Cursor, SpaceX, and the End of Human Code Review
A pull request lands. An AI agent wrote it, tested it, and merged it. Nobody on the team opened the diff. Six months ago that sentence described a fringe workflow. Today, according to internal data Cursor shared with Business Insider, it describes a rising share of production code shipping across real engineering teams, and AI code review is disappearing faster than most CTOs have had time to build policy around.
This isn’t a hypothetical. It’s happening at companies running GitHub Copilot, Cursor, and a growing field of autonomous coding agents, and the evidence on whether that’s a problem is genuinely split. Some of it is reassuring. Some of it should worry you. This piece lays out both sides, with the receipts.
The numbers behind the disappearing review
Start with the trend everyone’s arguing about. Martin Monperrus, a professor at KTH Royal Institute of Technology, published a position paper in June arguing that coding agents have crossed a capability threshold where traditional human code review is no longer a necessary step in a software quality pipeline. It’s worth being precise about what that paper is: an argument, not an audit of production systems. But it’s landed at exactly the moment the data starts backing it up.
GitHub’s own telemetry shows Copilot’s agentic code review, which shifted architecture in March 2026 to actually gather repo context instead of just scanning a diff, has now handled more than 60 million reviews, over one in every five reviews on the platform. Seventy-one percent surface actionable feedback. That’s not a novelty feature anymore. That’s infrastructure.
Then there’s the number that should complicate your assumptions. Microsoft’s .NET team ran GitHub’s autonomous coding agent against the dotnet/runtime repository for ten straight months, from May 2025 through March 2026. It opened 878 pull requests. 535 merged. And of those merged PRs, only 0.6% were later reverted, a lower revert rate than the 0.8% baseline for human-written PRs on the exact same repo. If you’re building the case that agent-written code is inherently riskier, that data point makes it harder than it should be.
Meanwhile the workload math isn’t adding up the way vendors promise. A Digital Applied developer survey from April found engineers now spend 11.4 hours a week reviewing AI-generated code, versus 9.8 hours writing new code themselves. Review, not writing, has become the bigger time sink. And per LangChain’s late-2025 survey of 1,340 practitioners, 57.3% of organizations already have agents running in production, up from 51% a year earlier, with quality cited by 32% as the top blocker to scaling further.
The honest read: “Review is disappearing” is true in the sense that the checkpoint is vanishing at the margins for routine changes. It is not true in the sense of a wholesale industry shift to zero oversight. What’s actually happening looks more like review getting redistributed, sometimes to another AI, sometimes to nobody, and rarely with a documented policy behind the decision.
Where it actually breaks
Here’s the part the optimists skip. CodeRabbit analyzed 470 open-source pull requests and found AI co-authored code carries a 2.74 times higher rate of security vulnerabilities than human-written code, along with 1.7 times more issues flagged as major. Veracode’s testing puts it even more bluntly: 45% of AI-generated code samples introduce at least one known OWASP vulnerability class.
Georgia Tech’s Vibe Security Radar initiative has been tracking this in real time, and the trendline is steep. AI-code-caused CVEs went from 6 in January 2026 to 35 by March, nearly a six-fold jump in two months.
Google’s DORA team gave this phenomenon a name in its 2026 report: the “verification tax.” It’s the second-largest measured effect of AI adoption on delivery, right behind the productivity gain at the individual level, and it describes exactly what that Digital Applied survey found: the time saved writing code is getting eaten by the time spent verifying it.
Revert rate and vulnerability rate are measuring two different things, and conflating them is the single most common mistake in coverage of this topic. Code can ship, work, and never get reverted, while still shipping with a security flaw that simply hasn’t been exploited yet. Microsoft’s revert-rate win doesn’t cancel out CodeRabbit’s vulnerability-rate finding. They can both be true at once.
| Data point | Source | What it measures |
|---|---|---|
| 0.6% revert rate (agent PRs) vs. 0.8% (human PRs) | Microsoft .NET team, 10-month study | Does the code hold up in production |
| 2.74x more security vulnerabilities | CodeRabbit, 470 PR analysis | Is the code secure |
| 45% introduce an OWASP vulnerability class | Veracode | Is the code secure |
| 11.4 hrs/week reviewing vs. 9.8 hrs/week writing | Digital Applied developer survey | Net productivity impact |
The $60 billion wrinkle: SpaceX now owns Cursor
Here’s the fact most coverage of this story hasn’t caught up to yet. On June 16, 2026, SpaceX agreed to acquire Anysphere, the company behind Cursor, in an all-stock deal worth $60 billion, the largest acquisition of a venture-backed startup on record. The deal is expected to close in the third quarter of 2026, four days after SpaceX’s own roughly $75 billion IPO.
Cursor is the company at the center of this entire story. It’s the source of the internal data Business Insider used to report that human review is fading. It acquired code-review startup Graphite in December 2025. And its revenue trajectory is wild by any standard: annual recurring revenue grew from around $100 million in early 2025 to roughly $4 billion by June 2026, even as its market share of corporate AI-coding spend slipped from about 41% to 26% over the same window, according to Ramp’s spend data.
