TYPESCRIPT / REACT · AI CATCHES THIS ✓
const fetchStory = async () => {
const data = await getStoryData(storyId);
setStory(data);
};
How AI review tools catch what humans miss, and where they still fall dangerously short.
Key Takeaways
Here's the short version. Scroll on for the full story.
- AI code review is a first pass reviewer, not a replacement for human judgment, the two serve fundamentally different purposes
- AI catches pattern-based issues consistently: async errors, null edge cases, security anti-patterns, missing hook dependencies
- What AI cannot do is understand your product, your team's decisions, or whether technically correct code is actually the right solution
- The biggest risk isn't the bugs AI misses, it's the false confidence that builds when teams start treating AI approval as a merge signal
- The best teams use AI to own the mechanical layer and protect human attention for architecture, business logic, and product alignment
- AI raises the floor. The ceiling is still set by human engineers.
SCENE
It was a Thursday afternoon. One of our senior engineers was deep into a critical feature, headphones on, completely zoned in. One of my PR notifications popped up on his screen. It was about 200 lines, mostly a refactor of the user data fetching logic in React. He quickly skimmed through it, saw familiar patterns, left a couple of small comments, and approved it saying: "Looks good to me."
Monday morning, our error tracker was screaming. A race condition in that “simple refactor” was causing intermittent data corruption for users on slow connections. The fix took half a day. The post-mortem took longer.
Nobody blamed the reviewer. He had three other PRs open, a sprint planning meeting at four, and a production incident from that morning still unresolved in another tab. He was tired, constantly context-switching, and the code looked fine.
This is the actual state of code review at most teams, not incompetent, not careless, just overwhelmed and human.
Now here's the uncomfortable question: would an AI have caught it?
Maybe. Maybe not. And that uncertainty, not the hype, not the fear, is exactly what we need to talk about.
We're at an interesting turning point in how software gets reviewed. Over the past couple of years, AI code review tools have quietly moved from "experimental curiosity" to something engineering teams are actually baking into their PR workflows. Not because of a top-down order, but because the tools got good enough that ignoring them started feeling like leaving value on the table.
But "good enough" is doing a lot of heavy lifting in that sentence. Because the gap between what AI review tools can do and what teams sometimes assume they can do is where things get genuinely risky. That's what we're going to dig into here with honest discussion, real code examples, and without pretending any tool is a silver bullet.
|
📊 84% of developers now use AI coding tools (Stack Overflow Developer Survey 2025) |
🔒 46% actively distrust the accuracy of AI output (Stack Overflow Developer Survey 2025) |
⚠️ +23.5% incidents per PR year-over-year as AI code volume grows (Cortex, Engineering in the Age of AI: 2026 Benchmark Report) |
Wide adoption, low trust, rising incidents. That’s the tension sitting at the center of every engineering team’s relationship with AI right now and it’s the exact tension this blog exists to unpack.
The Old World of Code Review
Without romanticizing it, let’s talk honestly about how code reviews really happen in software teams, not the perfect version shown in engineering blogs, but the real one where developers deal with deadlines, pressure, and human mistakes.
In theory: code review is a collaborative, thoughtful process where experienced engineers provide meaningful feedback on correctness, architecture, security, and long-term maintainability.
In practice: it's often a context-switching nightmare where someone glances at a git diff between two meetings and drops small comments before hitting approval.
Fast for small diffs, rubber-stamp for large ones: There’s a well-known phenomenon in software teams where a 10-line PR gets 14 comments, while a 500-line PR gets a quick “LGTM.” It’s not a joke. It’s cognitive load math. Large PRs take a lot more mental effort to review. When you're context-switching between your own feature work, a production investigation, and three Slack threads, approving a 300-line PR from someone you trust feels like a pragmatic call. You've worked with them for two years. You know how they write code. It's probably fine.
Most of the time, it is fine. But "most of the time" isn't the standard we want for production systems.
Good at catching surface-level stuff, bad at invisible logic: A human reviewer will spot a missing `await`, or a variable named `tmp2`, or a component that's using `useEffect` where it doesn't need to. They're less likely to trace whether a particular GraphQL resolver is accidentally exposing data that the calling component doesn't have authorization to request, especially if the resolver was written six months ago by someone who no longer works there.
There’s also the familiarity bias problem. Reviewers are usually good at catching issues in patterns they've seen before, but worse at spotting problems in code written in unfamiliar styles. That doesn’t always mean the code is bad, it just doesn’t match their mental pattern-matching the same way.
Junior engineers often have their code reviewed more strictly, while risky code written by senior engineers in clean, confident-looking styles can pass with little questioning. The same pattern might get flagged in one PR and praised in another, depending on who is reviewing, their experience, or even their mood that day.
