New here? Start with the worked example.

15-Minute AI PR Review Checklist

15-Minute AI PR Review Checklist

Use this when a pull request was substantially generated or modified by an AI coding agent.

This is not a replacement for human accountability. It is a fast review pass for the failure modes that show up when AI-generated code looks polished before anyone has inspected it closely.

0. The 60-Second Context Check

Before reviewing code, answer these three questions:

  1. What was the agent asked to do?
  2. Which files did it change?
  3. What would break if the agent misunderstood the task?

If you cannot answer all three, stop and request more context before reviewing.

1. Scope Drift - 2 Minutes

Look for changes outside the requested task.

Check:

Slow down if the PR is broader than the task.

2. Behavior And Edge Cases - 3 Minutes

Read the core changed path.

Ask:

Slow down if the code only handles the happy path.

3. Security And Data Risk - 3 Minutes

Scan for:

Slow down if security-adjacent code changed without explicit tests.

4. Test Reality - 2 Minutes

Do not just check whether tests exist.

Ask:

Slow down if tests look performative.

5. System Fit - 2 Minutes

Ask what the agent may not have seen.

Check:

Slow down if the code compiles locally but changes a contract elsewhere.

6. Agent Self-Review - 2 Minutes

Paste this into the coding agent before final human approval:

Review your own changes as if they were submitted by another developer. Focus only on likely defects, security risks, missed edge cases, stale tests, and scope drift. Do not praise the code.

Return:
1. The three highest-risk assumptions in this PR.
2. Any changed behavior not covered by tests.
3. Any security, auth, data, migration, or compatibility risk.
4. The smallest additional check or test that would most reduce risk.

Slow down if the agent identifies a real risk the PR has not addressed.

Merge Decision

Merge only if:

Revise, split, or escalate if:

Reviewer Note Template

AI PR review result:

- Scope drift: none / minor / material
- Security or data risk: none / needs follow-up
- Test confidence: low / medium / high
- Integration concern: none / needs follow-up
- Decision: merge / revise / split / escalate

Main reason:

Reminder

AI-generated code is still your code once it merges. The checklist exists to make that responsibility easier to discharge, not to move it onto the tool.