Use AI to generate boilerplate (models, API stubs, test scaffolding) quickly; focus manual review on business logic, security, and error handling. Review AI code for unhandled edge cases, SQL injection risks, and architectural consistency. Allocate 30% of effort to generation, 70% to review and refinement. This guide covers effective workflows for combining AI generation with manual code review.
The Role Division: What AI Does Well
AI excels at generating repetitive boilerplate, scaffolding project structures, and creating test cases. It can rapidly produce code based on specifications, saving hours of manual typing. However, AI lacks understanding of your specific business context, security requirements, and architectural decisions.
The most effective approach assigns clear responsibilities: let AI handle the mechanical work while you focus on logic validation, security review, and architectural consistency.
Practical Workflow for AI + Manual Review
Step 1: Generate with Clear Context
When prompting AI for code, provide sufficient context. Include relevant file paths, existing patterns in your codebase, and specific requirements:
# Instead of:
# "Write a function to process user data"
# Use:
"Write a Python function to validate user registration data.
Follow our existing patterns in models/user.py. Use Pydantic v2
for validation. Return 422 on validation failure with error details."
Step 2: Automated Pre-Check Before Human Review
Run basic checks before requesting manual review:
# Run linter and formatter
python -m ruff check generated_code.py
python -m black generated_code.py
# Run type checker
python -m mypy generated_code.py
# Run tests
pytest generated_code_test.py
This catches syntax errors, style violations, and basic type issues automatically.
Step 3: Structured Manual Review Checklist
When reviewing AI-generated code, use a systematic approach:
-
Logic verification: Does the code actually solve the stated problem?
-
Edge cases: What happens with null values, empty inputs, or unexpected data?
-
Security: Are there injection risks, exposed credentials, or permission issues?
-
Performance: Are there obvious N+1 queries, missing indexes, or inefficient loops?
-
Dependencies: Are imported libraries necessary? Any version conflicts?
Example: Reviewing AI-Generated API Endpoint
Consider this AI-generated FastAPI endpoint:
@router.post("/users")
def create_user(user_data: UserCreate):
user = db.create(user_data)
return user
Manual review should catch several issues:
# After review - corrected version
@router.post("/users", response_model=UserResponse, status_code=201)
def create_user(
user_data: UserCreate,
db: Session = Depends(get_db),
current_user: User = Depends(require_admin) # Added auth
):
# Check for duplicates before creation
existing = db.query(User).filter(User.email == user_data.email).first()
if existing:
raise HTTPException(status_code=409, detail="Email already registered")
user = user_service.create(db, user_data)
return user
The review added authentication, duplicate checking, proper HTTP status codes, and response modeling.
Configuring AI Tools for Better Output
Most AI coding tools support configuration that improves output quality:
Cursor Rules Example
{
"rules": [
"Always add type hints to function signatures",
"Include docstrings for all public functions",
"Use logging instead of print statements",
"Add retry logic for external API calls"
]
}
Claude Code Project Context
Set up project-specific context to guide AI:
/project
/docs
architecture.md # System design decisions
coding-standards.md # Language-specific patterns
/src
/legacy # Note: Avoid modifying this folder
This prevents AI from generating code that conflicts with existing architecture.
Balancing Speed and Quality
The goal is maintaining velocity while ensuring correctness. Consider these thresholds:
-
Quick prototypes: Generate + syntax check only
-
Production features: Generate + automated tests + manual review
-
Security-critical code: Generate + security scan + senior developer review
-
Legacy modifications: Manual-only to preserve system stability
Review Effort by Code Category
Not all AI-generated code carries equal risk. Calibrating review depth to code category saves time without sacrificing safety.
| Code Category | Review Depth | Key Focus |
|---|---|---|
| Test scaffolding | Light — syntax + logic spot-check | Correct assertions, coverage |
| Data models / schemas | Medium — field types, constraints | Missing validations, nullability |
| API endpoints | Deep — auth, validation, error codes | Security, HTTP semantics |
| Database queries | Deep — SQL injection, N+1, indexes | Performance, correctness |
| Authentication / auth | Expert review required | Token handling, permission escalation |
| Background workers | Medium — retry logic, idempotency | Failure modes, duplicate execution |
Applying this table consistently prevents both over-reviewing trivial code and under-reviewing high-stakes paths.
