Reviewing AI‑Written Code: What To Read First

gent-written diffs are fast, large, and uneven. Some lines are perfect boilerplate; others hide quiet landmines. You don’t need to re-read everything, you need a better reading order.

AI Code Review Order

  1. Spot starting levelbegin
  2. Read tests firstthen
  3. Check public APIsthen
  4. Inspect error pathsthen
  5. Review rewritesthen
  6. Check importsdeepen
  7. Deeper review
  8. Ask agent redo
Start with calibration, follow five checks, then decide deepen or rerun.
Article mapOpen the visual summary

AI Code Review Order

  1. Spot starting levelbegin
  2. Read tests firstthen
  3. Check public APIsthen
  4. Inspect error pathsthen
  5. Review rewritesthen
  6. Check importsdeepen
  7. Deeper review
  8. Ask agent redo
Start with calibration, follow five checks, then decide deepen or rerun.
Table of Contents10 sections

What you’ll be able to do

  • Review AI-written diffs in 10-20 minutes by focusing on five high-signal areas instead of every line.
  • Decide when to trust tests, when to trust your own reading, and when to push work back to the agent.
  • Write clear re-do requests that make the next AI attempt safer and smaller.

Why AI diffs need a different review order

Traditional human PRs are usually shaped by intent. You know what the author was trying to do, and the diff tends to be minimal around that goal. Reading top-to-bottom works because the changes often tell a coherent story.

Agent diffs are different. They’re opportunistic: the model may refactor adjacent code, rename things, or “clean up” imports while touching the real change. Some edits are excellent, others are subtly wrong, and they’re all mixed together.

If you read them like human PRs, you waste time on correct boilerplate and may still miss the risky parts. Instead, you need a triage order tuned to where agents fail most: shallow tests, sloppy public contracts, brittle error paths, overeager rewrites, and messy dependencies.

Spot your starting level

Before we get fancy, calibrate how you’re reviewing AI code today. That starting point matters more than any advice.

Ask yourself which description fits you most often:

Level 1 – Line-by-line panic
You scroll from top to bottom, reading almost every changed line. Reviews feel slow and exhausting. You still worry you’re missing things.
Level 2 – Ad-hoc skimmer
You skim and dive into anything that “looks weird,” but you don’t have a stable checklist. Some diffs get a deep look; others get a shrug.
Level 3 – Focused triager
You deliberately start with tests, APIs, and error paths, then only widen if needed. You sometimes send the agent back for a re-do without touching code yourself.

If you’re Level 1-2, this article will pull you toward Level 3 with a clearer order and a simple practice loop. If you’re already Level 3, you’ll refine your checklist and your run-vs-read decisions.

The five-place reading order for reviewing AI code

Agent diffs tend to fail in predictable places. Use them.

For any non-trivial diff, read in this order:

  1. 1
    Tests: Are they meaningful, minimal, and actually exercising the change?
  2. 2
    Public API surface: Functions, classes, endpoints, messages, DB schemas, events.
  3. 3
    Error paths: Exceptions, error returns, retries, edge-case branches.
  4. 4
    Over-confident rewrites: Large blocks it rewrote instead of editing in place.
  5. 5
    Imports and dependencies: New libraries, cross-module calls, feature flags.

You’re not trying to certify every line. You’re trying to answer: “Given how this change will be used, where could it hurt us?” These five areas are where harm usually originates.

Treat AI diffs like an accident scene, not a novel. You are not here to appreciate the prose; you are here to locate impact. Start with the parts that touch users, data, and failure modes. Everything else is bonus. When in doubt, give your attention to where an incorrect assumption would be most expensive tomorrow.

First attempt: 15-minute triage on a real agent diff

Let’s turn this into practice right now. You’ll run a short triage loop on a real diff, not a toy example.

Pick a diff:

Your 15-minute triage task:

  1. 1

    Set a timer for 15 minutes

  2. 2

    Open the diff, but don’t scroll from the top

  3. 3

    Jump straight to tests, then the other four hotspots, in order

  4. 4

    Leave comments or notes as you go

    do not fix code yet.
  5. 5

    At the end, decide

    approve as-is, edit yourself, or ask the agent to re-do.

You’re training the habit of where your eyes go first, not perfection. The feedback you get from this run is key.

Reading tests: do they actually test what changed?

  • Check AlignmentDo the tests clearly match the described change?
  • Check SpecificityAre assertions checking actual behaviour or just existence?
  • Check Coverage of failureIs there at least one test for a non-happy path?
Three checks for whether changed tests really verify behaviour

Tests are the most visible place agents seem helpful—and one of the most misleading.