Now it’s a subsidiary of a rocket and satellite company. That’s not a footnote. If you’re an engineering leader standardized on Cursor, you now have a governance question that didn’t exist a month ago: does a company built to launch spacecraft have the same incentives around code-review product investment, data handling, and long-term support that a software-native parent would? Ask your vendor rep directly. Get the answer about contractual continuity in writing before your renewal.
What the people building this stuff are saying
The strongest voice on the “this is fine, actually” side is Monperrus himself, who argues the current hybrid model, agents write, humans review, is the weak link.
“The hybrid workflow neither provides meaningful assurance nor scales with AI-assisted throughput.” Martin Monperrus, Professor, KTH Royal Institute of Technology, arXiv:2606.13175
But the sharpest pushback comes from people who build agent tooling for a living, not outside critics. Mario Zechner and Armin Ronacher, the engineers behind the Pi coding harness in the OpenClaw agent system, told the Wall Street Journal in May that the infrastructure underneath this shift is already showing strain.
“You have infrastructure that’s falling apart, and you have software that’s now very, very buggy compared to before. We can play this game for a couple more months, or maybe even years, but eventually it will catch up to us.” Mario Zechner, Engineer, Pi coding harness / OpenClaw, via Wall Street Journal
David Mytton, founder and CEO of developer security firm Arcjet, put it more bluntly in a January LinkedIn post covered by The New Stack, warning of what he called coming “big explosions” as vibe-coded applications hit production at scale.
Even Michael Truell, Anysphere’s CEO and the leader of the company most associated with this trend, draws a line. He distinguishes “vibe coding,” accepting AI output without examining it, which he considers fine for prototypes, from responsible agentic engineering at scale, warning that full disengagement from the code builds a shaky foundation. It’s a useful reminder that this isn’t simply vendors versus skeptics. Even the vendor is on record urging caution.
On the practitioner side, General Motors software development manager Suvarna Rane described Copilot’s code review as freeing her team to focus on more complex work as AI-driven code volume increased, a data point that fits the “augmentation, not replacement” camp inside large enterprises.
What engineering leaders should do this quarter
- Budget for review, not against it. The 11.4-versus-9.8-hour split means AI adoption is not currently a net time saver once verification is counted. Plan headcount and sprint capacity accordingly.
- Separate the model that writes from the model that grades. Cursor’s BugBot defaults to reviewing code with the same model family, Composer 2.5, that generated it, a “grading your own homework” setup CodeRabbit has flagged directly. Use an independent reviewer, human or model, on anything that ships to production.
- Track defect-escape rate separately from revert rate. They measure different failure modes. A low revert rate tells you almost nothing about whether you’re accumulating security debt.
- Get your Cursor contract terms in writing before Q3. The SpaceX acquisition closes soon. Confirm data handling, roadmap commitments, and pricing protection now, not after.
- Distinguish “bad code shipped” from “agent given too much access.” The most severe documented agent-related incident to date, the GTG-1002 espionage campaign, in which hijacked coding agents reportedly executed 80 to 90% of an operation against roughly 30 targets, was an authorization failure, not a code-quality failure. They require different fixes.
Frequently asked questions
Is AI-generated code safe to deploy without review?
Evidence is mixed. Microsoft’s .NET team saw AI-agent pull requests revert less often than human-written ones over a ten-month study, but CodeRabbit found AI co-authored code carries roughly 2.7 times more security vulnerabilities than human-written code. Safety depends on what you’re measuring.
Who owns Cursor now?
SpaceX agreed to acquire Anysphere, the company behind the Cursor AI code editor, for $60 billion in an all-stock deal announced June 16, 2026. The acquisition is expected to close in the third quarter of 2026.
Does GitHub Copilot replace human code review?
No. Copilot’s code review now handles more than one in five reviews on GitHub, but its comments don’t count as a required approval and can’t block a merge alone. It supplements human sign-off rather than replacing it.
What is the DORA verification tax?
It’s Google DORA’s 2026 term for the time developers now spend checking AI-generated code that looks correct but still needs verification, a cost the same report found only partly offset by time saved on writing.
What percentage of code is AI-generated in 2026?
Estimates vary by methodology and company, but multiple 2026 reports put AI-generated code at roughly 25 to 30% of new production code at large tech companies, with some AI-forward teams reporting notably higher shares.
Where this goes next
What you now know that you probably didn’t ten minutes ago: “AI code review is disappearing” is a real, measurable trend at the margins, not a wholesale industry shift, and the evidence for whether that’s dangerous depends entirely on whether you’re measuring revert rates or vulnerability rates. Those are different questions with different answers.
Watch three things over the next six to eighteen months. First, whether DORA’s verification tax keeps climbing as review-light workflows scale, or whether tooling closes that gap. Second, how Cursor’s product roadmap changes under a SpaceX-owned Anysphere, particularly anything touching code-review features. Third, whether more incidents like GTG-1002 surface, which would shift this conversation from a code-quality debate to an access-control one almost overnight.
Our read: the teams that come out ahead here won’t be the ones that eliminate review fastest. They’ll be the ones that figure out, deliberately, which 20% of changes still need a human’s eyes, and build that into their pipeline instead of discovering it after an incident.
Want the next development in this story before your competitors do?
