AI-assisted review, testing & anti-patterns
Add AI as an independent signal inside the review process teams already trust.
The PR is the unit of trust
After this you can explain why the pull request, not the diff or the chat transcript, is the auditable unit an enterprise trusts.
Everything an AI writes is a draft until it lands as a pull request.
The PR is where intent, change, evidence and human accountability fuse into one reviewable, revertable, auditable artifact. Internalize one idea from this module and make it the unit of trust is the PR. Not the diff. Not the chat transcript. Not the agent run.
Why the PR and not the commit or the agent output? A PR is the smallest object that carries all four things an enterprise needs at once:
- A bounded scope (blast radiusHow much breaks if a change goes wrong; the scope of potential damage. you can reason about).
- A description (the intent and the why).
- A set of checks (the evidence).
- An approval (the human who is now accountable).
A raw agent transcript has none of these as durable, queryable records. Picture your ITGCIT General Controls. The baseline IT controls auditors check: who can change what, how changes get approved and how systems are run. auditor six months from now, pulling that PR and asking three things:
- Who approved this?
- What did the checks say?
- Does the description match the diff?
AI changes who drafts the code. It must not change how code lands. The pipeline that protects production stays exactly the same whether a human or an agent typed the characters: scoped PR, deterministic checks, independent review, code-owner approval.
Your job as a field engineer is to make AI productive inside that pipeline. Never weaken the pipeline to make AI look productive.
Every author, human or agent-driven, inherits one mandate: the PR must be well-scoped, well-tested and well-described so that nothing downstream changes. Downstream means your reviewers, your CI, your CODEOWNERS routing, your release process, your auditors. Force any of those to behave differently with bigger diffs, weaker checks or skipped approvals and you've leaked the cost of AI velocity onto the parts of the system that exist to contain risk.
- Well-scoped
- One coherent change a reviewer can hold the whole blast radiusHow much breaks if a change goes wrong; the scope of potential damage. of in their head. Refactor and behavior change never ride in one PR.
- Well-tested
- Tests assert the intended behavior, run in CI and would fail if the change regressed. Coverage is an input to the gate, not the trophy.
- Well-described
- Title and body state intent, approach and risk. The description must match the diff. Drift between them is itself a review finding.
- Accountable
- A required human code-owner approves. That signature is the non-collapsible step. AI is a signal feeding it, never a substitute for it.
"AI changes who writes the first draft. It does not change how code earns its way into production. The PR is still the unit of trust and a human code-owner still signs."
Takeaway. The PR is the unit of trust: the smallest object that fuses scope, intent, evidence and an accountable approval into one auditable record.
Self-check
Layered review: AI as an independent signal
After this you can name the five review layers in order and explain why each one must stay independent of the others.
Review is defense in depth, not a single gate. Each layer catches a different class of failure and each one stays independent of the others. The moment two layers share a blind spot, you've spent process without buying safety.
The architecture exists so the cheap, fast, deterministic layers catch the boring stuff. That frees scarce human attention for where it's irreplaceable: design fit, intent, risk and the things only a domain expert sees.
Interactive widget. Tab through its controls; the result updates in the panel below as you change them.
Author self-review → deterministic checks → AI review (independent signal) → specialist review → required human code-owner approval. The code-owner gate never collapses into the others. It is the accountable signature.
- 1Author self-review. Before requesting review, the author reads their own diff line by line. With AI-authored code this is non-negotiable: you are claiming authorship of what the agent produced. Can't explain a line? It doesn't ship.
- 2Deterministic checks. Lint, type-check, build, tests, SASTStatic Application Security Testing. Scanning source code for vulnerabilities without running it., secret scanning, license checks. Reproducible and non-negotiable: same input, same verdict. They are the floor, not the ceiling.
- 3AI review (independent signal). BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. reads the PR fresh and comments inline. It is a second pair of eyes that did not write the code and that independence is the entire point.
