The moment a change lands on main, every other team in the organization starts building on the assumption that it works. They branch from it, deploy on top of it, and debug their own failures, believing that what came before them was sound. A merge is a contract. The moment a change lands on main, every other team in the organization starts building on the assumption that it works.
Most engineering organizations have never written that contract down. They have a pipeline that runs checks, and whatever the checks cover is what the merge promises. Ask what a green checkmark on a PR actually guarantees, and you rarely get a precise answer.
Now add AI coding agents to that equation. Agents that write code faster than humans can review it. Agents that hallucinate dependencies. Agents that can be fooled by images hidden in pull requests. The contract doesn't just break. It dissolves.
The industry is treating this as a tooling problem. Better linters. Faster CI. More comprehensive test coverage. Visual context for code review. But the real problem is organizational and contractual. We have not redefined what a merge actually guarantees when the code was written by an agent, reviewed by a human who trusts the agent, and deployed by a system that assumes the human did their job.
The merge contract is broken
85% of developers say code review is now the new bottleneck. That statistic is being read as a call for better tooling. Faster review. More automation. But it's actually a symptom of a deeper failure: the merge contract no longer holds.
When humans wrote code, the contract was implicit but functional. A developer wrote code. Another developer reviewed it. Both understood the stakes. Both knew that a merge meant the code was sound enough to build on. The contract was weak, but it existed.
When agents write code, the contract collapses. The agent doesn't understand the stakes. The reviewer doesn't understand what the agent understood when it wrote the code. The downstream team doesn't know whether the merge represents agent-generated code, human-reviewed code, or some hybrid that nobody fully understands.
The bottleneck isn't review speed. The bottleneck is that we have no clear definition of what a merge means anymore.
AI hallucinations are now supply chain attacks
Slopsquatting is a new supply chain threat made possible by AI hallucinations. Developers rely on AI coding assistants. The assistants hallucinate dependencies. The hallucinated dependencies get merged. The hallucinated dependencies get deployed. The hallucinated dependencies become attack vectors.
This isn't a code quality problem. This is a trust problem. The moment you merge code written by an agent that can hallucinate, you've introduced a supply chain vulnerability that your testing pipeline may never catch. A hallucinated import that doesn't exist yet. A hallucinated package that looks real but isn't. A hallucinated API that the agent confidently calls.
The fix isn't better linting. The fix is redefining what a merge guarantees. And right now, it guarantees nothing.
Code review was never the bottleneck
The narrative around AI acceleration says code review is slowing us down. Developers are writing code faster than humans can review it. So we need faster review. Better tooling. More automation.
This is backwards. Code review was never the bottleneck. Code review was the contract enforcement mechanism. It was the moment where someone said: I have read this code. I understand what it does. I am willing to stake my reputation on the fact that it is safe to merge.
When agents write code, that moment disappears. The reviewer doesn't understand what the agent understood. The agent doesn't understand what the reviewer is checking for. The contract breaks.
The bottleneck isn't review speed. The bottleneck is that we have no clear definition of what a merge means anymore.
Visual context doesn't solve trust
AI screen recorders allow developers to show Claude visual context instead of lengthy text. This is being positioned as a productivity win. Show the agent a screenshot. Let it understand the problem visually. Get faster, better code.
But visual context doesn't solve the trust problem. It makes it worse. Now the agent has more information. Now it's more confident. Now it's more likely to hallucinate with conviction. Now it's more likely to merge code that looks right but isn't.
Visual context is a productivity tool. It's not a safety tool. And we're treating it like it is.
When agents review agents
The logical endpoint of this trajectory is agents reviewing agents. An AI coding agent writes code. Another AI agent reviews it. Both are confident. Both are fast. Both are wrong in ways that humans can't detect until the code is in production.
Researchers have demonstrated attacks that hide malicious instructions in images that AI code reviewers never open. The attack is elegant: a pull request with a PNG that contains a prompt injection. The human reviewer doesn't open the image. The AI agent does. The agent reads the hidden instruction. The agent steals the secrets.
This isn't a hypothetical. This is happening now. And it's happening because we've built a system where agents can review code without understanding what they're reviewing.
The Zig-to-Rust moment: speed without consensus
Bun was completely rewritten in Rust in 11 days, sparking public outrage from the creator of Zig. This is the vibe coding moment made real. An agent (or a team moving at agent speed) rewrote millions of lines of code. The code is probably fine. The performance is probably better. But the community didn't consent. The creator didn't consent. The contract was broken.
This is what happens when speed outpaces consensus. When agents move faster than organizations can govern them. When the merge contract no longer means anything.
The fix isn't better agents. The fix is better contracts. Better definitions of what a merge actually guarantees. Better organizational structures that can keep pace with agent velocity.
Until we do that, we're building on sand. Agents write code faster than teams can govern it. And that's not a feature. That's a liability.
The industry is moving fast. But it's moving faster than it can think. And that's a problem that no amount of tooling can solve.