This isn't a criticism of reviewers. It's just an accurate description of what the workflow actually is when our team is three sprints behind and everyone's carrying too much.
This is the kind of environment AI code review tools were introduced into, and in many ways, they are genuinely helping. Not because it's smarter than engineers. But because it's consistent in a way humans aren't.
Every engineering team has lived this. Nobody admits it out loud.
What Is AI Code Review and How Does It Work?
When people say “AI code review,” they’re usually talking about tools that sit in our PR workflow, between the code push and the human reviewer, and automatically analyze the git diff. These tools read changed files, try to understand the surrounding context, and leave comments about potential issues.
The better tools have moved far beyond simple lint-style pattern matching. They use LLMs with large context windows to understand what a function is trying to do, compare it against common failure patterns, and analyze related code around it. Some weaker tools are basically traditional linters with AI-style comments on top.
The tools we're encountering in the wild today include GitHub Copilot's built-in review, CodeRabbit, Sourcery, Qodo, Greptile, and others. We can also wire up Claude or other LLMs directly into our CI pipeline with a custom prompt if we want more control over the review behavior and tone. Each tool has different strengths, pricing models, and most importantly different failure modes.
No AI tool is as good as a focused, knowledgeable senior engineer reading your code carefully. What they are is consistent, tireless, and available at 2am when someone is pushing a hotfix and the rest of the team is asleep. That's a real advantage.
Benefits of AI Code Review: What AI Review Tools Catch That Humans Miss
A PR had been open for two days. Two senior engineers had reviewed it. One had left a couple of style suggestions, nothing structural. The other had approved it with a thumbs-up and a "looks good to me." The change was unremarkable on the surface: an async function that fetched data and updated component state.
Clean. Well-named. Logical. Two engineers had looked at it. None flagged anything. Then the AI reviewer ran.
The AI's comment was one sentence. It read:
The code had been correct in every scenario anyone had tested. The bug only existed in the gap between an `await` and a state update, visible only if you were specifically hunting for that pattern. The AI had seen it in under a second.
The suggested fix was a few lines:
useEffect(() => {
const controller = new AbortController();
const fetchStory = async () => {
try {
const data = await getStoryData(storyId, { signal: controller.signal });
setStory(data);
} catch (err) {
if (err.name !== 'AbortError') throw err;
}
};
fetchStory();
return () => controller.abort();
}, [storyId]);
That moment, quiet, slightly uncomfortable, is where a lot of engineering teams are right now. Not in a crisis. Not in a revolution. Just in a slow, meaningful shift that most of us haven't fully processed yet.
And that's one example. But it's not a fluke. AI reviewers are consistently good at a specific class of problems, the kind that can be identified directly from the code itself, without needing to understand your product, your team history, or why that function exists in the first place. Let’s look at some real examples.
1. Pattern Recognition at scale
One area where AI reviewers consistently shine is pattern recognition. AI tools have been trained on enormous amounts of code and real-world failure history.
Many bugs are not caused by complex algorithms or architectural mistakes. They're caused by small implementation details that look perfectly reasonable during review but behave differently at runtime.
Consider a React example:
TYPESCRIPT / REACT · AI CATCHES THIS ✓
// SubmitButton.tsx
const handleSubmit = useCallback(() => {
submitForm(formData);
}, []); // ← empty dependency array
At first glance, nothing looks suspicious.
The developer is trying to memoize the callback. The code is clean, readable, and appears intentional. A human reviewer scanning a large pull request might see it as a reasonable optimization and move on.
An AI reviewer, however, often recognizes a familiar pattern immediately.
A typical comment might look something like:
There is no crash. No console error. No failed test. The bug only shows up when a real user fills out a form, changes a field, and clicks submit. The request is then sent with the old values from when the component first loaded. By the time someone files a support ticket, the PR that introduced it is three sprints old and nobody remembers reviewing it.
The fix is straightforward:
const handleSubmit = useCallback(() => {
submitForm(formData);
}, [formData]); // ← formData in deps = always captures latest value
What makes this example interesting is that the original code is completely valid JavaScript. Depending on a team's tooling, it may pass linting, unit tests, and manual review without raising any concerns.
This is where AI review systems can provide real value.
They do not necessarily understand the feature, the business requirements, or the user's intent. What they do exceptionally well is recognize patterns that have historically led to bugs and surface them consistently across thousands of reviews.
A human reviewer might catch this issue.
An AI reviewer might catch it every time. That's pattern recognition at a scale no human reviewer can consistently replicate, across every PR, for every engineer, without getting tired, distracted, or trusting the author too much.