- 4Specialist review. Security, SRESite Reliability Engineering. The team and practice that keeps production reliable: monitoring, on-call and incident response., data or domain experts for changes that touch their risk surface. Routed by CODEOWNERS and risk tier, not by vibes.
- 5Required human code-owner approval. The accountable signature. This is the separation-of-duties control: the person who merges is not the person or agent who authored. It never collapses into any earlier layer.
The dangerous shortcut is letting AI review substitute for human approval: "BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. passed, ship it." That collapses two independent layers into one and quietly destroys separation of dutiesNo single person can author, approve and deploy the same change. The core control AI autonomy has to respect..
AI review is an input to the human decision, never the decision. Wire BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs.'s pass as an auto-merge trigger with no code-owner sign-off on risk-bearing code and you've built a control an auditor will flag. Eventually it merges something nobody owns.
Why independence is load-bearingthe core interview point
If the same model that wrote the code also reviews it, the review inherits the author's blind spots and rationalizes the same flawed assumption it baked in. Independence is what makes a second signal worth anything. BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. reviewing an agent's PR is valuable because it brings different context and a fresh read of the final diff. A human code-owner reviewing both is still required, because the human carries accountability and judgment no model layer provides.
Reproducible, binary verdict.
Catch: syntax, types, regressions, secrets, license violations.
Trust property: same input → same output, every time.
Probabilistic, contextual second read.
Catch: logic bugs, edge cases, missing error handling, intent drift.
Trust property: independence. It didn't author the code.
Judgment and accountability.
Catch: design fit, risk, business intent, the unknown-unknowns.
Trust property: the non-collapsible signature. Separation of duties lives here.
Takeaway. Each review layer catches a different failure class and stays independent; the human code-owner gate is the one that never collapses into the rest.
Self-check
QIn the layered review model, which layer must NEVER collapse into the others and why?
Bugbot mechanics and the discipline of tuning
After this you can describe how Bugbot runs, what .cursor/BUGBOT.md buys you and why tuning needs an owner and a cadence.
BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. is Cursor's AI code reviewer. Mechanically it auto-runs when a PR is opened or updated, reads the diff in the context of the repo and leaves inline comments on the specific lines it's worried about. This is not a linter with a fixed ruleset. It reasons about logic, edge cases, error handling and whether the change matches its apparent intent.
As of June 2026, Cursor says BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs.'s average review time is about 90 seconds, down from about five minutes; it costs about 22% less per run and finds about 10% more bugs. That's fast enough to sit in the PR loop without becoming the bottleneck. (Treat the specific percentages as perishable. Verify before quoting in a customer setting.)
The number Cursor's own team quotes most is the issue-resolution rate: across their fleet BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. consistently resolves north of 70-80% of the issues it raises. That's a signal-to-noise statement, not a vanity one. It's the proportion of flagged problems that turned out to be real and got fixed, which is exactly the health metric you want from a reviewer. (Perishable. Verify before you quote it in front of a customer.)
Trust progression: approve-each-fix, then graduate to auto-fixearn autonomy a rung at a time
BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs.'s config lives in an admin dashboard with four knobs worth knowing cold: which repos it operates on, the scrutiny level, whether it runs per-PR automatically or on a manual trigger, and whether it is surface-only or allowed to auto-fix. The recommended rollout is a trust progression: start with auto-fix off so a human approves every proposed fix, watch the resolution rate and false-positive rate, and only graduate a repo to auto-fix once the team trusts the signal. It's the same propose-then-earn-autonomy pattern as the bright line in the next section, applied to a single tool.
The leadership dashboard
BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. also exposes an engineering-leadership view: last-30-days PRs reviewed, issues resolved and automatic fixes merged, drillable down to a specific repo and broken out by severity (high / medium / low). This is the surface that turns AI review from a feature into an ROIReturn on Investment. The value gained versus what it cost, the language an economic buyer funds deals in. story. When a director asks 'is this worth it?', you don't hand-wave. You point at 30 days of resolved high-severity issues per repo. It's also the honest counter to volume metrics: it counts issues resolved, not lines touched.
