can fully endorse. Enjoy this new series, and please share your thoughts!
When a Tier 1 automotive supplier receives an AI-approved engineering change showing 87% confidence that the modified brake component still matches its production baseline, the organization faces a question they can’t currently answer: is 87% good enough to release to the floor? The configuration manager doesn’t know, because the CCB charter has no policy for probabilistic approval thresholds. The manufacturing engineer doesn’t know, because the standard operating procedure assumes binary conformance: the part either matches revision D or it doesn’t. The quality engineer at the customer doesn’t know, because IATF 16949 was written for deterministic inspection systems, not probabilistic AI outputs.
The gap between capability and governance is widening. Industry has pragmatically adopted AI where return on investment is demonstrable, while configuration management standards remain largely silent on these developments. SAE EIA-649 defines five core functions without constraining implementation mechanisms. This flexibility permits AI adoption but provides no framework for validating probabilistic outputs against deterministic compliance requirements.
Where AI Actually Operates in Configuration Management
Evidence for AI in configuration management is primarily found in vendor documentation and industry case studies rather than in peer-reviewed research. Adoption has been driven by commercial solutions addressing specific pain points. The maturity varies considerably across SAE-649’s five functions.
Configuration Status Accounting has seen the most mature deployment. BOM quality tools, such as OpenBOM’s AI-powered checks, scan for duplicate parts, missing quantities, and inconsistent units using natural language processing and fuzzy matching. This addresses real pain: an as-released BOM and an as-maintained BOM that have silently diverged create exactly the supplier-version confusion that leads to wrong parts being shipped, lines stopping, and warranty claims months later. AI that catches BOM inconsistencies before release carries low stakes and recoverable failure modes.
Change Management is where AI encounters its most consequential governance gap. AI-powered CCB agents can automate data collection and initial impact assessment. But the CCB processes three meaningfully different document types: engineering changes (permanent configuration modifications), deviations (approved departures before the fact), and waivers (accepted nonconformances after the fact). Each carries different authority, approval chains, and contractual implications. Applying AI uniformly, without governance requirements, is not automation maturity; it is governance risk transferred to whoever sets the automation rules.
Requirements Traceability has evolved from manual link maintenance to AI-assisted generation and validation. A case study showed approximately 50% reduction in manual maintenance effort, though accuracy varies significantly based on domain training and documentation quality. The amplification dynamic here is important: a strong existing documentation discipline yields reliable AI-assisted traceability; a weak documentation discipline yields weak automation, with higher confidence scores than the underlying quality warrants.
Configuration Identification and Verification remain largely manual, and the reason is important to name correctly. It is not primarily that the technology is immature; BOM validation research has achieved 98.7% reproducibility fidelity in controlled settings. The barrier is that verification in regulated programs is tied to formal audit processes, the Functional Configuration Audit and Physical Configuration Audit, which require human sign-off against a defined baseline by contractual and regulatory obligation. Those obligations distinguish between what AI can technically do and what governance currently permits it to do autonomously.
The Determinism Problem
Configuration management operates on deterministic principles: a configuration item either matches its baseline or it doesn’t. As Oleg Shilovitsky notes, “Traditional PLM systems remained fundamentally deterministic. Run a query two times, and the system executes predefined logic and returns the same output every time. AI introduces probabilistic computation into enterprise engineering software for the first time; run the same request twice, and the output might vary.”
This represents “the collision between deterministic rule-driven systems and probabilistic reasoning engines”. The real paradigm shift is not the presence of AI features, but this fundamental architectural tension. As Shilovitsky warns, “AI is probabilistic, not deterministic. It will be wrong sometimes, and sometimes wrong in ways that are hard to detect automatically.”
Current configuration management standards provide no framework for addressing this. When should an 85% confidence threshold trigger manual review? At what level of precision does automatically identified traceability become trustworthy for audit purposes? These decisions are made daily based on organizational policy rather than industry standards.
The scale of this challenge becomes clearer in aggregate. Assessments of agentic AI find that even best-performing systems complete only around 30% of multi-step tasks correctly, meaning the majority of complex workflows require human correction. Applied to enterprise CM, these figures reframe the question of governance. It is not whether AI will fail; it is whether the organization will know when it has. When should an 85% confidence threshold trigger manual CCB review? At what level of precision does AI-generated traceability become trustworthy for formal audit purposes? Because no formal standard exists, organizations end up governed by whatever informal habits and ad hoc decisions fill the gap.
