AI-generated code should be reviewed as untrusted implementation until it passes the same architecture, security, correctness and test standards as human-written code.
Verify scope before code quality
The first question is whether the generated change solves the right problem and stays inside the requested boundary. A clean implementation can still be wrong if it edits the wrong layer.
Reviewers should compare the diff to the acceptance criteria, existing conventions and data ownership boundaries.
A generated patch that drifts from scope should be rejected before style review.
Review hidden risk deliberately
Generated code can introduce subtle security, caching, data-fetching or dependency problems. Reviewers should inspect inputs, outputs, authorization, error handling and lifecycle effects.
Tests should cover the behavior that could regress, not merely the line that changed.
Assume plausible-looking code may be wrong until the runtime behavior is verified.
Use tests as trust gates
A generated implementation should earn trust through focused tests, type checks and, when relevant, browser or integration verification.
The review is not complete until the team knows what was checked and what remains unproven.
Report verification honestly, including any checks that could not be run.
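As an added example (not code from the original article), the following Python sketch shows both the hidden-risk review and the test-as-trust-gate idea above: a generated handler that reads as correct but silently skips authorization and swallows errors, its reviewed form, a focused regression test for the behavior (not the changed line), and a check runner that reports what passed, what failed and what could not be run. Every name here (Item, update_item_generated, update_item_reviewed, run_review_checks) is hypothetical, and the in-memory store stands in for a real database.

```python
"""Added example, not from the original article. All names are
hypothetical and the store below is constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Item:
    item_id: int
    owner: str
    title: str


def sample_store() -> Dict[int, Item]:
    # Constructed sample data; a real system would query a database.
    return {1: Item(1, "alice", "draft"), 2: Item(2, "bob", "notes")}


def update_item_generated(store, actor, item_id, new_title):
    """Plausible-looking generated code: finds the item, updates it, never
    crashes. Hidden risks: no ownership check at all, and the bare except
    turns every failure (missing item, bad input) into a silent None."""
    try:
        item = store[item_id]
        item.title = new_title
        return item
    except Exception:
        return None


def update_item_reviewed(store, actor, item_id, new_title):
    """Reviewed form: inputs validated, authorization explicit, failures
    visible to the caller instead of swallowed."""
    if not isinstance(new_title, str) or not new_title.strip():
        raise ValueError("title must be a non-empty string")
    item = store.get(item_id)
    if item is None:
        raise KeyError(f"no item {item_id}")
    if item.owner != actor:
        # This is the behavior that could regress: non-owners are refused.
        raise PermissionError(f"{actor} does not own item {item_id}")
    item.title = new_title
    return item


def non_owner_cannot_update(update: Callable) -> bool:
    """Focused regression test for the behavior, not the changed line.
    True only if a non-owner's update is refused AND the data is untouched."""
    store = sample_store()
    try:
        update(store, "carol", 1, "changed")
    except PermissionError:
        return store[1].title == "draft"
    return False


def run_review_checks(checks: Dict[str, Callable[[], bool]]) -> Dict[str, List[str]]:
    """Trust gate: run each named check and report passed, failed and
    not-run separately, so the team knows what remains unproven."""
    report: Dict[str, List[str]] = {"passed": [], "failed": [], "not_run": []}
    for name, check in checks.items():
        try:
            result = check()
        except NotImplementedError:
            # Honest reporting: a check that could not run is not a pass.
            report["not_run"].append(name)
            continue
        report["passed" if result else "failed"].append(name)
    return report


def review_generated_patch() -> Dict[str, List[str]]:
    """Runs the gates against the generated implementation."""
    def browser_flow():
        raise NotImplementedError("no browser available in this environment")

    return run_review_checks({
        "non_owner_refused": lambda: non_owner_cannot_update(update_item_generated),
        "owner_can_update": lambda: update_item_generated(
            sample_store(), "alice", 1, "v2").title == "v2",
        "browser_flow": browser_flow,
    })


if __name__ == "__main__":
    print(review_generated_patch())
    print(run_review_checks(
        {"non_owner_refused": lambda: non_owner_cannot_update(update_item_reviewed)}))
```

Running it shows the point of the article in one report: the generated patch passes the happy-path check, fails the authorization regression test, and leaves the browser check listed as not run rather than quietly omitted; the reviewed implementation passes the same regression test.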