- Trigger
- Auto-runs on PR open and update, on every push to the PR
- Output
- Inline comments on the exact lines of concern
- Customization
.cursor/BUGBOT.mdholds repo- and area-specific custom rules- Autofix
- Isolated cloud-VM agents propose bounded fixes that humans still review before merge
- Speed (Jun 2026)
- ~90-second average review time; ~22% lower run cost; ~10% more bugs found (verify)
- Resolution
- Consistently resolves north of 70-80% of the issues it raises (verify)
- Dashboard
- Leadership view: last-30-days PRs reviewed / issues resolved / auto-fixes, by repo and severity
Custom rules: .cursor/BUGBOT.mdper-area, checked into the repo
Generic review advice is noise. the impact is .cursor/BUGBOT.md, a checked-in file where a team encodes its hard-won rules:
- "Never call the billing API without an idempotency key."
- "All DB migrations must be backward-compatible for one release."
- "PIIPersonally Identifiable Information. Data that can identify a person (names, emails, SSNs); regulated and sensitive. fields must go through the redaction helper."
Because it lives in the repo and can be scoped per area, the same BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. enforces different standards in the payments directory than in the marketing-site directory. That's how an AI reviewer stops being a generic nag and becomes a guardian of your specific risk tiers.
Autofix and isolated VMspropose, don't presume
When BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. can propose a fix, Autofix spins up an isolated cloud-VM agent to generate the change. It's sandboxed, so fix-generation has no ambient access to your laptop or secrets. Read Autofix correctly in an interview: the win is not automatic merge. The win is AI proposes, human disposes, with a review gate that accepts useful fixes and rejects weak ones.
The single fastest way to kill an AI reviewer's credibility is false positives. Three noisy comments and engineers start reflexively dismissing every BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. comment, including the true one that would have caught the incident.
Tuning is first-class work, not a someday-chore. It needs an explicit owner and a cadence: someone reviews dismissed and ignored comments, sharpens .cursor/BUGBOT.md rules and tracks the signal-to-noise ratio over time. An untuned reviewer is worse than no reviewer. It actively trains your team to ignore review.
Asked 'how do you know BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. is working?', don't cite bugs found. Cite the signal-to-noise trend and the comment-resolution rate, with a named owner and a review cadence. The metric that matters: are engineers acting on its comments or dismissing them?
Bonus credibility: 'tuning has an owner and a cadence' is the same operating discipline you'd apply to any noisy alerting system. False positives are an SRESite Reliability Engineering. The team and practice that keeps production reliable: monitoring, on-call and incident response. problem, not a tooling quirk.
Takeaway. An AI reviewer earns trust through tuning: a named owner, a cadence and .cursor/BUGBOT.md rules; the health metric is signal-to-noise, never raw bugs found.
Self-check
Test generation discipline: assert intent, not implementation
After this you can tell an intent test from a characterization test and decide when mirroring the code is actually correct.
AI is fantastic at generating tests and terrible at knowing what's worth testing. The discipline is the whole game. A generated test that mirrors the implementation is no safety net. It's a tripwire that fires only when you change the code, never when the code is wrong.
Assert intent, not the implementationthe cardinal rule
Here's the classic AI test anti-pattern. The agent writes the function, then writes a test that re-states what the function does line for line. If calculateTax has an off-by-one, the test generated from that buggy function asserts the buggy output and passes forever. A real test encodes the intent: the spec, the business rule, the expected behavior at the boundaries, derived independently of how the code happens to work. A good prompt is "write tests that assert the documented behavior and edge cases of this function." Then you read them and confirm they'd fail against a wrong implementation.