The Complacency Risk
Perhaps the most overlooked danger in AI-assisted configuration management is the erosion of human expertise through over-automation. Aviation has already encountered this pattern with flight automation: research on automation-induced skill fade demonstrates that pilots who rely heavily on autopilot systems show degraded manual flying skills. When AI consistently provides correct answers, humans stop developing the judgment needed to recognize when AI recommendations are wrong.
In configuration management, the equivalent is beginning to surface. Configuration managers who have only ever reviewed AI-pre-assessed change requests are losing the ability to construct an independent impact analysis. The CM2 framework, developed by IpX, identifies impact analysis as a core competency rather than as an output to be reviewed. When that competency atrophies, the first signal is often an audit finding, because the organization has been producing compliant-looking outputs without the underlying reasoning that makes them trustworthy.
The pattern extends further. Quality engineers who rely on automated deviation flagging stop developing the judgment to recognize anomalies that the system was not trained to detect. Manufacturing engineers working from AI-validated release packages stop building the intuition for when something doesn’t look right before the floor runs it. When the AI is correct 97% of the time, the 3% becomes undetectable without the baseline competency that automation has eroded.
Automation strategy must therefore include a deliberate competency preservation component: a definition of which judgment capabilities must be exercised through human practice, even when automation could technically perform the task.
What’s Actually Missing
The mainstream discourse on AI in configuration management focuses overwhelmingly on efficiency: faster change processing, reduced errors, automated status updates. What receives insufficient attention is the organizational and governance dimension. When AI performs impact analysis for an engineering change in an automotive braking system, what constitutes adequate validation of that analysis? When machine learning identifies configuration discrepancies in avionic software builds, how do auditors verify the AI’s decision process?
A second dimension the prevailing discourse has not addressed is the regulatory exposure created when AI systems are trained on controlled technical data. Configuration management in defense and aerospace operates within the ITAR and EAR frameworks that govern the handling of controlled technical information. When an AI system is trained on historical change records, interface control documents, or specification data from restricted programs, the model itself may constitute a controlled item under applicable export regulations. The question of where training data originates, who processes it, and under what jurisdictional conditions the resulting model can be deployed has not been addressed in published CM guidance. The intersection of machine learning and export control is genuinely uncharted: federated learning approaches that allow a model to learn from distributed data without raw data crossing jurisdictional boundaries address some sovereignty concerns while introducing a traceability problem of their own. The model’s learned configuration has no documented genealogy that a configuration audit could reconstruct. Organizations treating AI adoption as a purely technical decision while operating across international defense supply chains are accumulating regulatory exposure they have not yet been asked to explain.
The cultural dimension compounds both risks. When AI automates impact analysis and approval routing, the CM role shifts from analysis to validation of AI-generated analysis. This is not a task substitution. It is a fundamental change in where expertise is applied and what organizations need to invest in developing.
The question of data provenance is particularly acute in regulated industries. When AI recommends a specific configuration based on machine learning from historical data, what happens when that historical data contains biases, errors, or unrecognized assumptions? AI automation can propagate historical errors at scale before human review intervenes.
Where AI Should Go Next
The near-term opportunity lies in developing hybrid approaches that combine AI capabilities with human judgment to satisfy deterministic governance requirements. Several technical approaches could bridge this gap:
Confidence-weighted traceability would treat automatically identified trace links as probability distributions with provenance metadata. A trace link identified with 95% confidence may be marked “AI-generated, verified” after human confirmation, whereas links with less than 70% confidence require mandatory manual review. This preserves audit trails that indicate whether traceability was algorithmically derived or human-confirmed.
Explainable impact analysis would make AI reasoning explicit: “This ECU firmware change likely affects thermal management because analysis of 147 historical changes shows that modifications to power management routines correlate with thermal profile changes in adjacent cooling systems.” This transforms impact analysis from automation that replaces judgment to decision support that enhances judgment.
Context-aware anomaly detection would recognize that a configuration anomaly in a development environment might be intentional experimentation, whereas the same anomaly in a production baseline would indicate a compliance failure. Training AI systems to recognize contextual signals would reduce false positives while improving the detection of meaningful anomalies.
Regulatory-aware change routing would automatically map proposed changes to applicable requirements. Aerospace programs operate under AS9100 and DO-178C; automotive programs under IATF 16949 and ISO 26262; medical devices under FDA 21 CFR Part 820; defense programs under export control obligations that extend to the AI systems conducting the analysis. AI that flags when a change triggers regulatory notification obligations or when the change record involves controlled technical data surfaces compliance risk before approval, not at audit.
