« All posts

A Practical Checklist for Reviewing AI-Generated Code

Why AI-generated code fails differently than human code, and a prioritized checklist covering hallucinated APIs, missing invariants, and security defaults.

AI-generated code fails in different places than human-written code — and that breaks the usual review instinct. Because models optimize for fluency, a subtly wrong function reads exactly as smoothly as a correct one, so 'it reads clean' stops being a useful signal for reviewers.

This piece organizes review priorities into three risk tiers ordered by cost of error rather than frequency: hallucinated APIs and function signatures that look plausible but don't exist, missing domain invariants like tenant scoping or ownership checks that live only in a team's head and never in training data, and recurring insecure defaults the model absorbed from public code (string-built SQL, permissive CORS, missing input validation). Catching the first category is mechanical — let the compiler and type checker do the work instead of eyeballing it. The second and third require deliberately testing against what isn't written, not what is.

For engineering teams scaling AI-assisted development, this reframes code review as a distinct discipline: attention should be spent where being wrong is expensive, not where the code merely looks messy — because with AI output, nothing looks messy until it breaks in production.