
Why AI Code Reviewers Keep Getting It Wrong - and How to Fix Them


A senior engineer spent 20 minutes disproving an AI-generated code review comment that turned out to be completely fabricated. The AI had flagged an issue with plausible reasoning, but it missed a guard clause sitting in a separate file it never looked at. The review sounded right. It was not.

This is the core problem Alexandre Castro, a platform architect at a Chicago fintech with 15 years of experience, describes in current AI code review tools. They are not failing because of bad prompts. They are failing because they do not have enough context, and instead of admitting ignorance, they confabulate - generating confident, detailed explanations of bugs that do not exist.

The "Confidently Wrong" Pattern

Castro's team built an internal code review bot called Archbot and ran into this pattern repeatedly. The system would flag issues with sophisticated reasoning that looked convincing to experienced developers. But it was working from a fixed slice of code, pre-selected by a pipeline, with no ability to go check whether its assumptions held up.

The fundamental design flaw: traditional AI code review tools get handed a diff (the changed lines of code) and maybe some surrounding context, and are then asked to find problems. That is like asking a building inspector to evaluate structural integrity by looking at one wall through a window.

Letting the Model Investigate

The fix Castro describes is making the review process agentic - giving the AI model tools to actively investigate the codebase instead of passively analyzing whatever context it was handed. In practice, this means three tools:

  • get_file_content - lets the model pull up any file it wants to check
  • search_code - lets the model find where functions and variables are actually used
  • submit_code_review - a structured endpoint that forces the model to submit findings with citations (file path and line number) rather than open-ended commentary

The key constraint: all high-severity findings must include citations. No file reference, no flag. This single rule eliminates most hallucinated bugs because the model has to prove its work.
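As an added illustration (not Archbot's code, and nothing Castro describes beyond the three tool names), here is a small Python gatekeeper for the submit_code_review step: it refuses high-severity findings that lack a citation and rejects citations that do not resolve to a real file and line. The in-memory repository, the finding format and the sample findings are constructed for the example.

```python
"""Added example, not Archbot's code: enforce the 'no citation, no flag'
rule on structured review findings. The tool names mirror the article;
the repository layout, finding format and sample data are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory repository standing in for a real checkout.
REPO = {
    "app/handlers.py": [
        "def withdraw(account, amount):",
        "    check_balance(account, amount)",
        "    account.balance -= amount",
    ],
    "app/guards.py": [
        "def check_balance(account, amount):",
        "    if amount > account.balance:",
        "        raise ValueError('insufficient funds')",
    ],
}

def get_file_content(path: str) -> Optional[list[str]]:
    """Tool 1: let the model pull up any file (None if it does not exist)."""
    return REPO.get(path)

def search_code(symbol: str) -> list[tuple[str, int]]:
    """Tool 2: return (path, line_no) for every line mentioning symbol."""
    return [(p, i) for p, lines in REPO.items()
            for i, line in enumerate(lines, 1) if symbol in line]

@dataclass
class Finding:
    severity: str              # "high" | "medium" | "low"
    message: str
    path: Optional[str] = None  # citation: file path
    line: Optional[int] = None  # citation: 1-based line number

def validate_review(findings: list[Finding]) -> dict[str, list]:
    """Tool 3 gatekeeper: a high-severity finding without a citation is
    dropped, and any citation must resolve to an existing file and line."""
    result: dict[str, list] = {"accepted": [], "rejected": []}
    for f in findings:
        if f.severity == "high" and (f.path is None or f.line is None):
            result["rejected"].append((f, "high severity without citation"))
            continue
        if f.path is not None:
            lines = get_file_content(f.path)
            if lines is None or not 1 <= (f.line or 0) <= len(lines):
                result["rejected"].append((f, "citation does not resolve"))
                continue
        result["accepted"].append(f)
    return result
```

Running search_code("check_balance") is what would have let the model find the guard clause in the other file before flagging the caller.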

Castro also found that feeding too much context up front actually made things worse. The model would pick up irrelevant patterns and generate false connections. Better to start with the diff alone and let the model decide what additional context it needs.

This approach lines up with a broader shift in how AI developer tools are being built. Tools like Cursor, Claude Code, and Cody already use agentic patterns for code generation - letting models search, read files, and run commands. Applying the same architecture to code review is a logical next step, and the early results from Castro's team suggest it produces reviews that senior engineers actually trust instead of reflexively dismissing.