Common Pitfalls to Avoid
Trusting AI Without Verification
Never deploy AI-generated code directly to production without review. Even experienced developers miss issues; AI can confidently produce incorrect code.
Over-Reviewing Simple Code
Spending 30 minutes reviewing a generated test file wastes time. Apply proportional review effort based on code complexity and impact.
Ignoring AI Limitations
AI struggles with:
-
Domain-specific business logic
-
Security-sensitive operations
-
Performance optimization for specific workloads
-
Understanding your team’s existing patterns
Letting Generated Code Accumulate Without Tests
AI-generated boilerplate is easy to write and easy to forget about. Require that every generated module includes at least a smoke test before it merges. This creates a baseline for future reviewers to understand the expected behavior.
Measuring Success
Track these metrics to evaluate your workflow:
# Track review findings per code source
review_stats = {
"ai_generated": {"total_reviews": 50, "issues_found": 12},
"manual": {"total_reviews": 30, "issues_found": 8}
}
# AI-generated code has higher issue density, justifying review effort
Time-to-Deployment Tracking
Measure the total time from code generation to deployment:
# Track different stages
task_timeline = {
"ai_generation": "2 minutes",
"automated_checks": "30 seconds",
"manual_review": "15 minutes",
"revisions": "5 minutes",
"total": "23 minutes"
}
# Compare against purely manual development
Compare these metrics against purely manual development times to quantify AI’s value. Teams that track this data consistently find that AI generation provides the largest time savings on boilerplate-heavy tasks like CRUD endpoints and test fixture setup, while providing minimal speedup on complex business logic that requires deep domain understanding.
Frequently Asked Questions
Should AI-generated code go through the same PR process as manual code? Yes, without exception. Removing AI-generated code from normal review gates is the fastest way to introduce subtle bugs and security issues into your codebase. The PR process exists to catch mistakes regardless of their origin.
How do you handle IP concerns with AI-generated code? This varies by tool. GitHub Copilot, Cursor, and Claude each have different training data policies and output licensing terms. Review your organization’s approved tool list before adopting any AI assistant for production codebases. Many enterprises restrict AI tools to certain categories of code (tests, tooling) while requiring manual authorship for core business logic.
What is the right ratio of AI generation to manual coding? There is no universal answer. The 30% generation / 70% review guideline in this article is a starting point for teams new to the workflow. As familiarity with AI output patterns grows — and as you accumulate project-specific configuration that improves output quality — the review burden decreases. Measure your own issue density ratio and adjust accordingly.
How do you onboard new team members to an AI-assisted workflow? Start new developers with AI disabled for their first two weeks. Understanding the codebase manually before relying on AI suggestions prevents them from blindly accepting output that conflicts with established patterns. Once they have context, introduce AI tools with paired review sessions where a senior developer explains what they are looking for in generated code.
Can AI generation work well for compiled languages like Go or Rust? Yes, with caveats. The compiler provides a much stronger first-pass filter — AI-generated code that does not compile is immediately obvious. This means more of the review burden shifts toward logic correctness and idiomatic style rather than syntax. Rust’s ownership model is particularly effective at catching AI-generated memory management errors at compile time, making AI generation safer in Rust than in dynamically typed languages where incorrect code can silently pass until runtime.
What tooling helps track AI-generated code over time?
Some teams annotate AI-generated functions with a comment like # generated: claude-2026-03 to identify them in future reviews. This annotation pattern lets you grep for generated code when updating dependencies or auditing for security issues, giving reviewers context about how much scrutiny the code received at authorship time.
Related Articles
- Best Practices for AI Assisted Code Review Response and Revi
- Best Practices for Documenting AI-Generated Code for Future
- AI Code Generation for Java Reactive Programming with Projec
- AI Code Generation for Java Virtual Threads Project Loom Pat
- AI Code Generation for Python FastAPI Endpoints
Built by theluckystrike — More at zovo.one