- Mirrors implementation (bad)
- Reads the code, restates its output
- Asserts intent (good)
- Reads the spec or requirement, states expected behavior
- Mirrors implementation (bad)
- Passes even when the code is wrong
- Asserts intent (good)
- Fails when behavior is wrong, regardless of implementation
- Mirrors implementation (bad)
- Breaks on every harmless refactor
- Asserts intent (good)
- Survives refactors; breaks only on behavior change
- Mirrors implementation (bad)
- Generated and merged unread
- Asserts intent (good)
- Generated, then read and challenged by a human
| Mirrors implementation (bad) | Asserts intent (good) |
|---|---|
| Reads the code, restates its output | Reads the spec or requirement, states expected behavior |
| Passes even when the code is wrong | Fails when behavior is wrong, regardless of implementation |
| Breaks on every harmless refactor | Survives refactors; breaks only on behavior change |
| Generated and merged unread | Generated, then read and challenged by a human |
Characterization tests before a refactorpin behavior first
Before you let an agent refactor a gnarly legacy module, write characterization tests first: tests that capture the current observable behavior, warts and all, even behavior you suspect is wrong. This is the one place 'mirror the existing behavior' is correct, because the goal is to pin behavior so the refactor can't silently change it. AI is excellent at this. Point it at the module, have it generate characterization tests across the input space, confirm they pass against the current code, then refactor. A characterization testA test written to pin down current behavior before a refactor, so you notice if the behavior changes. that breaks during the refactor just caught a behavior change you didn't intend, which is the whole point.
Characterization tests answer 'what does this code do today?' You mirror behavior on purpose, as a safety harness for change.
Intent tests answer 'what should this code do?' You derive from the spec, independent of the implementation.
Both earn their keep. Confuse them by writing intent-shaped tests that secretly just mirror the code and you ship a green suite that proves nothing.
Coverage is a gate input, never the goalGoodhart's Law
Coverage is useful as a floor. A PR that drops coverage on a critical module is worth a second look. The moment coverage becomes a target, Goodhart's Law kicks in: "when a measure becomes a target, it ceases to be a good measure." Teams and agents chasing a 90% number generate tests that execute lines without asserting anything meaningful, so coverage climbs while real safety goes flat or down. AI makes this worse: it manufactures coverage-padding tests by the dozen in seconds.
"Coverage tells you what code ran, never whether it's correct. We gate on coverage as a floor and review tests for whether they assert intent. An agent can take any number to 90% - that's exactly why the number can't be the goal."
Takeaway. Generated tests must assert intent, not implementation; the lone exception is the characterization testA test written to pin down current behavior before a refactor, so you notice if the behavior changes., written to pin behavior before a refactor.
Self-check
QCoverage on a team's repo jumps from 60% to 92% the month after they adopt an AI agent, but production incidents don't drop. What's the most likely explanation?
Build your own review skill and de-slop before the PR
After this you can codify a review step as a buildable skill and push quality controls earlier than the PR, before Bugbot ever sees the diff.
BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. isn't the only reviewer you get. You can codify your review step as a reusable skill and you can strip the most common AI failure patterns out of generated code before it ever reaches a PR. The discipline is to move quality controls earlier, not to lean harder on the last gate.
Why this matters now: agent-driven coding generates code at 10x-100x prior rates, so the bottleneck has shifted from writing code to reviewing it. There are far more PRs than humans can read line by line. The answer isn't to read faster. It's to layer cheap, repeatable quality controls in front of human review so the human reads a tight summary of what actually needs a decision, not three million unfiltered lines.
A mini Bugbot you build yourselfa review step as a skill
.cursor/BUGBOT.md tunes the hosted reviewer. A skill lets you build a reviewer of your own that runs locally, in your editor, on your terms. The pattern is simple: write a skill whose instruction is something like "You are an expert code reviewer. Audit this change for X, Y and Z", where X/Y/Z are your team's real risk areas, then set it to run whenever you commit new feature work.
name: feature-review description: Expert code review run after feature work. Audit the diff for missing error handling, untested edge cases, and any call to the billing API without an idempotency key. Report only reproducible findings against the actual diff. auto-run: after feature work that touches src/ or components/
When you create a skill, Cursor asks the three questions that make it governable: where to store it (project, so it's shared and committed, vs user, so it's personal), how to handle conflicts with other skills, and when it should auto-run (after any feature work touching components, only when you explicitly ask, or whenever tests or adjacent source files change). The auto-run trigger is what turns a one-off prompt into a standing review step.
