AI code review should not compete with continuous integration, tests, linters, or static analyzers for the same job. Deterministic tools are fast, reproducible, and enforceable when a rule can be encoded. A generative reviewer is valuable where the question depends on intent, changed context, or a repository convention that is difficult to formalize. A good pull-request workflow assigns each problem to the cheapest reliable mechanism.
Run formatters, type checking, linting, unit tests, and focused integration tests before model review when practical. Their failures are direct evidence and may also improve the context available to a reviewer. There is little value in paying a model to comment that code does not compile when the compiler can say exactly where and why. The model should spend its budget on reasoning the existing checks cannot express.
Make deterministic checks authoritative
Branch protection is appropriate for stable checks with clear remediation: required tests, build success, type safety, formatting, secret scanning, license policy, or a well-defined security analyzer. When a deterministic rule repeatedly proves useful, turn it into code and remove it from the generative prompt. This reduces variability and gives developers local feedback before they open a pull request.
- CI: build, types, tests, migrations, generated-file consistency, and environment-specific validation.
- Linters and static analysis: syntax-level patterns, data-flow rules they model well, dependency policy, and style.
- AI correctness review: changed invariants, cross-file behavior, error paths, and tests that assert the wrong thing.
- AI security review: contextual trust boundaries and plausible source-to-sink paths not covered deterministically.
- Humans: product intent, architecture tradeoffs, risk acceptance, readability for the team, and final merge judgment.
Pass check results as evidence, selectively
A reviewer can use a concise failing test, type error, or analyzer result to reason about the changed behavior, but do not dump entire CI logs into every prompt. Retrieve the relevant failure and nearby code. Make clear which evidence came from a deterministic tool and which conclusion came from the model. If CI has not completed, the review status should not imply those checks passed.
Avoid duplicate feedback. If a linter owns unused imports or formatting, tell the AI reviewer not to comment on them. If a security scanner already posts a precise dependency advisory, the model does not need to paraphrase it. Aggregating every tool into one interface can be useful, but retain source identity and remediation links so developers know which output is reproducible.
Keep generative review advisory
Model findings vary with prompt, model version, context, and provider behavior. Use confidence floors, evidence requirements, deduplication, and comment caps, then let a maintainer decide. If a generative finding reveals a pattern that must never recur, encode a regression test or static rule and make that deterministic artifact the future gate. The AI is then a discovery mechanism that improves the engineering system.
Optimize the whole feedback path
The fastest feedback should run locally or early in CI. Expensive contextual review should run only when the diff is ready enough to justify it. Humans should receive a compact set of unresolved questions, not repetitions of machine-verifiable facts. Teams reach a durable workflow when deterministic automation handles certainty, AI review handles evidence-seeking hypotheses, and people retain the decisions that require intent and accountability.
Review ownership periodically because the boundary moves. A repeated AI observation may become a linter rule; a flaky analyzer may need replacement; a new framework may shift which context the model needs. Keep one documented map of checks, triggers, owners, enforcement level, and remediation path. Developers should not have to guess whether to satisfy a bot, change a test, or ask a security owner when feedback conflicts.