AI Code Review: Who Checks the Agent?

A pattern I see creeping into client codebases is AI-written, AI-reviewed code. The author is Claude. The reviewer is also Claude. The bugs that slip through are the ones both agents happen to share. This is the subtle failure mode of agent-heavy workflows, and it's worth being deliberate about.

Where AI Review Works

AI review is genuinely useful for:

• Mechanical checks (style, obvious bugs, missing error handling)
• Consistency with an existing codebase
• Test coverage gaps
• Security patterns (unsanitized inputs, leaked secrets)

These are cases where the review is pattern-matching against known-good rules. The reviewer isn't making judgment calls.

Where AI Review Fails

AI review fails on:

• Business logic correctness
• Whether the chosen approach is the right one
• Performance characteristics under real load
• Long-term maintainability

These require context the agent doesn't have: user behavior, production data, team skill level, future plans.

The Rule I Use

AI reviews the small stuff. A human reviews the medium stuff. The client's production traffic reviews the big stuff. Each layer catches what the previous one can't. If any layer is missing, bugs leak.

Pre-commit:       agent code review (style, obvious bugs)
Before merge:     human review (business logic, approach)
In production:    monitoring (real-world behavior)

The Discipline

Never let both author and reviewer be the same agent. Use different models, or a human, or a delayed second pass. The discipline is cheap. The cost of missing it is subtle bugs that both agents missed because they shared the same blind spot.