A review skill earns its keep only if it reviews the actual diff and surfaces reproducible findings. Ask it for concrete risks against the change in front of it, then apply only the findings you can reproduce. A skill that lists generic 'best practices' is noise, the same failure mode as an untuned BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs..
Want to know whether your rules are even being obeyed? Install a before-prompt hook that logs which rules are in context, so rule-compliance is auditable instead of assumed.
De-slop at generation timethe layered pre-PR pipeline
Cursor's own engineers run a de-slop skill consistently at generation time, before code reaches a PR. It evaluates model-written code and removes the typical AI slop: generic variable and function names, verbose throwaway comments, overengineering and unnecessary abstraction, bad boilerplate, then standardizes style. It's published on Cursor's public marketplace as a reusable skill, so it's a real, dogfooded example, not a hypothetical.
Stack it and you get a layered pre-PR quality pipeline: de-slop at generation → your review skill / BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. before the PR → human review of a clean diff. Each layer is cheaper than the one after it and each one means the human reviewer spends scarce attention on intent and risk instead of renaming data2 and deleting comments a model left behind.
The strong answer to 'how do you keep quality up at 10-100x code volume?' is layered controls moved earlier, not heroic human review. Name the stack: de-slop at generation, a review skill or BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. before the PR, then humans reviewing a clean diff and a tight summary. The mental model: review, not generation, is the new bottleneck, so you invest tooling exactly there.
Bonus credibility: a review skill and the de-slop skillA shared Cursor skill that strips typical AI-generated tells (filler comments, vague names, over-engineering) and applies house style. are the same primitive (skills) you'd use to encode any team standard, and both are buildable today, one on Cursor's public marketplace.
Takeaway. Review, not generation, is the new bottleneck: build a review skill, de-slop at generation time and layer controls before the PR so humans review a clean diff, not raw volume.
Self-check
QWhen you create a review skill, what three questions does skill creation ask, and which one turns a one-off prompt into a standing review step?
Cursor in CI and the bright line of autonomy
After this you can draw the bright line between 'AI proposes' and 'AI commits autonomously' and run the five-step red-pipeline fix.
Cursor's agent surface now reaches into the CI loop. Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. (shipped in 3.5, May 2026) run in isolated cloud VMs with terminal and browser access, work across multiple repos in parallel and report back asynchronously. An agent can be triggered by a failing pipeline, investigate and propose a fix without a human babysitting the terminal. The CLI gained /debug in 3.1.
That's powerful and it's exactly where the governance question gets sharp.
The bright linepropose vs commit
One distinction decides everything about how you deploy agents in CI.
Agent opens a PR. A human code-owner reviews and merges.
All the existing gates still apply: checks, AI review, approval.
This is the default. It scales without expanding blast radiusHow much breaks if a change goes wrong; the scope of potential damage..
Failure mode is contained. A bad proposal is a rejected PR, not an incident.
Agent merges or deploys without a human in the loop.
Requires explicit governance: narrow scope, low risk tier, audit logging, kill switch, named owner.
Never the default. Justified case-by-case, reversible, observable.
Failure mode reaches production directly, so it's earned, not assumed.
AI proposes is default-safe and should be ~99% of your footprint. AI commits autonomously is a governed exception, allowed only on a narrow, low-risk surface, with logging and a kill switch, owned by someone accountable.
