Tinker AI
Read reviews
intermediate 6 min read

AI as a code reviewer: where it helps, where it's noise

Published 2026-05-11 by Owner

Code review has two jobs: catch problems before they ship, and share understanding across the team. AI tools have gotten genuinely useful at the first job — for a specific, narrow slice of it. They are not useful for the second job at all. The failure mode is treating them as a single answer to both.

This guide covers what AI reviewers actually catch, what they consistently miss, and a workflow that gets value from both AI and humans without burning goodwill on false positives.

What AI catches well

AI review tools — GitHub Copilot code review, CodeRabbit, Sourcery, or asking an LLM to “review this diff” directly — perform well on a reliable category of problems:

Typos in identifiers. recieve, lenght, settimeout. These slip through spell-checkers because they’re valid in some context. An LLM scanning a diff spots them nearly every time.

Simple off-by-one errors. A loop using <= arr.length instead of < arr.length. An array slice that loses the last element. These are pattern-matching problems the model handles well.

Missed null checks. Calling .length on something that might be undefined. Optional chaining that stops one level short. An AI reviewer flags these with reasonable accuracy.

Basic security anti-patterns. SQL string interpolation that should be parameterized. A console.log that prints an auth token. Math.random() used where crypto.randomUUID() belongs. The model knows these anti-patterns from training data and will name them.

Missing error handling on async calls. A fetch() with no .catch() or no check on the response status. An await without a try/catch in a context where the caller doesn’t handle rejections. AI reviewers are consistent here.

Duplicate logic. A function that does the same thing as an existing utility three files away. Not always — the model doesn’t see the whole codebase — but when the duplicate is visible in the diff’s import context, it catches it.

These are not trivial catches. The typo-in-identifier bug that costs thirty minutes of debugging, the null check that causes a production incident — these happen on real teams. The value is in the consistency: an AI reviewer applies the same attention to every PR, at 2am, on the tenth PR of the day, when a human reviewer’s eyes are glazed.

What AI consistently misses

The flip side is harder to summarize, but there’s a pattern to it: AI misses anything that requires understanding outside the diff.

Architecture. “Is this the right abstraction?” is unanswerable from a diff alone. Whether a new UserPermissionsManager class should exist, or whether it’s duplicating a pattern that already lives three modules over — that requires knowing the codebase, knowing the trajectory, knowing the conversations about design that happened six months ago. No amount of context window solves this. The model doesn’t know what it doesn’t see.

Intent. “Is this solving the right problem?” is a product question wrapped in an engineering question. A PR that correctly implements a feature the spec didn’t ask for, or implements the right feature in a way that closes off the next four features — AI won’t surface either problem. It reviews what the code does, not whether the code should do that.

Taste. Every codebase has a voice. How errors are handled, how functions are named, how much gets abstracted versus left inline, which utility functions are canonical. Taste is learned from reading thousands of lines of the specific codebase. A model with a generic view of “good TypeScript” will suggest patterns that are locally wrong — not buggy, just off.

Missed requirements from spec. “This doesn’t handle the case where the user has no payment method on file” — that requires knowing what the spec said. If the requirement is in a ticket the model can’t see, the review won’t catch the gap.

Organizational context. A PR that’s “technically correct but we decided not to go that direction in the architecture meeting last Tuesday” — AI has no access to that signal. The correct response to such a PR is a context-sharing conversation, not a code comment. AI can’t have that conversation.

A useful heuristic: if the comment requires reasoning about code that’s not in the PR, AI won’t catch it. Human reviewers catch it because they’ve been in the same codebase for months.

The pair-review workflow

The workflow that actually works is AI first, human second — with a clear division of labor.

AI first pass: Before a human reviewer looks at a PR, run it through an AI reviewer. The goal is to surface the mechanical issues (typos, null checks, basic security patterns) so the human reviewer’s attention isn’t consumed by things a tool should catch. A human who spends mental energy correcting recieve to receive is spending less mental energy on whether the new caching layer will cause correctness issues under concurrent load.

Human second pass: The human reviewer starts with the AI’s comments already addressed or explained. Now they can focus on the things only a human can catch: does this fit the codebase design, does this close off future flexibility, does this solve the actual problem, does this match the spec.

The mental model for AI in this workflow: a thorough colleague who catches the small stuff reliably, but who hasn’t attended any of the architecture meetings and doesn’t know the product roadmap. Valuable in that specific role, not a substitute for the colleague who has.

One concrete improvement this enables: human reviewers can skip defensive scanning and spend the full review budget on reasoning. A typical human code review splits attention between “did I miss a typo” and “does this fit the system.” Offloading the first category means the second category gets more of the reviewer’s working memory.

