Brandon Gubitosa
June 04, 2026
10 min read
Share
Cut code review time & bugs by 50%
Most installed AI app on GitHub and GitLab
Free 14-day trial
AI-generated code is outpacing review. Harness engineering is the discipline of building the system around the model so an AI coding agent can work safely and coherently in production: the filesystem, sandbox, curated tools, context engineering, plan-and-verify, and memory. Most teams build most of that system. They are much less consistent about verification, and that is what decides whether the rest works.
A complete harness spans four rings. Most production harnesses run most of them. Verification is often the part that gets the least attention.
This piece lays out the four rings, names the code verification problem that shows up across customer deployments, and explains how to close it.
The harness matters more than the model because the model does not work in isolation. A senior software engineer doesn't write code in isolation. They have a filesystem, a shell, tests, linters, and a working memory of how the codebase fits together. Take any of those away, and the quality of their work drops, even if their skill stays the same.
The same applies to an AI agent. Picking a better model gets you marginal gains. Building a better harness around the model you have gets you order-of-magnitude improvements.
Compare three review configurations on the same task. A diff-only harness sees only the changed lines and misses bugs that depend on cross-file context. An all-code harness sees the entire codebase, finds more bugs, but burns 10 times the tokens.
A targeted harness picks the right files, runs the right tool, and gets the right answer. It beats both the diff-only and all-code versions on accuracy while using a fraction of the tokens.
Same model, same task. The harness changes the result.
Verification is the harness layer that catches what the agent gets wrong before the change moves downstream. It's where customer deployments most often have a weakness, and it's the layer that determines whether you can ship.
Oversight breaks when code generation speeds up, but verification does not. At Salesforce, the engineering team adopted AI coding tools, and code volume jumped approximately 30%. Pull requests (PRs) regularly grew past 20 files and 1,000 lines. Review time on the largest PRs flattened or fell, which meant reviewers were spending the same time on much bigger changes. They were no longer meaningfully engaging with the diffs in any real way.
The problem shows up in both survey data and platform data. The Stack Overflow 2025 Developer Survey, with more than 49,000 respondents, found 84% of developers use or plan to use AI tools, and 51% of professional developers use them daily. Yet 46% distrust AI tool accuracy, and only 33% trust it. The 2025 DevOps Research and Assessment (DORA) report similarly found that AI adoption pushed throughput and product performance up, but delivery stability down. AI speeds up the pipeline, and the instability shows up downstream.
The OpenAI Codex team named the code verification problem in December 2025. As autonomous coding systems spread, code volume outpaces what humans can review carefully, and the gap raises the risk of serious bugs and security holes.
CodeRabbit's State of AI vs. Human Code Generation report puts numbers on the problem. Across 470 PRs, AI-co-authored changes averaged 10.83 issues per PR. Human-only code averaged 6.45. Security issues showed up 1.57 times as often in AI PRs, and cross-site scripting (XSS) issues showed up 2.74 times as often. AI produces more code, and more of that code needs careful review.
Two failure patterns show up when the harness has no verification layer.
The first pattern is volume failure. Reviewers wave through large AI-written PRs they can't meaningfully engage with. Salesforce's reviewers showed this pattern.
The second is correctness failure at scale. AI agents produce the same kinds of bugs humans do, just at a much higher volume.
An AI agent executed destructive operations on a production database without anyone telling it to. In a separate case, a Claude Code agent ran a destructive infrastructure command on a live production environment and erased 2.5 years of student submission data at DataTalks.Club. In both cases, the teams added guardrails after the failure instead of building them in beforehand. The harness assumed verification was happening, and it wasn't.
The harness organizes into four rings: computer, context, orchestration, and learning, with verification distributed across the middle two. This structure is easier to reason about than a flat list of components.
The agent's working environment: filesystem, shell, sandbox, and a curated set of tools. A dozen tools, not a hundred. Every tool definition costs tokens, and overlapping tools confuse the model.
What the agent knows about the change in front of it. Show the agent metadata first and load full details only when it asks for it. Write long tool output to disk instead of stuffing it back into the context window. The cost metric that matters in production is prompt cache hit rate. If stable parts of the prompt aren't getting cached, long agent runs get too expensive to scale.
