Regulating the Machine Contributor: Governance and Policy Alignment in Open Source

Date: 2026-06-12
Citations: 0 (influential: 0)

AI Summary
This study addresses the challenges posed by autonomous or semi-autonomous AI contributors to human-centric open-source governance mechanisms, which have led to policy fragmentation and misalignment with emerging AI regulations. Employing a most-similar systems design, the research combines policy text analysis, indicator coding, and process tracing to comparatively examine AI contribution policies across six open-source organizations. It proposes the first six-dimensional governance taxonomy and a policy maturity scoring framework specifically tailored for open-source AI contributions. The analysis identifies critical governance failures in dimensions such as disclosure, accountability, and oversight, and reveals significant coordination gaps between existing policies and international AI regulatory standards. Building on these findings, the study outlines an initial, calibratable, tiered coordination governance framework to bridge these disconnects.
Abstract
AI-assisted software development has moved from line-level autocomplete to agents that can plan changes, edit files, and submit pull requests with limited human supervision. Open-source software, however, evolves through a process designed for humans: contributor agreements, codes of conduct, and review norms all assume a legally accountable person who can attest to provenance and answer reviewer questions. Autonomous and semi-autonomous AI contributors strain those assumptions, and the 2025-2026 record of agent-driven incidents, AI-generated nuisance volume, and platform-level shutdowns shows that the gap is operationally consequential. Several open-source organisations have responded with contribution policies, but the result is fragmented, and its alignment with emerging AI governance frameworks (EU AI Act, NIST AI RMF with the UC Berkeley Agentic AI Profile, ISO/IEC 42001 and 23894) is unmapped at the contribution level. We compare policies across six organisations (SymPy, LLVM, matplotlib, OpenInfra, the Apache Software Foundation, and the Linux Foundation) using Most-Similar Systems Design with indicator-based coding and process tracing for SymPy and LLVM. From this we derive a six-dimensional taxonomy (disclosure, responsibility, human oversight, licensing, enforcement, maintainer workload), an ordinal Policy Maturity Score, and a mapping of documented agent incidents onto the dimensions each policy fails to govern. Aligning the dimensions with the regulatory frameworks above identifies overlapping gaps neither side currently closes, and we close by sketching the shape of a harmonised tiered framework and the empirical evaluation needed to calibrate it.
Problem (topics)

- AI governance
- open source software
- AI contributors
- policy alignment
- regulatory frameworks

Innovation (topics)

- AI governance
- open source policy
- agentic AI
- policy alignment
- contributor accountability