Blast radius decides which side of the line a use case sits on. A doc typo fix on a static site can earn autonomy. A schema migration on the payments DB never does.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Plot a use case on blast radius × reversibility. Only the low-blast, reversible corner earns autonomous commit; a payments-DB schema migration lives in the far corner where AI proposes only.
The governance guarantee: automations never mergethe merger is accountable, full stop
Here is how Cursor's own engineering team states the rule, and it's the cleanest version of the bright line you can hand a customer: no automation agent ever merges directly to the repo. It always produces a PR a human reviews and the person who clicks merge is accountable for what lands. You can layer BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. and as many validation automations as you like in front of that PR. The accountability never moves off the human who merges.
Staying on the propose side doesn't mean dumb dispatch. A mature pattern is the risk-rated PR automation: an agent triggers on PR-opened, classifies the change as low / medium / high risk, and routes accordingly. A genuinely low-risk change (say a title or copy tweak) gets auto-approved and merges easily; a high-risk change is held for human review and the automation assigns the right reviewers by running Git blame to find the people who actually own those lines. That's the deterministic dispatch behind the bright line: the agent does the routing, the human still owns the merge on anything that carries risk.
Wiring automations almost never changes your security story, with one exception worth saying out loud: a triggerable automation opens a new vector. If anyone in a Slack channel (or any external surface) can fire an automation that touches code, then everyone who can fire it effectively has a path to your codebase. If those people shouldn't have repo access, don't wire them to a code-touching automation.
Contain it the usual way: read-only integrations where you can (a read-only SQL connection can't drop a prod table), least-privilege scopes, and hooks that block secrets or private keys before any change is proposed.
Never fix a pipeline by disabling a checkthe cardinal sin
CI goes red, the pressure is on and the seductive 'fix' presents itself:
- Disable the failing check.
- Mark the test as skipped.
- Merge with admin override.
This is the one move that is always wrong. The check is the evidence. Disabling it doesn't fix the problem. It deletes the proof a problem exists and silently lowers the bar for everyone after you.
An agent told to 'make CI green' will absolutely do this if you let it. That's why agents that touch CI need rules forbidding it and why a human reviews any change to the pipeline config itself.
- 1Read the failure. Get the actual error and the failing check's logs. Don't guess. (The CLI
/debugand Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. are good at exactly this.) - 2Reproduce locally or in an isolated agent VM. A failure you can't reproduce is a fix you can't trust.
- 3Find the root cause. Is the code wrong or the test or check wrong? Both are legitimate, but you must know which. Changing a test to match buggy code is itself the bug.
- 4Fix the cause, not the symptom. Repair the code or correct the test if it was genuinely wrong, with justification in the PR. Never disable, skip or override to go green.
- 5Re-run the full suite and confirm green for the right reason. Land it as a normal PR through the normal gates.
"You never fix a red pipeline by disabling the check. The check isn't the obstacle - it's the evidence. Disabling it doesn't solve the problem, it just deletes the proof and lowers the bar for everyone who merges after you."
Takeaway. Keep agents on the propose side of the bright line by default and never make CI green by disabling the check that holds the evidence.
Self-check
The anti-pattern taxonomy
After this you can name any AI-in-the-SDLC failure in a customer's org and prescribe the single guardrail that contains it.
Every AI-in-the-SDLC failure mode rhymes. Learn the taxonomy and you can name what's going wrong in a customer's org in one sentence, then point at the guardrail. For each one: the failure, who loses trust and the control that contains it.
