Code review has always been one of the most valuable practices in software engineering, not just for catching bugs, but for sharing knowledge, maintaining standards, and building collective ownership of the codebase. With AI-generated code becoming a significant portion of what gets reviewed, the practice needs to evolve.

The fundamental shift is this: when a human writes code, the reviewer can assume the author understood what they wrote and made deliberate choices. When AI generates code, that assumption doesn't hold. The reviewer's job changes from "verify that a competent colleague made reasonable choices" to "verify that a probabilistic text generator produced correct, secure, maintainable code." That's a harder job, and it requires different skills.

What Changes

You're reviewing for understanding, not just correctness. The most important question in an AI-assisted code review isn't "does this work?" It's "does the person submitting this understand why it works?" If the answer is no, the code is a liability regardless of whether it passes tests. Code that nobody understands is code that nobody can maintain.

Plausible errors become more common. AI-generated code tends to be syntactically correct and structurally reasonable. The errors are subtle, a security vulnerability that looks like a standard pattern, a race condition hidden in otherwise clean concurrent code, an API call that almost matches the real API but uses a deprecated or non-existent parameter. These require more careful attention than the obvious errors that human-written code typically contains.

Hallucinated dependencies need checking. AI models sometimes reference libraries, functions, or APIs that don't exist. Reviewers need to verify that all dependencies are real, current, and appropriate. This is a new category of review that didn't exist before AI code generation.

Licence compliance becomes a review concern. AI models trained on open-source code may generate output that's substantially similar to copyleft-licensed code. Reviewers need awareness of this risk, even if they can't catch every instance.

Pattern consistency matters more. AI-generated code often introduces patterns that are valid in isolation but inconsistent with the rest of the codebase. Over time, this inconsistency makes the codebase harder to navigate. Reviewers need to enforce consistency more actively.

New Skills for Reviewers

The skills that make someone a good code reviewer are evolving:

Sceptical reading. The ability to read code with healthy scepticism, not assuming that because it looks right, it is right. This has always been valuable, but it's now essential.

Security awareness. AI-generated code can introduce security vulnerabilities that follow common patterns. Reviewers need enough security knowledge to spot the most common issues, injection vulnerabilities, authentication bypasses, insecure defaults.

Architectural judgement. The ability to evaluate whether AI-generated code fits the broader system architecture, not just whether it solves the immediate problem. AI optimises locally; humans need to think globally.

The courage to reject. If a reviewer doesn't understand the code well enough to be confident it's correct, they should reject it, even if it passes tests, even if the submitter says "the AI generated it and it works." "I don't understand this well enough to approve it" is a valid and important review outcome.

Process Adaptations

Require understanding attestation. The person submitting AI-generated code should be able to explain what it does and why. If they can't, it shouldn't be submitted for review, it should be rewritten until they can.

Increase review thoroughness for AI-heavy PRs. Consider flagging PRs that contain significant AI-generated code for more thorough review. Not as a punishment, but as a recognition that these PRs carry different risks.

Invest in automated checks. Static analysis, security scanning, dependency verification, and licence compliance tools become more valuable when code generation is faster. They catch the mechanical issues, freeing human reviewers to focus on the judgement calls.

Review the tests, not just the code. AI can generate tests as well as code, and AI-generated tests can have the same subtle issues. A test that passes but doesn't actually verify the right behaviour is worse than no test at all, because it creates false confidence.

The Bigger Picture

Code review in an AI-augmented world is more important, not less. It's the primary mechanism for ensuring that the speed of AI generation doesn't outpace the team's ability to maintain quality, security, and understanding. The teams that invest in evolving their review practices will ship faster and more safely. The teams that don't will accumulate debt that eventually slows them down far more than the AI sped them up.