When you jump to the test changes, look for three things:

  1. 1
    Alignment: Do the tests clearly match the described change? If the diff claims to add pagination, is there a test that fails without pagination and passes with it?
  2. 2
    Specificity: Are assertions checking actual behaviour or just existence? A test that only checks a 200 status while ignoring the response body is weak.
  3. 3
    Coverage of failure: Is there at least one test for a non-happy path (invalid input, empty result, permission issue)?

A common agent failure mode is tests that only assert that code runs, not that it does the right thing. Another is copying existing tests but changing names, leaving the real behaviour unverified.

Feedback signals from your first attempt:

  • If you spot a too-broad, low-value test quickly, your triage is working. Comment on it explicitly.
  • If all tests look plausible but you feel uneasy, note exactly why: vague naming, missing edge cases, or magic constants.
  • If you realize you’re nitpicking style (spacing, naming) before behaviour, pause and reset to behaviour-first.

After the timer, check a sample of these tests by actually running them or temporarily breaking the code they should guard. If broken code doesn’t fail tests, you’ve uncovered a serious gap—and a good candidate for an agent re-do focused on testing.

Public API surface: silent breaking changes

Next, inspect the code that other systems or teams depend on: exported functions, HTTP endpoints, message schemas, DB migrations, public classes, CLI flags.

You’re looking for signature drift. Did the agent:

These changes often look fine in isolation but quietly break callers.

During your first attempt, pick one affected public entry point and mentally walk a typical caller through it. Does the new contract still make sense? Would any existing callsites behave differently without changing their code?

If you find drift, resist the urge to patch it silently. Leave a comment or tell the agent:

Error paths: where agents stumble most

Agents are decent at happy paths; they’re usually worse at unhappy ones. That’s why error paths are third in the reading order, not an afterthought.

Scan for:

Look for these smells:

On your first attempt, pick one new error path and ask: “If this fires in production at 3am, would I know what happened and what to do next?” If not, that’s a change request.

Strong feedback signal: you catch at least one shallow or overbroad error handler in 15 minutes. Weak signal: you never even reached error handling because the diff description didn’t mention it; update your habit to scan for it regardless.

Over-confident rewrites and imports: what looks fine but isn’t

By now you’ve touched tests, APIs, and error paths. Next are the big chunks the agent rewrote and the imports/dependencies it changed to support them.

These are the changes that “look fine” at a glance but hide deeper risk:

For rewrites, compare old vs new at the level of behavioural checkpoints: inputs, side effects, and outputs. Ask: “Did any step disappear or move?”

For imports and dependencies, you’re watching for scope creep:

If everything looks fine but your gut says “this is more change than we needed,” that’s a signal—not to re-read every line, but to push back on the scope. Ask the agent for a smaller, edit-in-place diff that changes only what’s required.

Spot-checks vs full reviews: run-vs-read decisions

Running tests

  • behaviour is complex
  • test coverage looks solid
  • running tests over reading every branch
  • tests look meaningful
  • skim remaining diff

Reading code

  • behaviour is simple
  • error paths or contracts are subtle
  • reading over more test runs
  • full review
  • deeper attention
When to lean on running tests versus reading code

You won’t always have time or need for a full review. After a five-place pass, decide whether to deepen or stop.

Use this table as a quick guide after your 10-20 minute triage:

Situation What you do next Why
Found no serious issues in hotspots; tests look meaningful Run the full test suite, skim remaining diff for obvious formatting issues only The high-risk surface looks healthy; extra reading has low ROI
Found 1-2 fixable issues (e.g., missing edge test, mild error-path weakness) Ask agent to re-do with targeted instructions, then re-run the same five-place pass You want the model to learn the pattern and keep your time for judgement
Found structural issues (wrong API shape, bad data handling) Stop, request a significantly smaller or differently-scoped change from the agent The current attempt is misaligned; patching will take longer than rethinking
Under time pressure and change is non-critical Spot-check tests + API only, rely on monitoring in lower envs You’re making an explicit risk trade-off instead of an accidental one

This is also where run-vs-read comes in:

  • When behaviour is complex and test coverage looks solid, lean on running tests over reading every branch.
  • When behaviour is simple but error paths or contracts are subtle, lean on reading over more test runs.

Aim for most AI diff reviews to land in the 10-20 minute range, with only critical or hairy changes getting deeper attention.

When and how to ask the agent to re-do

  1. 1

    Ask for a re-do

    Ask for a re-do when tests, contracts, error handling, or diff scope look wrong.

  2. 2

    State the scope

    Say what the change should cover, and what must stay untouched.

  3. 3

    Set constraints

    Include backward compatibility, performance, and security notes.

  4. 4

    Require testing

    Specify exact behaviours to test, including at least one failure path.