And that consistency is one of the strongest arguments for using AI as a first-pass reviewer.
2. Boundary conditions and edge cases humans skip
Human reviewers read code in the direction of "this is how it's supposed to work." AI tools are better trained to ask "what happens when it doesn't." Take something common:
return name
.split(' ')
.map(part => part[0])
.join('');
};
A human reviewer might nod and move on. An AI will flag: "If name is an empty string or contains only spaces, part[0] will be undefined." It's obvious in retrospect. It's the kind of thing that produces a silent `undefined` in UI three months later when a user submits a form with an empty display name.
3. Cross-Codebase Consistency at Scale
One area where AI genuinely outperforms humans: scale and consistency. A human reviewer looks at one PR in isolation. An AI tool with codebase context can notice that your new component handles loading states completely differently from the other 14 components that do the same thing. That kind of cross-file consistency checking is exhausting for humans and effortless for a well-configured AI. It can flag these patterns consistently, across every PR and for every engineer, without getting tired or distracted.
|
AI CATCHES WELL ✓ |
AI MISSES BADLY ✗ |
|
- Unhandled promise rejections and async edge cases - Null/undefined access on optional fields - Security anti-patterns (console.log, over-fetching) - Missing error boundaries and try/catch blocks - Dead code, unused imports, unreachable conditions - Inconsistent error handling across similar components - Missing dependency arrays in useEffect / useCallback - Known vulnerability patterns in library usage |
- Business logic that’s correct code but wrong feature behavior - Violations of team’s architectural decisions - Code that contradicts the actual ticket requirements - Cross-file interactions that only appear at runtime - State management pattern violations (Jotai, Redux, etc.) - Whether this approach fits the product roadmap - Context from past PRs, team decisions, or design docs - When technically correct code is simply the wrong solution |
Limitations of AI Code Review: Where AI Reviewers Still Fail
This is the section that matters most, and the one I really want you to read. Because everything above, the caught bugs, the security flags, the consistency checks, those are real. But they come packaged with a risk that’s easy to underestimate: AI review creates a powerful illusion of thoroughness.
It Has No Idea What Your Product Does:
This is the most fundamental limitation of AI code review tools, and no amount of tool improvement will fully solve it without explicit product context injection. AI sees code. It doesn’t see requirements, user stories, business constraints, or the three-day discussion that led to a particular architectural decision.
An AI reviewer mainly sees the code diff in front of it. Human reviewers, on the other hand, carry team knowledge and historical context. They often know why a particular decision was made, what problems existed before, and which trade-offs the team intentionally accepted.
It Can Confidently Recommend a Pattern That’s Broken:
This one is subtler and scarier. AI tools trained on your codebase will sometimes say “align this with how module X handles it.” Here the problem is: what if module X has a bug? The AI has just guided you toward a broken pattern with complete confidence and zero self-awareness that the pattern is broken.
REAL RISK
False Confidence Is the Worst Outcome:
Here’s what quietly worries many experienced engineers about AI review: it’s not just the bugs AI misses. It’s what can slowly happen to a team’s review culture when people start treating AI approval as a strong signal that code is safe to ship.
Over time, the question changes from: “Has someone who truly understands this system carefully reviewed this change?” to “The AI didn’t flag anything, and a human took a quick look, so it’s probably fine.”
That change happens slowly. Nobody intentionally decides to review code less carefully. But PR after PR, AI reviews can create the feeling that the code has already been checked properly. Over time, teams can become less rigorous in reviews, not because people stopped caring, but because the AI created a false sense of safety.
The "No Production Signal" problem:
Good human reviewers review with a mental model of production: what does this code do under real traffic? What happens at 3am when this Lambda cold-starts and this DynamoDB read takes 400ms instead of 40ms? What happens if this GraphQL mutation gets called twice in quick succession by a flaky client?
AI tools don’t truly understand real production environments. They can analyze code structure and common patterns, but they cannot fully predict how complex distributed systems behave under real-world load and failures.
Problems like race conditions, timing-related bugs, or failures caused by bad retry logic often require real operational experience to notice. That kind of practical production intuition is something AI still does not have.
How AI Code Review Is Changing Software Engineering Standards
Whether teams planned for it or not, AI code review is already changing how code reviews work in real software teams at the PR level. Here’s what’s actually happening in practice, beyond the marketing examples.
The Two-Phase Review Is Becoming Standard
In teams using AI review thoughtfully, PRs are increasingly going through two stages. First, the AI automatically reviews the PR as soon as code is pushed. Then a human reviewer checks the PR, usually starting from the AI’s findings instead of reviewing everything from scratch.