- Anti-pattern
- Vibe-merges
- Failure → who loses trust
- Merging on a green-checkmark feeling without reading the diff → reviewers, then prod when it breaks
- Guardrail
- Required author self-review plus code-owner approval; AI review stays an independent signal, never the merge trigger
- Anti-pattern
- Mega-diffs
- Failure → who loses trust
- One PR touches 80 files mixing refactor and behavior → reviewers can't hold the blast radiusHow much breaks if a change goes wrong; the scope of potential damage., so they rubber-stamp
- Guardrail
- Enforce scope: split refactor from behavior, keep PRs small and coherent, flag oversized diffs in review
- Anti-pattern
- Prompt-and-pray
- Failure → who loses trust
- Fire a vague prompt, accept whatever comes back unverified → the author, whose name is on it
- Guardrail
- Specify intent, read the output, test it. The author owns the agent's work, full stop
- Anti-pattern
- Fabricated confidence
- Failure → who loses trust
- Model states a wrong answer fluently (hallucinated API, invented behavior) → whoever trusted the fluent tone
- Guardrail
- Verify against ground truth: docs, types, a running test. Tone is not evidence
- Anti-pattern
- Hidden generated code
- Failure → who loses trust
- Large AI-generated blocks merged with no signal they're generated → future maintainers and auditors
- Guardrail
- AI-code tracking and attribution; honest PR descriptions; review density scales with how much is generated
- Anti-pattern
- Context rot
- Failure → who loses trust
- Long agent session drifts off the original task; later edits contradict earlier ones → the author, silently
- Guardrail
- Short, scoped sessions; re-ground the agent; review the final diff against intent, not the conversation
- Anti-pattern
- Secrets / prompt-injection
- Failure → who loses trust
- Secrets pasted into context or hostile content in a repo or issue hijacks the agent → security, the whole org
- Guardrail
- Secret scanning, Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. and ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it., terminal sandboxing, least-privilege MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs., treat external content as untrusted
- Anti-pattern
- Excessive agent permissions
- Failure → who loses trust
- Agent granted broad repo, tool and prod access 'to be convenient' → security and SRESite Reliability Engineering. The team and practice that keeps production reliable: monitoring, on-call and incident response.; the blast radiusHow much breaks if a change goes wrong; the scope of potential damage. is now huge
- Guardrail
- Least privilege: model/MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs./repo allowlists, RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually., terminal sandboxing, isolated VMs, scoped tokens
- Anti-pattern
- Volume-as-success / mandated usage
- Failure → who loses trust
- Measuring lines-of-AI-code or mandating usage → leadership credibility, then engineers who game the metric
- Guardrail
- Measure outcomes (DORADORA metrics. Four widely-used delivery measures: deployment frequency, lead time for changes, change failure rate and time to restore service., throughput, defect rate), not AI volume; drive adoption via mentorship, not mandate
| Anti-pattern | Failure → who loses trust | Guardrail |
|---|---|---|
| Vibe-merges | Merging on a green-checkmark feeling without reading the diff → reviewers, then prod when it breaks | Required author self-review plus code-owner approval; AI review stays an independent signal, never the merge trigger |
| Mega-diffs | One PR touches 80 files mixing refactor and behavior → reviewers can't hold the blast radiusHow much breaks if a change goes wrong; the scope of potential damage., so they rubber-stamp | Enforce scope: split refactor from behavior, keep PRs small and coherent, flag oversized diffs in review |
| Prompt-and-pray | Fire a vague prompt, accept whatever comes back unverified → the author, whose name is on it | Specify intent, read the output, test it. The author owns the agent's work, full stop |
| Fabricated confidence | Model states a wrong answer fluently (hallucinated API, invented behavior) → whoever trusted the fluent tone | Verify against ground truth: docs, types, a running test. Tone is not evidence |
| Hidden generated code | Large AI-generated blocks merged with no signal they're generated → future maintainers and auditors | AI-code tracking and attribution; honest PR descriptions; review density scales with how much is generated |
| Context rot | Long agent session drifts off the original task; later edits contradict earlier ones → the author, silently | Short, scoped sessions; re-ground the agent; review the final diff against intent, not the conversation |
| Secrets / prompt-injection | Secrets pasted into context or hostile content in a repo or issue hijacks the agent → security, the whole org | Secret scanning, Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. and ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it., terminal sandboxing, least-privilege MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs., treat external content as untrusted |
| Excessive agent permissions | Agent granted broad repo, tool and prod access 'to be convenient' → security and SRESite Reliability Engineering. The team and practice that keeps production reliable: monitoring, on-call and incident response.; the blast radiusHow much breaks if a change goes wrong; the scope of potential damage. is now huge | Least privilege: model/MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs./repo allowlists, RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually., terminal sandboxing, isolated VMs, scoped tokens |
| Volume-as-success / mandated usage | Measuring lines-of-AI-code or mandating usage → leadership credibility, then engineers who game the metric | Measure outcomes (DORADORA metrics. Four widely-used delivery measures: deployment frequency, lead time for changes, change failure rate and time to restore service., throughput, defect rate), not AI volume; drive adoption via mentorship, not mandate |
Volume-as-success and mandated usage are dangerous precisely because they look like leadership 'driving adoption.' The metric goes up while trust goes down. Engineers game the number and the org learns that AI means theater you're forced to perform.