  5. 5

    Request the format

    Ask for a smaller diff or a single-file edit if it sprawled.

How to ask an agent for a useful re-do

The biggest upgrade in an AI-heavy workflow isn’t catching every bug yourself; it’s pushing work back to the agent effectively.

You should ask for a re-do when:

When you do, be specific. A useful re-do request has four parts:

  1. 1
    Scope: What should the change cover, and what must stay untouched.
  2. 2
    Constraints: Backward compatibility, performance, security notes.
  3. 3
    Testing requirements: Exact behaviours to test, including at least one failure path.
  4. 4
    Format: Ask for a smaller diff or a single-file edit if the previous attempt sprawled.

For example:

Text
Your diff changed the shape of the `getOrders` API and added several refactors.

Re-do this change with these constraints:
- Keep the existing `getOrders(userId, { limit, cursor })` signature unchanged.
- Only modify the pagination logic; do not rename other functions.
- Add tests that fail if pagination is off by one page or returns duplicates.
- Include at least one test for an empty result set.

Return a minimal diff touching only the orders service and its tests.

On your next attempt, run the same five-place reading order. You should see fewer, sharper changes and tests that respond to your previous feedback.

Putting it together: a repeatable AI review loop

You now have a focused order and a sense for when to stop reading and start rerunning the agent.

Here’s a compact loop you can carry into daily work:

  • Triage (10-20 min): Apply the five-place reading order: tests → public APIs → error paths → rewrites → imports/deps.
  • Decide: Based on what you find, classify the diff as “approve with nits,” “agent re-do,” or “needs human redesign.”
  • Respond: For re-dos, send a structured prompt; for approvals, ensure tests and monitoring are in place.

Over a week of doing this deliberately, you’ll notice patterns: which agents are trustworthy in which modules, which hotspots are most fragile in your codebase, and where additional automated tests or tooling would pay off more than more human reading.

You’re not trying to outthink the model on every line. You’re building a reviewing style that lets you focus your human judgement exactly where AI is weakest.

Cheatsheet: Reviewing AI‑Written Code Fast

Five-place reading order

Use this sequence on any AI diff over ~30 lines: (1) Tests: do they fail if you temporarily break the new behaviour? (2) Public API: signatures, types, and schemas untouched or deliberately migrated. (3) Error paths: no swallowed errors, meaningful logs, preserved context. (4) Over-confident rewrites: compare inputs/outputs and key side effects against the old version. (5) Imports/dependencies: no unnecessary new libraries, no broken layering, no bypassed feature flags. Aim to cover all five in 10-15 minutes before you consider reading anything else.

⚡ Smell list for agent diffs

Watch for these high-yield smells: (1) Tests that only check status codes or that a function runs, not detailed outputs or edge cases. (2) API changes where params silently become optional/required or IDs change type. (3) catch blocks that log and continue without rethrowing or returning an error. (4) Large refactors introduced while fixing a small bug. (5) New imports pulling in heavy libraries for trivial jobs (e.g., a whole date library to add one day). Hitting any 2-3 of these smells is usually enough to justify a re-do request instead of manual patching.

⏱️ Run-vs-read decision

After your 5-place pass, decide in under 2 minutes: (1) If you saw zero major issues and tests look strong, run tests first and only skim the rest of the diff. (2) If tests look weak or missing around critical logic, read more in that area and then request additional or stronger tests from the agent. (3) If the diff touches critical paths (auth, billing, data integrity), budget up to 30 minutes and combine deeper reading with targeted manual tests. (4) If you’re under hard time pressure and the change is low-risk, accept a 5-10 minute spot-check focused on tests + APIs and rely on monitoring in staging or canary releases.

Structured re-do request

When asking the agent to try again, follow this 4-part template: (1) "What went wrong"; 1-3 concise bullets (e.g., tests not exercising failure, API change broke callers, error handling swallowed problems). (2) "Scope and constraints"; exact modules or functions to touch, and what must stay compatible. (3) "Test expectations"; list 2-4 behaviours that must be covered, including at least one error or edge case; mention any specific inputs to include. (4) "Diff shape"; request a minimal, additive change: same file, no unrelated refactors, one concern per diff. This keeps the next review close to 10-15 minutes and centered on behaviours, not formatting.

Want a more guided way to practice this?

Use quick checks, feedback, and a cleaner retry.
Practice this guide

FAQ: Making AI Code Reviews Sane

⏱️ How long should an AI code review take?

For most non-critical AI diffs (say 30-200 changed lines), aim for 10-20 minutes of focused review. That includes your five-place pass plus a decision on whether to re-run the agent, edit yourself, or approve. Critical paths like auth, billing, or data migrations may justify up to 30-40 minutes, but treat that as exceptional. If you routinely spend longer, your diffs are too broad; ask the agent for smaller, more targeted changes; and you’re probably trying to manually compensate for weak tests instead of improving them. Use your time budget as a forcing function to demand better diffs and better coverage from the start.