Scaffolded AI workflows address the context degradation that undermines multi-step CM tasks. As Benedict Smith has demonstrated with the scaffolding pattern, effective AI-assisted workflows require decomposing processes into atomic, verifiable units with explicit acceptance criteria, rather than asking AI to “complete this ECO” as a single open-ended task. The CM alignment is direct: organizations with rigorous CM baselines, clear change processes, and structured documentation already have what scaffolding requires. If a team cannot explicitly articulate its CM requirements to structure the workflow, that is not an AI adoption problem. It is a CM discipline problem that predates the AI.
These mechanisms have not yet been validated across the full range of program types and regulatory contexts where the CM discipline is most consequential. That validation requires organizations willing to implement carefully, document outcomes, and share findings.
The Governance Work That Hasn’t Been Done
The technical capability exists today to deploy AI substantially more aggressively in configuration management than current practice reflects. What’s missing isn’t better algorithms. It’s governance frameworks that specify acceptable error rates for different AI applications, validation requirements for probabilistic decision support, and audit approaches for systems that combine human and machine judgment.
SAE EIA-649 could be revised to explicitly address AI-assisted configuration management. Professional certification programs for configuration managers have not yet incorporated AI literacy into core competencies. Configuration managers increasingly need to evaluate AI recommendations, understand algorithmic limitations, and recognize when probabilistic outputs are appropriate versus inadequate for specific decisions.
Industry consortia could develop validated approaches to AI integration that balance the benefits of automation with governance requirements. What practitioners need are current best practices validated across multiple implementations.
Alternative Perspectives on AI Risk
The analysis presented here emphasizes governance gaps and risks of expertise erosion, but alternative perspectives warrant acknowledgment. Some practitioners argue that concerns about AI are overblown. that efficiency gains justify rapid adoption, and organizations will naturally develop appropriate guardrails through experience. Others contend that standards bodies should avoid addressing AI until the technology matures. Both positions have merit, but ignore the reality that practice currently outpaces governance frameworks, creating particular risk in safety-critical domains.
A third perspective holds that AI will naturally self-correct over time, learning from errors without requiring intensive data quality management. Research evidence suggests this assumption is incorrect. AI systems trained on flawed data systematically replicate those flaws unless data quality is actively managed.
These alternative views inform the analysis rather than undermining it. The efficiency benefits of AI in configuration management are genuine. The question isn’t whether to adopt AI, but how to integrate probabilistic tools into deterministic governance frameworks while preserving the human expertise that makes configuration management effective.
What This Means for Practice
AI is already transforming configuration management in specific domains where business value is clear and implementation risk is manageable. Data quality and anomaly detection are relatively mature. Requirements traceability and change impact analysis are emerging but require careful validation. Configuration verification and audit remain largely manual because the gap between probabilistic AI outputs and deterministic compliance requirements remains unbridged.
For practitioners considering AI adoption, the evidence suggests focusing on applications where errors are recoverable and AI serves to focus human attention rather than replace human judgment. Using machine learning to flag potential duplicate configuration items for manual review carries low risk. Using AI to automatically approve configuration changes in safety-critical systems without human validation carries a substantial risk that current governance frameworks don’t adequately address.
The path forward requires parallel development of technical capability and governance frameworks. The algorithms will continue to improve, but the value of configuration management in safety-critical systems derives from rigorous verification, clear accountability, and deterministic baseline control. AI can enhance those capabilities, but only if the discipline does the conceptual work needed to reconcile probabilistic tools with deterministic requirements.
The standards won’t evolve until practice demonstrates validated approaches worth standardizing. Practice won’t advance systematically without frameworks for evaluating risk and validating outcomes. Breaking this cycle requires organizations willing to implement AI carefully, document what works and what fails, and share lessons learned across industry boundaries.
AI can address CM’s scaling challenges, improve data quality, and maintain traceability, which manual processes cannot. Realizing that opportunity requires treating AI adoption and governance development as parallel workstreams rather than sequential ones. The organizations that benefit most will be those that do the governance work before the audit, not after.
What’s your experience with AI in configuration management or similar governance-critical domains? Have you encountered the tension between automation efficiency and the preservation of expertise? Share your perspective in the comments or reach out. These challenges benefit from cross-industry dialogue.