Code Review With AI
Tech Lead
AI catches style and common bugs. It doesn't catch 'this will break in 6 months when we add feature X.' You own the roadmap context.
Appsec
AI finds known vulnerability patterns. It misses business-logic flaws and 'would an attacker think of this?' — that's human work.
Backend
AI flags SQL injection. It doesn't flag 'this query will timeout at scale.' Performance and scale are your domain.
TL;DR
- AI catches: style issues, common bugs (null checks, off-by-one), known security patterns (SQL injection, XSS).
- AI misses: architectural fit, "will this scale?", business logic correctness, and team conventions.
- Use AI for the first pass. You do the second pass — the one that asks "should we build this at all?"
Code review is one of the highest-leverage uses of AI in dev workflows. It's also one where over-trust gets you in trouble.
Current reality: AI agent participation in PRs grew from 1.1% (Feb 2024) to 14.9% (Nov 2025), roughly a 14x increase. Three tools dominate: CodeRabbit (632K+ PRs), GitHub Copilot (561K+ PRs), and Google Gemini (175K+ PRs), together about 72% of that activity. In large orgs (1,000+ employees), 100% report using AI for automated security reviews. But 65% of developers say AI tools "miss relevant context", which is the #1 pain point. Tools like Qodo now offer specialist-agent review (security, performance, correctness, observability) and "Context-First Review", where context is a required input rather than a nice-to-have. Yet without severity-driven triage, critical issues get buried. AI triages; you decide.
What AI Catches
Style and Consistency
- Formatting. Unused imports. Naming conventions.
- AI is good at "this doesn't match the rest of the codebase" when it has context.
Common Bug Patterns
- Null/undefined access. Missing error handling. Resource leaks (unclosed connections, file handles).
- Off-by-one errors. Wrong loop bounds. Race conditions in simple async code.
- AI has seen these thousands of times. It spots them fast.
Known Security Issues
- SQL injection. XSS. Hardcoded secrets. Insecure deserialization.
- AI knows OWASP. It'll flag the textbook stuff.
- What it won't flag: custom auth logic, business-logic bypasses, "would a motivated attacker exploit this?"
Simple Logic Errors
- "This condition is always true." "This variable is never used." "You're comparing string to number."
- AI is reliable for the mechanical checks.
What AI Misses
Architectural Fit
- "This adds a circular dependency."
- "This pattern will make it hard to add multi-tenancy later."
- "We're trying to get off this legacy system — why are we adding more coupling to it?"
- AI doesn't know your roadmap or your tech debt strategy.
Performance and Scale
- "This query is O(n²) — it'll be fine for 100 rows, death at 100K."
- "This endpoint will get called 10K times/sec. No caching?"
- AI doesn't profile. It doesn't know your load.
Business Logic
- "Refunds should require manager approval over $500. This code doesn't."
- "We can't charge before the trial ends. This does."
- AI doesn't know your business rules. It can't verify correctness.
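An added example, not code from the original page, that puts the "Known Security Issues" and "Business Logic" points side by side. Three versions of a constructed refund handler run against an in-memory SQLite table: v1 builds SQL with an f-string (the textbook injection a pattern-based reviewer flags), v2 fixes the injection with a parameterized query but still lets anyone refund any amount, and v3 enforces the page's hypothetical rule that refunds over $500 need manager approval. A small regex scanner stands in for the mechanical first pass: it flags v1 and passes v2 and v3, because the v2 defect is a missing rule, not a pattern. The table, the order data, the `$500` threshold, and the `Reviewer` type are all assumptions made for the example.

```python
import inspect
import re
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed business rule (from the page's example): refunds above this need a manager.
MANAGER_APPROVAL_THRESHOLD = 500.00


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two orders, neither refunded yet."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id TEXT PRIMARY KEY, amount REAL, refunded INTEGER DEFAULT 0)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, 0)", [("A1", 120.0), ("B2", 2400.0)])
    conn.commit()
    return conn


# v1: string-formatted SQL. This is the pattern an AI reviewer reliably flags.
def refund_v1(conn: sqlite3.Connection, order_id: str, amount: float) -> int:
    cur = conn.execute(f"UPDATE orders SET refunded = 1 WHERE id = '{order_id}' AND amount >= {amount}")
    conn.commit()
    return cur.rowcount  # rows refunded


# v2: the "AI-suggested fix". Parameterized, injection gone, but no approval rule at all.
def refund_v2(conn: sqlite3.Connection, order_id: str, amount: float) -> int:
    cur = conn.execute("UPDATE orders SET refunded = 1 WHERE id = ? AND amount >= ?", (order_id, amount))
    conn.commit()
    return cur.rowcount


@dataclass
class Reviewer:
    """Hypothetical approver identity; in a real system this comes from your auth layer."""
    user: str
    is_manager: bool


# v3: what the human pass adds: the business rule enforced in code, before the write.
def refund_v3(conn: sqlite3.Connection, order_id: str, amount: float, approver: Optional[Reviewer]) -> int:
    if amount > MANAGER_APPROVAL_THRESHOLD and not (approver and approver.is_manager):
        raise PermissionError(f"refund of {amount:.2f} requires manager approval")
    cur = conn.execute("UPDATE orders SET refunded = 1 WHERE id = ? AND amount >= ?", (order_id, amount))
    conn.commit()
    return cur.rowcount


# Stand-in for the mechanical security pass: SQL keywords inside an execute() call
# whose string is built with an f-string brace, %s, or + concatenation.
SQLI_PATTERN = re.compile(r'execute\(\s*f?["\'].*(UPDATE|SELECT|INSERT|DELETE).*(\{|%s|\+)', re.I)


def pattern_scan(source: str) -> List[str]:
    """Return the source lines the pattern check would flag."""
    return [line.strip() for line in source.splitlines() if SQLI_PATTERN.search(line)]


def scan_versions() -> Dict[str, List[str]]:
    """Run the pattern scan over each handler's source; only v1 should be flagged."""
    return {name: pattern_scan(inspect.getsource(fn))
            for name, fn in (("v1", refund_v1), ("v2", refund_v2), ("v3", refund_v3))}


def demo() -> dict:
    """Exercise all three handlers on the constructed data and report what each allowed."""
    results = {}
    # v1: a classic tautology in order_id refunds every order, not just A1.
    results["v1_injected_rows"] = refund_v1(setup_db(), "A1' OR '1'='1", 0.0)
    # v2: correct SQL, wrong for the business: a $2,400 refund with nobody approving it.
    results["v2_large_refund_no_approval"] = refund_v2(setup_db(), "B2", 2400.0)
    # v3: same request is refused without a manager, allowed with one.
    conn = setup_db()
    try:
        refund_v3(conn, "B2", 2400.0, approver=None)
        results["v3_blocked"] = False
    except PermissionError:
        results["v3_blocked"] = True
    results["v3_with_manager"] = refund_v3(conn, "B2", 2400.0, Reviewer("maria", is_manager=True))
    results["scan"] = scan_versions()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the scan result is the clean bill v2 gets: nothing in the diff between v1 and v2 looks wrong to a pattern matcher, and a reviewer who only reads the tool's output would approve a handler that refunds $2,400 to anyone who asks. The check that catches it is the one that knows the rule, which is the reviewer with the ticket open.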
Team and Org Context
- "We're deprecating this API in Q3. Don't add new usages."
- "This violates our incident response playbook."
- AI doesn't sit in your meetings.
How to Use AI for Code Review
- Run AI first. Get the style, security, and obvious-bug pass. Triage its suggestions.
- You do the "so what?" pass. Does this fit our architecture? Our roadmap? Our conventions?
- Don't delegate "approve" to AI. AI says "looks fine" on code that's correct but wrong for your context. You own the final call.
- Use AI for your own PRs before submitting. Catch the low-hanging fruit before your teammates spend time on it.
Quick Check
AI flags SQL injection and suggests a fix. What can AI NOT catch in the same review?
Answer, from the sections above: whether the surrounding auth and business rules are right (custom auth logic, business-logic bypasses), whether the query survives your load, and whether the change fits your architecture, roadmap, and conventions.
Without AI, for comparison: you manually read every line. Check style, security, logic. Cross-reference the ticket and architecture docs. 30–60 minutes per PR.
Do This Next
- Run AI review on one open PR using CodeRabbit, Copilot, or Gemini. Compare what it catches vs. what you'd add. 65% of devs say AI misses context; you're testing that gap.
- Add one "AI wouldn't catch this" comment to your next review. Architecture fit, roadmap impact, or team convention. Make the human value explicit.