AI agents are rapidly becoming the primary authors of pull requests, creating a volume of code that challenges traditional governance and human review capacity. This shift is creating a fundamental crisis in the software development lifecycle: we are producing code at a volume that has outpaced our ability to fully understand it.

When a software developer uses an AI coding agent to generate hundreds of lines in seconds, the traditional peer review process breaks. We are entering an era of "black box" code—code that looks correct and functions as intended, but contains nuances and dependencies that no developer on the team has fully internalized.

The challenge for software engineering teams is no longer just “how to move faster,” but “how to maintain integrity” when reviewing code they  didn't actually write and may not fully comprehend.

The collapse of manual code review

For decades, code review was a primary vehicle for knowledge sharing and quality control. It was a human-scale activity. But as AI scales software development velocity, the human-in-the-loop is becoming a bottleneck.

• The cognitive load problem: Reviewing machine-generated code requires significantly more mental effort than reviewing developer-written code. Our research shows that 38% of developers agree reviewing AI-generated code requires more effort than reviewing code written by their colleagues. AI can be overly verbose or use subtle patterns that are difficult for a tired human eye to catch.
• The "rubber stamp" trap: Faced with an explosive volume of code, reviewers often default to checking if the tests pass and moving on. This type of review ignores the long-term health, security, and maintainability of the codebase. A staggering 61% of developers agree that AI often produces code that looks correct but isn't reliable, creating a deceptive layer of quality that bypasses manual scrutiny. 
• The loss of context: When an AI agent generates code, there is no intent to discuss in a comment thread. If the reviewer doesn't understand the underlying logic, the effort to review AI code tends to become a surface-level check rather than a deep validation of the solution.

To survive this shift, we have to change how we approach the verification of the code artifact itself.

Source-agnostic, risk-specific AI code review

In the AI-driven SDLC, the origin of the code (who or what wrote it) matters less than the integrity of the result. To maintain standards without killing velocity, the review process must become source-agnostic.

This means the burden of proof for code quality and security moves away from the human reviewer and onto an automated, high-precision verification layer.

1. Automate the standard so developers can focus on intent

If your senior developer’s’ time is spent catching syntax errors, naming inconsistencies, or basic security flaws, you are misusing your most expensive resource. Automated code review can handle the deterministic aspects of code health—security vulnerabilities, reliability issues, and maintainability standards—leaving senior developers to focus on the high-level strategy, business logic, and architectural intent.

2. Implement risk-specific enforcement mechanisms 

Not all code is created equal. A source-agnostic approach allows you to apply different levels of rigor based on the impact of the application.

• For mission-critical systems: Automated standard enforcement isnon-negotiable. If the code doesn't meet the standard, it doesn't move forward.
• For innovation zones: Use automated feedback as a coaching tool to help developers understand the risks the LLM/agent might be introducing.

Scaling review with Sonar

Sonar views the implementation of governance frameworks as scaling enablers rather than hurdles. SonarQube analyzes over 750 billion lines of code every day. This massive scale equates to high-precision feedback required to review AI code at machine speed. This, in turn, enables software engineering teams to innovate more quickly using AI, because they have the confidence of knowing a governance regime exists to protect the health of their applications.

Sonar provides the infrastructure that allows teams to scale their review process without sacrificing standards:

• High-precision analysis: For automation to replace manual toil, it must be reliable. If a tool creates noise, developers will ignore it. SonarQube’s analysis provides actionable code intelligence that identifies exactly what is wrong and how to fix it, ensuring that AI code is thoroughly vetted before it ever reaches a developer .
• Review at the point of creation: Code review is a continuous process.With its IDE and MCP integrations, SonarQube catches issues the moment AI suggests them. This workflow allows software developers to experiment with AI tools while knowing their first line of defense is always active.
• Source-agnostic by design: Because our verification focuses on the artifact, it doesn't matter if your team is using Copilot, Cursor, or a custom internal agent. SonarQube provides a single, unified standard of excellence that scales across your entire organization, regardless of how the code was generated. 
• Architecture: As teams move from simple assistance to delegating code generation to autonomous agents, the risk of architectural drift increases exponentially. Sonar is  adding architecture capabilities to SonarQube to help teams ground these agentic workflows in sound architectural information. This infrastructure allows teams to discover their current state, formalize a target blueprint, and ensure that delegated agents remain within the intended structural constraints.

Managing the transition to agentic development

As we move from AI assistants to autonomous agents that can build independently, the need for a robust, automated review layer becomes an operational necessity. You cannot scale a human-only process to match an exponential increase in AI-powered build volume.

By deploying an automated, high-precision review infrastructure, your teams can innovate with confidence. You move from a culture of "hoping the AI code is right" to a culture of "knowing the code is secure."

The goal isn't just to review more code; it's to build software you can actually trust, even when you didn't write every line yourself.

*** This is a Security Bloggers Network syndicated blog from Blog RSS feed authored by Ekaterina Okuneva. Read the original post at: https://www.sonarsource.com/blog/how-to-scale-code-quality/