The Box case study is the counter-model: 85%+ daily active and 30–50% throughput gains came from mentorship, not from a mandate (+75% usage in 6 weeks via peer enablement). Pull, not push.
How they clusterthree root causes
Notice the through-line. Nearly every guardrail in the right column is something we already covered: the well-formed PR, the layered review with a non-collapsible human gate, intent-asserting tests, least privilege, outcome metrics over volume. The anti-patterns aren't exotic. They're what you get when you skip the disciplines. Your job in the field is to spot which discipline a team dropped, then restore it.
The canonical prompt anti-patternwhere prompt-and-pray actually starts
Most prompt-and-pray messes begin with the same move: a vague prompt on the most expensive model. "Make the app better" on a frontier model, expecting horsepower to substitute for direction. With no concrete target the agent makes blind, scattershot edits, which burns tokens, then burns more tokens reading and fixing the bad code it just wrote: a compounding blind edits → read/fix → more tokens loop that drives cost up and quality down at the same time. Power on a fuzzy task is the worst of both worlds.
- Vague (drives the loop)
- "Make the app better."
- Scoped (names surface, change, constraints)
- "Under the shop page, add an in-stock filter next to the existing tag and sort controls. Preserve URL query params and update tests if needed."
- Vague (drives the loop)
- Any model, no success check
- Scoped (names surface, change, constraints)
- Match model power to task; in plan mode for anything non-trivial
| Vague (drives the loop) | Scoped (names surface, change, constraints) |
|---|---|
| "Make the app better." | "Under the shop page, add an in-stock filter next to the existing tag and sort controls. Preserve URL query params and update tests if needed." |
| Any model, no success check | Match model power to task; in plan mode for anything non-trivial |
Specificity, not model price, is what stops the blind-edit loop. The fix is a concrete success check, plan mode first and a fresh agent when context bloats.
Tie the whole taxonomy together with one mental model: with agents producing code at 10x-100x prior rates, the constraint is no longer generating code, it's reviewing it. There are far more PRs than humans can read line by line, so quality and review become where engineering effort and tooling investment belong.
The goal isn't to read faster. It's to read less, better: the human stops reading every line and instead reads a tight, agent-written summary, 'the agent generated 3M lines; here are the 7 things you, the expert, should decide on.' Every guardrail in this module exists to protect that scarce human review attention, which is exactly why volume-as-success is so corrosive: it celebrates the thing that is now cheap while ignoring the thing that is now scarce.
When a customer describes a mess, resist solutioning immediately. Name the anti-pattern first ('that's classic vibe-merging' / 'you've made coverage a target'), say who's losing trust, then prescribe the single guardrail. That sequence, name → trust impact → control, separates a field engineer from a feature-lister.
Strongest closing line: 'AI didn't break your pipeline. Skipping a discipline did. We put the discipline back - the PR stays the unit of trust.'
Takeaway. Every anti-pattern is a dropped discipline; name it, say who's losing trust and prescribe the one guardrail that puts the discipline back.