AI Assisted Development Guidance #128

Open
VickM29-bit wants to merge 4 commits into cisagov:develop from VickM29-bit:vickM29-bit/ai-assisted-development-guidence

VickM29-bit commented May 20, 2026

Add AI-assisted development and agent guidance

🗣 Description

This PR adds security-minded guidance for AI-assisted software development and
AI agent configuration.
The changes introduce:

  • A new ai-assisted-development.md guide covering responsible use of
    AI-assisted development tools such as Cursor, Claude Code, GitHub Copilot,
    OpenAI Codex, and similar systems.
  • A new ai/ directory with guidance for:
    • Rules
    • Skills
    • MCP servers
    • Coding agents
    • Non-coding agents
  • Updates to the top-level README.md so the new guidance is discoverable.

The guidance treats AI-generated outputs as untrusted until reviewed, tested,
and validated by a human contributor. It emphasizes conservative use,
protection of sensitive information, least privilege, human approval gates,
reviewable outputs, configuration ownership, and small auditable changes.

💭 Motivation and context

AI-assisted development tools and agents are increasingly used in software
engineering workflows. This PR provides concise, security-minded guidance for
using these tools in a regulated or security-conscious environment without
favoring a specific vendor or relying on hype.
The guidance addresses practical risks including:

  • Exposure of secrets, credentials, proprietary code, PII, CUI, and other
    sensitive information.
  • Hallucinated APIs, insecure implementations, outdated dependencies, and
    incorrect generated content.
  • Insufficient human review of AI-generated code or agent-produced artifacts.
  • Licensing and provenance concerns for generated code.
  • Overly broad agent permissions, uncontrolled tool use, and agent actions
    without human approval.
  • MCP server configuration that expands an agent's reach without adequate
    review.

This PR does not establish new legal, procurement, privacy, records management,
accessibility, ATO, or sector-specific policy. Where those concerns apply, the
new guidance directs teams to engage the appropriate authoritative documents
and responsible teams.

🧪 Testing

This is a documentation-only change.
Local validation performed:

  • Reviewed the new Markdown files for consistency with the repository's
    documentation style.

  • Verified new content follows the repository's Markdown conventions,
    including ATX-closed headings and line-length expectations for new content.

  • Checked edited Markdown files for local lint diagnostics.

  • Confirmed the new AI guidance is linked from the top-level README.md.

  • GitHub Actions ran the full pre-commit suite.

  • Markdown, formatting, shell, Python, Ansible, and other applicable
    hooks passed.

  • pip-audit initially failed on transitive dependency pyjwt
    (PYSEC-2025-183), which is unrelated to this documentation change.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
  • All new and existing tests pass. (This was attempted but pre-commit hooks were blocked by local IT policy - VickM29-bit)

✅ Pre-merge checklist

  • Revert dependencies to default branches.
  • Finalize version.

✅ Post-merge checklist

  • Create a release (necessary if and only if the version was bumped).

jsf9k added the documentation label May 20, 2026
jsf9k requested a review from h-m-f-t May 20, 2026 16:01
Labels

documentation This issue or pull request improves or adds to documentation

6 participants