Confidence: medium. Evidence: production telemetry and controlled study. Last substantive change: 2026-07.
This subsystem owns the gate between a finished change and the mainline: who reviews, how much, and on what evidence a change is allowed to merge.
The conclusion
Review policy should be risk-calibrated. Low-risk changes can be auto-promoted when the evidence is strong, while critical changes need accountable human ownership even when agents perform the technical review. Human review at volume is less reliable than teams assume, so it should be spent where accountability matters, not sprayed across every diff.
How the thinking got here
The starting point was a human reading every diff. Then agents began to pre-review, then automated low-risk review ran at scale, and then context-separated adversarial agent review with policy-weighted merge emerged. Production systems reviewing hundreds of thousands of diffs showed that risk calibration, not universal human review, is what scales.
Credible alternatives, and when each is right
| Approach | Right when |
|---|---|
| Mandatory human review | high-stakes or regulated changes |
| Agent-only review | low-risk, high-volume changes with strong evidence |
| Sampled human audit | maintaining trust in an automated lane |
| Risk-based review | changes span very different blast radii |
| Pairwise or ensemble reviewers | independent perspectives reduce correlated error |
Where it fails and what we still don't know
Failures include correlated reviewer error, collusion between a builder and its reviewer, and merge-queue backpressure when generation outruns review. Evidence is strong for automated low-risk review and clear that human oversight is less reliable than assumed. Open questions include no-review merge outcomes, reviewer independence, change attribution, and safe emergency bypasses.
What would change our mind
Controlled evidence comparing agent-only and human-gated review on the same consequential changes would settle how far the automated lane can safely extend.