When it works, that’s a genuinely good outcome. Human reviewers can spend less time on repetitive checks and more time thinking about architecture, business logic, scalability, and system behavior. The risk is when the human review gets compressed because everyone assumes the AI already checked everything important.
AI Is Becoming a Triage Layer
In teams with large numbers of PRs, AI review is acting as a triage layer. Only PRs that pass the initial automated checks move meaningfully onto senior engineer’s radars. This is compressing cycle times for clean, bounded changes, which is legitimately good. It’s also creating a subtler problem: AI-flagged PRs sometimes stall, because no one wants to be the human who approved something the bot flagged. Over time, the AI’s opinion can start carrying more influence than it probably should.
Reviewers Are Shifting Toward Architecture and Intent
The best outcome from widespread AI review isn't faster merges or fewer lint comments. It's this: senior engineers are increasingly getting their attention back. They can spend more time focusing on the bigger picture.
When AI handles the mechanical layer, the null checks, the missing awaits, the inconsistent error handling, human reviewers can finally spend their energy on the questions that actually require judgment. Is this the right solution for this problem in this system at this moment? Is this going to become a scalability problem six months from now when traffic doubles? Does this decision conflict with something the team agreed on in the last architecture discussion that the author might not have been in the room for?
These are the questions that separate a good review from a checkbox. They're also the questions that get skipped most often when a reviewer is already mentally exhausted from checking whether every async function has proper error handling.
AI doesn't answer those questions. But by handling the layer below them, it gives human reviewers the space to actually ask them, which is closer to what code review was always supposed to be.
THE REAL SHIFT
AI is not removing craftsmanship from code review. It’s changing where that craftsmanship is applied. The goal was never just to protect coding standards or catch small syntax mistakes. The real goal is to build reliable systems and good products.
AI can help reduce repetitive review work, while human reviewers focus more on judgment, system design, and product thinking.
Conclusion
The Human Reviewer Hasn’t Left. They Got an Assistant.
The story at the beginning of this blog, the Thursday afternoon approval and the Monday morning production issue, is not unusual. These kinds of mistakes existed before AI review tools, and they will continue to exist after them. Human reviewers get tired, overloaded, distracted, and sometimes miss things while balancing deadlines, meetings, incidents, and feature work all at once.
What AI review really does is raise the floor.
Many of the obvious problems, forgotten null checks, unsafe patterns, unhandled async errors, inconsistent logic, and common security mistakes, can now be caught before a human even opens the PR. That is genuinely valuable. Teams using these tools well are already seeing faster reviews and fewer mechanical bugs reaching production.
But the ceiling is still human.
AI does not understand product goals, team history, business trade-offs, or why certain architectural decisions were made. It can analyze code, but it cannot fully understand the bigger context around the system. It cannot replace the reviewer who notices that a solution is technically correct but still the wrong choice for the product or the architecture.
The best teams will not use AI to replace human review. They will use it to reduce repetitive work so engineers can spend more time on judgment, architecture, scalability, and product thinking.
The PR is still yours. The bot just joined the thread.
AI review is a very capable first pass. But the second pass is still on us.
Frequently Asked Questions
What is AI code review?
What is the difference between AI code review and traditional linting?
Traditional linters check code against a fixed set of rules, syntax errors, formatting standards, unused variables. AI code review goes further: it understands what a function is trying to do, recognizes patterns that have historically caused bugs, and can analyze how a change interacts with surrounding code. A linter checks whether code follows rules. An AI reviewer checks whether code is likely to work correctly.
Can AI code review replace human code reviewers?
No. AI code review works best as a first pass, catching pattern-based issues before a human reviewer opens the diff. What AI cannot do is understand our product's business logic, team's architectural decisions, or whether a technically correct solution is actually the right one for the system. Human judgment remains essential for anything beyond mechanical correctness.
What are the risks of relying too heavily on AI code review?
The biggest risk is false confidence, teams treating AI approval as a signal that code is safe to ship. AI tools have no awareness of your product requirements, team conventions, or production environment. A PR can pass AI review and still contain the wrong solution to the right problem. Over-reliance also risks eroding the mentorship layer of human review.
How should engineering teams integrate AI code review into their workflow?
The most effective approach is to use AI review as a mandatory first pass that runs automatically on every PR push, followed by a required human review before any merge. The team should define explicitly what AI review is responsible for (pattern-based issues) and what human review is responsible for (business logic, architecture, product alignment). AI approval should never be treated as a merge signal on its own. The key rule is: AI approval is a prerequisite for human review to begin, not a replacement for it.
06/07/2026