Should I run the tests first or read first?

If you already have a good, trusted test suite, running tests first can be tempting, but for AI diffs it’s usually better to read key hotspots first. The reason is that agents often add or modify tests in ways that make the suite pass while still not exercising real behaviour changes. Your first 10-15 minutes should check whether tests are meaningful at all. After that, run the suite to catch integration issues or regressions you didn’t anticipate. Over time, if your five-place pass keeps confirming strong test quality, you can flip the order for familiar modules: run tests first, then do a faster reading pass focused on APIs and error paths.

What if the agent already ran tests and they passed?

Treat passing tests reported by the agent as a useful signal, not a verdict. The key question is whether those tests would actually fail if the implementation were wrong. During review, pick one or two crucial behaviours and temporarily imagine or introduce a bug; if the existing tests wouldn’t catch it, the green status is shallow. In that case, your feedback should be to strengthen tests, not just tweak code. You might ask the agent explicitly: “Show me a test that would fail if pagination returned duplicates,” or similar. Only when you see that kind of targeted coverage should you start to lean on the agent’s test runs as a strong trust signal.

Can I trust the agent’s self-review comments or explanations?

Self-review text from the agent (“I refactored X for clarity,” “This is backward compatible”) is helpful context but not proof. Assume it may be incomplete or overconfident, especially around subtle behaviours, performance, and error handling. Use the explanation to guide where you look first: if it claims no public API changes, confirm that before anything else. When the explanation matches what your five-place pass reveals, your trust can inch up for that agent in that module. When they diverge, treat it as a learning moment and harden your prompts, asking the agent to highlight any behavioural or contract changes explicitly next time.

When should I ask the agent to re-do the diff instead of editing it myself?

Ask for a full or partial re-do when the diff is structurally wrong, not just cosmetically off. Examples include: tests that don’t exercise the real behaviour, public APIs changed without a migration, error handling that weakens observability, or a change that sprawled into unrelated refactors. In those cases, your edits would amount to redesigning the solution; it’s better to spend a few minutes crafting a sharp re-do prompt. Reserve manual edits for local, tactical fixes—small logic corrections, comment clarifications, or adding a missing test case to an otherwise solid suite. The moment you feel you’re untangling a messy concept rather than patching a detail, stop and push the work back to the agent with clear constraints.

Conclusion: Aim your attention, don’t multiply it

Reviewing AI-written code isn’t about working harder; it’s about aiming your attention where models are weakest. That’s tests that don’t quite test, public contracts that drift, and error paths that quietly decay.

With a five-place reading order and a 10-20 minute triage loop, you can keep AI diffs moving without pretending to certify every line. Use your findings to decide whether to trust, extend, or reject the change—and don’t hesitate to ask the agent to re-do work when the structure is wrong.

As you practice, you’ll build a feel for which modules tolerate lighter review, where extra tests pay off more than more eyes, and how to use agents as collaborators rather than code firehoses. That’s the real skill: not just reviewing AI code, but designing a workflow where your judgement stays in front of the model, not behind it.

A practical triage order for reviewing AI-written code. Learn where agent diffs usually fail, what to read first, and when to ask the agent to re-do the ch

Next steps: Try this on your next AI diff

  • On your very next AI-generated diff, enforce a 15-minute timer and follow the five-place reading order instead of scrolling from the top.
  • Pick one hotspot (tests or error paths) where you felt most uneasy and write a structured re-do request for the agent focused only on that aspect.
  • For a week, log each AI diff as “approve,” “agent re-do,” or “needs human redesign,” along with what you found in your first 15 minutes; review patterns at the end.
  • Share the five-place reading order and the re-do template with your team, and try a pairing session where one person drives the review while the other writes the next agent prompt.

More guides from Taim.io

Guide

Reading a model card without zoning out

Read guide

Guide

What Current AI Models Still Get Wrong, Mid-2026

Read guide

Guide

What C2PA provenance actually proves

Read guide
View all guides

Explore more themes

Work smarter with AIAutomate what slows you downGrow with confidenceFix things that need fixingGet your money workingStay secure in an AI worldLive more sustainablyBuild real softwareBuild skills that compoundBuild habits that hold upSharpen your creative craftSell with intentSpeak with weightRun projects that landBuild a real networkCode with agentsWork for yourselfKeep your judgment sharp
Taim.io app

Continue this topic inside the Taim.io app

Use the next session for quick checks, feedback, and a cleaner retry.