Brandon Gubitosa
June 16, 2026
9 min read
June 16, 2026
9 min read
Share
Cut code review time & bugs by 50%
Most installed AI app on GitHub and GitLab
Free 14-day trial
A coding agent workflow is the end-to-end loop an engineering team runs when AI agents help write code: plan, generate, verify, merge.
The boundary between the code-writing step and the code-checking step controls the risk. Get that boundary wrong and you ship faster into a wall. Get it right and you have a development loop that scales as agent volume rises.
A coding agent workflow moves through spec, plan, implementation, test, code review, and merge. Two steps stay human. Plan approval comes before the agent writes code, and PR review comes before merge. Everything between those two steps is automation.
Start in planning and refine the plan until it's explicit. Generate code only after the plan is approved. Then automated lint checks run first, a deeper review runs before the pull request opens, and a final pass checks the PR against a checklist before merge.
Keep the agent that reviews code separate from the agent that writes it. The agent that writes code has every reason to produce something that compiles and moves on. A reviewer's only job is to find what's wrong.
Collapse both roles into one agent and the review step stops working. The same agent that wrote the code now signs off on it, so it tends to wave its own mistakes through.
Agent-driven PR volume puts review capacity under pressure.
Review time climbs once AI-generated PRs outnumber what reviewers can keep up with, especially as the PRs get bigger and harder to read. Teams push more changes to merge with less real review.
At freee, adding AI-powered code review saved the team 32.8 weeks of reviewer time in the last six months. What freee ran short on was reviewer attention, not engineering time.
The DORA 2025 report (DevOps Research and Assessment), based on roughly 5,000 survey responses, found that AI adoption helps teams ship faster but makes their delivery less stable. Higher adoption also brought more deployment instability and more work afterward on auditing, testing, and verification. DORA calls AI an amplifier. It magnifies a team's existing strengths and its existing weaknesses.
In the State of AI report, CodeRabbit's review of 470 PRs found AI co-authored pull requests averaged 10.83 issues per PR versus 6.45 for human-only PRs. But the average hides the worst cases.
At the 90th percentile (the worst 10% of PRs), AI PRs hit 26 issues versus 12.3 for human-only PRs, a 2.11x gap. Review queues don't break on the average PR. They break on the rare giant ones.
Picture the reviewer who opens a 40-file agent PR at 5pm. The easy ones already cleared. This is the PR that hides a regression, and it lands when attention has run out.
When agents raise PR volume and each PR carries more issues, a team would need far more review capacity just to keep bug rates from rising. Most teams can't add reviewers that fast.
The biggest blind spot in AI-generated code is readability and maintainability. Security scanners miss it entirely.
Run static analysis on AI-generated code and you find plenty of code smells, the naming and structure problems that make code hard to maintain over time. Security scanners are a different kind of tool. Static application security testing (SAST) looks for vulnerability patterns, not bad names or weak structure, so these maintainability problems slip right past it. A CodeRabbit review of AI-authored and human-only pull requests found AI-authored PRs had more issues overall, and more security issues specifically. If you only watch AI output for security bugs, you miss the maintainability cost, and it builds with every PR.
The State of AI report also found code readability issues were more than 3x more common in AI PRs. That kind of debt builds up faster than a security dashboard will ever show you.
Comprehension debt is code you can't understand well enough to know whether it needs rewriting. Regular technical debt is code you know needs rewriting. Comprehension debt is code where you can't even tell.
An agent writes in 30 minutes what takes far longer to read carefully. How long would it take you to read that output closely enough to trust it? Most reviewers won't spend that time, so the naming and structure problems a careful review would catch slip through.
Standards drift when you update your conventions in one place but not everywhere the agents read them. After that, different tools generate code to slightly different rules. Both versions can still pass the linter.
SAST won't flag style or convention drift either. At Common App, AI-powered review caught a race condition the team's previous tooling missed, and cut review time by 35%.
CodeRabbit reads the same convention files your agents do and checks every PR against them. The standards your team agreed on get enforced at review time instead of drifting quietly.
AI agents produce the same familiar security bugs as human developers, just more often. So the question that matters is where in the workflow you catch them.
Security studies of AI-generated code keep finding the same familiar flaws, the kind that show up on the OWASP Top 10, the standard list of common web-app security risks. A Cloud Security Alliance research note found higher rates of security issues in AI-authored PRs, and reported those PRs carry about 1.7x more issues overall than human-only ones.
The same 470-PR review found AI PRs had more security issues than human-only PRs.
OWASP points the same direction. Its excessive-agency guidance tells teams to enforce limits like access control in their own application code rather than trusting the model to do it.
Production governance for agents comes down to a single rule. Every agent change goes through the same PR gate humans already use. An InfoQ panel with engineers from Intuit, FICO, and others describes the same approach. They build one shared platform that handles security, compliance, observability, and monitoring for every team. The payoff is speed, since no team rebuilds the same controls, and auditability, since regulators want consistent evidence.
The controls start with identity and boundaries. Each agent gets a short-lived token scoped to its task, and boundary rules block it from committing straight to main. Reasoning separation adds a checkpoint. The agent proposes an action, and a policy layer approves or blocks it before anything runs.
Audit log guidance closes the loop. It says to record every step the agent reasoned through and every action it took, each with a timestamp.
If you enforce standards across many repos, CodeRabbit's Path Instructions and Code Guidelines keep the review rules in the codebase itself, not in people's heads. That matters when code reaches the PR gate from many different tools but still has to meet one standard.
Homegrown review scripts and CI gates stop scaling once agent volume gets high enough that reviewers tune out on big diffs.
Code volume rises, diffs get bigger, and review quality drops. On the largest changes, reviewers stop looking closely. The old human-paced workflow breaks.
Building review in-house comes with hidden costs. You end up maintaining cost controls, risk tiers, and context-window management on top of the review logic itself. A dedicated review agent handles all of that for you. At Writer, an AI-native company facing this exact choice bought instead of building and cut review time by 30%.
Verification also has to move earlier, so the PR gate isn't the first real check.
Context engineering means pulling in the whole picture. The review reads related files, linked issues, and lint signals, not just the changed lines. An arXiv paper on automated code review maps where review automation succeeds and fails. Scripts that read only the diff miss anything that depends on other files, and they can't tell whether a change fits the architecture.
Those cross-file mistakes are exactly what diff-only scripts miss. So the buy case gets stronger as agent volume rises, because your own scripts can't match the depth of context engineering that good review now needs.
CodeRabbit's context engineering does this for both pre-PR and PR review. It combines Codegraph, your integrations, linked issues, and 40+ linters to build the cross-file view diff-only scripts can't.
Agents write code at a pace no human team can review by hand. The workflow that survives that pace keeps two human gates that don't move, plan approval and PR review. Between them, it runs automated checks and a review layer with enough context to catch what linters and SAST tools were never built to find.
The speed gains are real. So is the cost in stability. We want the speed without letting the instability erase it, and that is the job of the verification layer.
Cut code review time & bugs by 50%. Most installed AI app on GitHub and GitLab. Free 14-day trial. Get Started.
