Review AI-generated code in timeboxed sprints

Traditional review assumes a human author with intent you can interrogate. AI-assisted output can be locally plausible everywhere and globally wrong on edge cases. Timeboxing forces you to prioritize invariants: auth, concurrency, data boundaries, and tests—before nitpicking style.

Tier A: permissions, money movement, PII, crypto, distributed systems. Tier B: core business logic with weak tests. Tier C: mechanical refactors with strong coverage. Your reading depth and required reviewers should track tiers—not every PR deserves the same ceremony.

If a single “sprint” tries to review a four-thousand-line AI refactor, you are doing theater. Split work: generation sprint, consolidation sprint, review sprint. Smaller diffs reduce the odds you rubber-stamp because fatigue arrived before comprehension.

Minimum: unit tests for changed behavior, typecheck or compile, and a smoke path for user-visible flows when UI changed. AI can write tests—treat tests as part of the generation sprint, not a separate optional pass.

Start with data invariants and error handling, then control flow, then naming. Style last—formatters exist. If you start with style, you will run out of attention before correctness.

Reject when the change mixes unrelated concerns, lacks tests for new branches, or hides behavior behind clever abstractions you cannot explain in one paragraph. “Reject” is not moral judgment—it is refusing to merge ambiguity into production.

Publish a team default: maximum AI-generated diff without design note, required pairing for Tier A, and explicit labeling in the PR body when assistants were heavily used. Transparency reduces guesswork and blame after incidents.

Mechanical rename across modules: Tier C if tests cover behavior. Review sprint focuses on import paths, missed references, and CI green—style nits last. If the diff explodes, split into two PRs even if the AI “could do it in one go.”

Auth change suggested by a model: Tier A. Require explicit threat model notes: session fixation, CSRF, token lifetimes, and rollback. If the PR cannot explain those in plain language, it is not ready—regardless of how confident the prose sounds.

Generated tests that pass immediately: suspicious. Spend review minutes ensuring tests assert meaningful behavior, not `expect(true)`. AI can satisfy coverage metrics while failing to protect invariants.

Mixed human and AI commits: label them. Reviewers allocate attention differently when they know which sections were typed under time pressure versus generated wholesale. Transparency reduces unfair blame and unfair trust.

Review AI-generated code like flight checks: risk tier, diff budget, tests, invariants—then stop when the box ends. Speed without bounded review is how teams ship subtle bugs at scale.