Be honest with yourself for a second. In the last year of your career—before AI could spit out a working feature in ninety seconds—how many pull requests did you actually read? Line by line, logic by logic, edge case by edge case? Or did you scroll to the bottom, see that it was your teammate Sarah who wrote it, remember that Sarah writes solid code, and click Approve?
I did it too. For years. And I bet most of us did.
That quiet little habit—approving because we trust the human, not because we verified the code—is the reason code review feels like it’s on fire right now. Because the human isn’t writing the code anymore. The machine is. And the machine doesn’t earn trust the way a colleague does.
The bottleneck moved, and nobody sent a memo
For most of my career, the constraint in software delivery was writing the code. Reviewing was the fast part—a formality we squeezed in between “real work.” Then vibe coding happened.
The term was coined by Andrej Karpathy in 2025, named Collins Dictionary’s Word of the Year, and adopted by an estimated 92% of US developers. The economics of building software inverted almost overnight. You describe what you want in plain English, and functional code appears. What used to take two days now takes twenty minutes.
So where did the time go? It didn’t disappear—it slid downstream. Straight into review. The numbers are brutal:
- Teams with high AI adoption completed 21% more tasks and merged 98% more pull requests.
- But PR review times went up 91%, and the PRs themselves got larger.
- In one 2025 study, senior engineers spent 4.3 minutes reviewing an AI-generated suggestion versus 1.2 minutes for human-written code.
Read that last point again. We review machine code almost four times longer than we review our colleagues’ code. That’s not a bug in our behavior—it’s a rational response. And it’s exactly why the queue is backing up.
The bottleneck didn’t vanish. It moved from the keyboard to the reviewer’s screen, and it got heavier on the way.
Why review used to be a no-brainer (and why that was a lie we told ourselves)
Here’s the uncomfortable truth I’ve come to accept from leading teams: a huge share of “code review” in the pre-AI era was never really review. It was social ritual.
Think about what actually happened in a healthy team:
- You knew the person who wrote the code.
- You’d seen their work for months or years.
- You trusted their judgment, their tests, their instincts.
- And—let’s be really honest—you didn’t want to bruise their feelings by nitpicking every line.
Researchers draw a sharp line between trust (“I expect your future actions to serve my interests”) and psychological safety (“I feel safe being myself in this group”). Both are wonderful for team health. Both also quietly lowered the bar for how hard we scrutinized each other’s code. We approved fast because monitoring a trusted peer felt unnecessary—and challenging them felt aggressive.
That model worked because a person was accountable. If Sarah shipped a bug, Sarah learned, Sarah grew, and Sarah’s next PR was better. The trust compounded.
Now ask yourself: who do you trust when the code was generated by a model that has no memory of your codebase, no stake in your product, and no capacity for embarrassment?
You can’t extend social trust to a statistical text generator. So the entire foundation review was quietly built on—interpersonal trust—just evaporated. And what’s left is the part we were never very good at: actually reading the code.
AI code needs a different review, not just a longer one
The instinct is to say “well, we just need to review harder.” That’s only half right. The bigger shift is that we’re reviewing for different things.
When a human wrote the code, the main risk was correctness—did they get the logic right? When AI writes the code, correctness is often fine on the surface. The new risks are subtler and, frankly, more dangerous:
- Necessity. AI loves to produce code. Lots of it. Is this abstraction, this dependency, this 40-line helper actually needed—or did the model pad the answer?
- Security. Studies consistently find that a large share of AI-generated code ships with vulnerabilities—one analysis put it at 45%. The model confidently writes insecure patterns because it saw them thousands of times in training.
- Silent drift. Domain-boundary violations, inconsistent naming, documentation that no longer matches behavior. The code compiles, the tests pass, and the architecture slowly rots.
- Volume-driven blindness. CodeRabbit found AI-written code surfaces 1.7× more issues than human-written code, and nearly half of developers say debugging AI output takes longer than fixing a human’s code.
As one engineer put it beautifully: reviewing AI code isn’t about validating correctness anymore—it’s about judging necessity.
