Your code review process wasn't built for this. When Faros analyzed development metrics across their customer base, they found code churn up 861%, incidents per PR up 243%, and time in review up 441%. The result? 31% more PRs are being merged without any review at all.
The old model of line-by-line scrutiny can't scale when your developers are shipping 10 times the volume with AI assistance. But abandoning review entirely creates compliance gaps and knowledge silos. You need a new approach that separates what humans must verify from what machines can enforce.
This guide walks you through building a two-track review system: intent verification for alignment and automated standards enforcement for consistency.
What You Need Before Starting
Tooling:
- Git platform with API access (GitHub, GitLab, or Bitbucket)
- CI/CD pipeline with custom check capability
- Static analysis tools you already use (ESLint, Pylint, Semgrep, etc.)
- Issue tracking system for pattern documentation
Team agreement on:
- Which changes require intent review (new features, architecture shifts, security-sensitive code)
- Which changes can skip human review (dependency updates, formatting, generated boilerplate)
- Who owns the standards register
Access:
- Write access to repository settings
- Permission to create required status checks
- Ability to modify CI/CD configuration
Step-by-Step Implementation
Track 1: Intent Verification (Human)
Step 1: Define intent capture points
Add a required PR template section:
## Intent
What problem does this solve?
What alternatives did you consider?
What could break?
These questions force the author to articulate reasoning before review starts. Configure your Git platform to require the template.
Step 2: Create intent-focused review guidelines
Document what reviewers should verify:
- Does the approach match the stated intent?
- Are there security implications the author missed?
- Will this create maintenance burden?
- Does it align with architecture decisions?
What reviewers should ignore:
- Formatting issues
- Style preferences
- Patterns your linters already catch
Step 3: Set review triggers
Configure automatic review assignment based on file paths or labels. Example GitHub CODEOWNERS:
/src/auth/** @security-team
/infrastructure/** @platform-team
*.sql @data-team
For AI-generated changes to existing code, require review only when the diff touches security-sensitive functions or crosses service boundaries.
Track 2: Automated Standards (Machine)
Step 4: Build your standards register
Create a markdown file in your repo's root: STANDARDS_REGISTER.md
Start with patterns you're already commenting on in reviews:
# Standards Register
## Error Handling
- NEVER: Catch exceptions without logging
- CHECK: `except.*:\s*pass` regex in Python files
- TOOL: Custom pre-commit hook
- ADDED: 2024-01-15
## SQL Injection Prevention
- NEVER: String concatenation in SQL queries
- CHECK: Semgrep rule `python.lang.security.audit.sql-injection`
- TOOL: Semgrep in CI
- ADDED: 2024-01-15
Each entry needs four fields: the standard, how to detect violations, what enforces it, and when you added it.
Step 5: Implement automated checks
For each standard, add enforcement:
# .github/workflows/standards.yml
name: Standards Check
on: [pull_request]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Semgrep
run: |
pip install semgrep
semgrep --config=auto --error
- name: Check custom patterns
run: |
python scripts/check_standards.py
Step 6: Convert review comments to rules
When you find yourself writing the same review comment twice, stop and ask: "Can I detect this automatically?"
If yes, add it to the register and implement the check. If no, document why in the register so future reviewers understand the judgment required.
Example conversion:
# scripts/check_standards.py
import re
import sys
from pathlib import Path
def check_error_handling():
violations = []
for py_file in Path('src').rglob('*.py'):
content = py_file.read_text()
if re.search(r'except.*:\s*pass', content):
violations.append(f"{py_file}: Empty exception handler")
return violations
if __name__ == '__main__':
issues = check_error_handling()
if issues:
print('\n'.join(issues))
sys.exit(1)
Step 7: Make standards checks required
In your Git platform, mark the automated checks as required status checks. PRs can't merge until they pass. This removes the burden from human reviewers to catch these issues.
Validation: How to Verify It Works
Week 1 metrics:
- Count PRs that skip human review (should increase for low-risk changes)
- Measure time from PR open to merge (should decrease)
- Track how many review comments are about standards vs. intent (ratio should shift toward intent)
Month 1 validation:
- Review your standards register, are you still writing comments about these patterns?
- Check if incidents per PR are stabilizing or declining
- Survey your team: do reviewers feel they're focusing on meaningful questions?
Red flags:
- Standards checks are being overridden frequently (your rules are too strict or unclear)
- Review time hasn't decreased (you haven't automated enough patterns)
- PRs are merging with architectural misalignment (intent verification isn't working)
Maintenance and Ongoing Tasks
Weekly:
- Review PRs that required override of automated checks
- Add new patterns to the register when you write the same review comment twice
Monthly:
- Audit the standards register for rules that never trigger (remove them)
- Review false positives from automated checks (refine the rules)
- Update your PR template based on recurring intent gaps
Quarterly:
- Measure the ratio of intent reviews to standards violations
- Assess whether your review assignment rules are routing changes to the right people
- Survey developers: are the automated checks helping or hindering?
When you hire:
- New team members should read the standards register before their first PR
- Have them shadow intent reviews for a week before they start reviewing
This system scales with AI-generated code because it separates what requires human judgment (intent, architecture, security implications) from what machines can verify (formatting, patterns, standards). Your reviewers focus on the questions only humans can answer, and your pipeline catches everything else automatically.