Here’s what this looks like in practice with CodeRabbit on a mid-sized PR:

Automated review (CodeRabbit) flagged:
  - Line 47: potential null dereference on `user.profile.avatarUrl`
  - Line 83: `setTimeout` used with magic number 5000, suggest named constant
  - Line 112: SQL-style string concatenation in Knex query, use parameterized form

Human reviewer (15 min later):
  - Approved the null check fix and constant extraction
  - Flagged: this caching strategy won't work once we add multi-tenancy (line 34–60)
  - Flagged: spec says the fallback should use the org's default avatar, not null

The AI caught three real issues in seconds. The human caught the two issues that would have caused production incidents — and neither was visible in the diff alone.

The anti-pattern: when AI’s fix breaks things

There’s a specific failure mode worth naming: AI suggests a change that looks correct and introduces a regression because it misread the original intent.

Example. An AI reviewer flags this:

// Before (flagged by AI)
if (user.deletedAt != null) {
  return null;
}

Suggested fix: use strict equality.

// AI suggestion
if (user.deletedAt !== null) {
  return null;
}

The suggestion is mechanically reasonable — != null vs !== null. But the original code was intentional: != null checks both null and undefined, because the ORM returns undefined for unset nullable fields in this codebase. Changing it to !== null makes the guard miss undefined, which means soft-deleted users start appearing in queries.

This is a hard failure mode because the AI’s comment is confident, the reasoning sounds correct, and the reviewer who approves it doesn’t know the ORM behavior without checking. The bug ships.

The mitigation is not “never accept AI suggestions.” It’s: when accepting a suggestion that changes behavior (not just style), verify the original was not intentional. A one-line comment explaining != null is intentional would have prevented this. AI reviewers can’t write those comments; humans can.

There’s a version of this anti-pattern with performance, too: AI suggests replacing a loop with a .reduce() because the latter looks more idiomatic, missing that the original loop exits early on the first match and the .reduce() version doesn’t. Same shape — a correct-looking suggestion that changes semantics.

Rate-limiting AI comments

The most important operational constraint for AI code review is comment volume.

Three bad comments on a PR, and reviewers start ignoring all comments. This is not a hypothesis — it’s what happens on teams that enable AI review with default settings. The AI flags a minor style inconsistency, a pattern that’s actually intentional in this codebase, and a potential issue that’s already handled three calls up the stack. The comments are low-signal. The reviewer learns to scan past them. Then the AI catches a real null dereference, and the reviewer scans past that too.

Quality beats quantity by a significant margin. One well-targeted comment about a genuine bug has more impact than fifteen comments that require explanation or pushback.

Practical controls that help:

Configure severity thresholds. Most AI review tools let you set a minimum severity — only flag errors and warnings, skip informational suggestions. Start there. Informational comments are where the noise lives.

Domain-specific suppressions. If your codebase intentionally uses a pattern the AI always flags (a != null style convention, a library-specific pattern that looks like an anti-pattern), add it to the tool’s ignore list or add a comment that suppresses the rule. Don’t let the same false positive appear on every PR.

Review the tool’s hit rate periodically. For one sprint, tag every AI comment as “valid,” “invalid,” or “ambiguous.” If more than 30% are invalid or ambiguous, the tool is producing noise and the signal-to-noise ratio is hurting review culture. Either tighten the configuration or drop the tool.

Limit to changed lines. Some tools can be configured to only comment on lines in the diff, not on surrounding context. Enforcing this cuts comments dramatically without losing coverage of what actually changed.

The goal is a reviewer who trusts that when the AI flags something, it’s worth reading. That trust is built through a low false-positive rate, not a high comment volume. A reviewer who dreads opening a PR because there are forty AI comments to dismiss is a reviewer who’s drifting toward ignoring all of them.

What this doesn’t change

AI code review doesn’t change what good human review looks like. The human reviewer still needs to understand the system, know the product requirements, hold the codebase’s design history in their head, and push back when something doesn’t fit.

What it changes: the human reviewer gets to those higher-leverage questions faster, because a layer of mechanical issues was handled before the review started. That’s a real productivity gain. It’s not a replacement for review judgment, and treating it as one is how good engineers start shipping bugs they would have caught themselves.

The team that gets this right ends up with reviews that are simultaneously faster and higher quality. Faster because the mechanical pass is free. Higher quality because human attention concentrates on the questions that require a human. That’s the tradeoff worth optimizing for — not “can AI do this whole job?” but “can AI free the human reviewer to do the parts only a human can do?”

#ai-coding #code-review