Let me show you what “judging necessity” looks like in practice. Ask an AI to “add a helper to format a user’s display name,” and you often get something like this:
// What the AI generated
function formatDisplayName(user, options = {}) {
const config = {
fallback: options.fallback ?? "Anonymous",
capitalize: options.capitalize ?? true,
maxLength: options.maxLength ?? Infinity,
separator: options.separator ?? " ",
};
let name = [user?.firstName, user?.lastName]
.filter(Boolean)
.join(config.separator);
if (!name) name = config.fallback;
if (config.capitalize) {
name = name.replace(/\b\w/g, c => c.toUpperCase());
}
if (name.length > config.maxLength) {
name = `${name.slice(0, config.maxLength - 1)}…`;
}
return name;
}
It’s not wrong. The tests would pass. But your app only ever needed this:
// What the codebase actually needed
const formatDisplayName = user =>
[user?.firstName, user?.lastName].filter(Boolean).join(" ") || "Anonymous";
A human reviewer trusting a human author would have approved the first version without blinking—“looks thorough, nice job.” An AI-era reviewer has to catch that four of those five options will never be called, that maxLength truncation is a UI concern that doesn’t belong here, and that you just adopted 20 lines of maintenance burden for a one-liner. That is the new job.
So yes—review is the new bottleneck. Now what?
If your instinct is to gate the flood with more human eyeballs, you’ll lose. Humans don’t scale at machine speed, and forcing them to try just produces exhausted engineers rubber-stamping 600-line diffs. We’re already seeing the damage: one 2026 benchmark found incidents per pull request rose 23.5% year over year even as PRs per author climbed 20%. Code is shipping faster. Quality is not keeping up.
Here’s my honest take: if AI created the bottleneck, AI has to help clear it. You fight fire with fire.
AI code review tools have gotten genuinely good. Across 5,000 repositories that onboarded AI reviewers, teams saw 10–20% faster median PR completion, with 85% developer satisfaction. Catch rates vary a lot by tool—recent benchmarks put Greptile around 82%, CodeRabbit in the mid-40s—so pick deliberately and measure. The point isn’t the leaderboard; it’s that a machine can do the first, exhausting pass that humans keep skipping.
Wiring an AI reviewer into your pipeline is trivial these days:
# .github/workflows/ai-review.yml
name: AI Code Review
on:
pull_request:
types: [opened, synchronize]
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run AI reviewer
uses: your-ai-reviewer/action@v1
with:
api-key: ${{ secrets.AI_REVIEW_TOKEN }}
# Fail the check on security findings, comment on the rest
fail-on: security
But—and this is the part people skip—the AI reviewer is not the reviewer. It’s the linter’s smarter cousin. It handles the mechanical, tireless layer so your humans can spend their limited attention where it actually matters.
What humans should still own
Automation should absorb everything that a machine can decide deterministically. Push it hard:
- Linters and formatters for style—stop reviewing whitespace.
- Static analysis for known security patterns.
- Automated tests for logic, and contract tests for API changes.
- AI reviewers for the first pass on necessity, drift, and obvious smells.
That frees your people for the things no model can judge:
- Context. The historical decisions, the “we tried that in 2023 and it broke billing,” the integration seams only a veteran knows.
- Compliance and judgment. Where separation of duties is legally required, a human has to sign.
- Necessity at the system level. Does this feature even belong? Does this abstraction earn its keep?
And two process changes matter more than any tool:
- Small batches. Review the AI’s output against the spec in small chunks before you open a monster PR. Defect detection collapses past a few hundred lines—for humans and AI alike.
- Define “done” up front. Write your acceptance criteria in plain language before the first line of code. When the definition of correctness exists before generation, review stops being the place you discover whether the code is right.
The reviewer’s role is shifting from “reader of every line” to judge of structured findings. That’s not a demotion. It’s a promotion into the part of the work that was always the most valuable and the most human.
The metaphor I keep coming back to
For years, code review was a friendly neighborhood border crossing. You knew the guard, the guard knew you, a nod and a wave and you were through. It worked because both sides were people with reputations and relationships.
Vibe coding turned that quiet crossing into a major international airport overnight. The traffic multiplied a hundredfold, and half the travelers now arrive with no passport, no history, and no reason to care whether they get through. You cannot wave them past with a nod anymore—and you cannot personally frisk every single one without the whole terminal grinding to a halt.
So you build the modern airport. Automated scanners handle the first pass at machine speed. Clear lanes separate the routine from the suspicious. And your most experienced officers stop checking boarding passes and start doing the one thing machines can’t: using judgment about who—and what—actually belongs on the other side.
The bottleneck didn’t appear because review got harder. It appeared because we were finally forced to do the reviewing we’d been waving through for years. Build the airport.