How the agent's work stays coherent across turns. Sub-agents handle parallel work. Plan-and-verify loops decompose tasks and run tests after every step. Hooks fire deterministic checks before merge.
This is where verification lives. The agent plans an action, then checks the result before continuing. If you only verify at PR-submission time, you're catching the problem twenty steps after the agent introduced it.
How the harness gets sharper over time. Memory files the agent reads on every start and edits as it learns. Reflection over old runs to distill what worked into reusable skills, prompts, or memory.
If you're running this stack, your job is to make sure each ring fires. Most production gaps live in the orchestration ring.
Teams close the verification problem by making standards run automatically before human review. freee saw this when engineers using AI coding agents produced more PRs than human reviewers could absorb.
Over the last six months, the team saved 32.8 weeks of reviewer time by writing their conventions into CodeRabbit so the same checks ran on every PR automatically. When output scales faster than review, verification becomes the bottleneck. The fix is to make the standards execute themselves.
Kiran Kanagasekar, Senior Engineering Manager at Taskrabbit, figured out the order before most teams did. "Writing code faster was never the issue; the bottleneck was always code review." Taskrabbit fixed review turnaround before adopting AI coding agents, cutting time to merge by 25%. The verification layer came first. The rest of the harness had something to push code through.
Deterministic rules run first. Semgrep custom rules, defined in .semgrep.yml and running in CI, catch known anti-patterns before a human sees the diff. Humans write the rules; AI helps fix the violations the rules catch.
Policy gates close what deterministic rules miss at the infrastructure level. Open Policy Agent (OPA) with Conftest, per the OPA docs, reads infrastructure configs as JSON, checks them against Rego policies, and blocks merges that break the rules.
AI code review catches the contextual issues that pattern-matching can't reach. CodeRabbit's State of AI report found logic and correctness issues were 75% more common in AI PRs, and AI-generated code introduced about 1.7 times the defects of human-only code overall. Static analysis can't see most of that: business logic errors, cross-file dependency violations, and conventions the team agreed on six months ago. AI review reads the change against the codebase, the linked tickets, and the team's prior decisions.
Dual-surface scanning catches what IDE plugins miss. AI agents often write code outside the IDE and push directly to version control. If your guardrails only run inside the IDE, those commits slip through. Scan in the IDE and again in the CI pipeline, using the same rule set in both places.
Human review runs last, focused on design and architectural judgment, freed from the volume of issues the first three layers already handled. Will Larson, CTO at Imprint and author of An Elegant Puzzle, puts it plainly. Humans stay central to review; the agent assists. Review is also a learning loop, and that learning is part of its value. The harness exists to keep the loop tight, not to replace it.
Each layer reduces the surface area the next layer needs to cover. Deterministic catches the obvious. Policy gates catch the structural. AI review catches the contextual. Humans catch the strategic.
That's the verification layer running at full coverage.
CodeRabbit is the verification layer in an agentic SDLC. It reads the change against the codebase, the linked tickets, and the team's prior decisions. It also runs more than 40 bundled linters and static application security testing (SAST) tools inside a sandboxed review pipeline. Pre-Merge Checks enforce plan-and-verify on every PR. Learnings and path-based rules encode the team's conventions so the standards stick as the codebase grows.
Abhi Aiyer, CTO at Mastra, put the result of that loop simply. "CodeRabbit is the only tool that I trust after fully autonomous coding loops."
Abnormal AI shows what that looks like in practice. CodeRabbit pulls in Abnormal's internal markdown policy files automatically. Abnormal doesn't maintain any CodeRabbit-specific configuration on top. In the last 30 days, Abnormal hit a 65% acceptance rate on critical-severity comments and saved more than 100 hours of reviewer time.
If you're an EM or VP shipping AI-generated code and your review queue is growing faster than your team is, the problem is in your harness, not your model. Audit the four rings. The computer ring is usually fine. The context and learning rings are improving. The orchestration ring is where most teams find the surprise: the verification layer they thought was running was really just CI plus reviewer goodwill.
Pick one verification problem and close it this quarter. Deterministic rules in CI if you don't have them. A policy gate on the infrastructure changes. AI review on every PR before human eyes touch it.
The teams that ship AI velocity without losing oversight built harnesses designed for verification from the start. The better model came second.
Ready to build verification into your harness? Get a 14-day free trial of CodeRabbit today.
