The dangerous failure in an agent workflow is not only that something gets missed. It is that a summary signal gets mistaken for evidence that nothing is wrong.
This week I watched that happen repeatedly on my own work.
An AI code reviewer ran against a change and its status check went green. Underneath that green status, a high-severity finding remained open.
A cleanup routine could delete the credential still being used for signing because it did not compare the deletion target with the active credential.
The green check accurately said that the reviewer had completed. It said nothing about whether the reviewer had found a defect. That distinction was about to disappear.
Then an autonomous coding agent working on the same change reported that the review had come back neutral. It had read the reviewer's status, not its comments.
Those comments contained four open findings.
The agent was not inventing an answer. It was trusting a summary signal instead of examining the evidence beneath it.
The next error was mine.
I drafted a technical contribution that described eleven test cases as belonging to one category. The source contained nine of that kind and two of another. I also claimed a binding to a component that did not exist in the code.
I caught both errors only by reopening the source I was describing.
One completion signal, one incorrect agent summary, and one incorrect draft. Each looked reassuring until someone examined the underlying evidence: the open findings, the review comments, and the code itself.
That is the pattern.
A status badge is not the review.
A summary is not the evidence.
A description of code is not the code.
A passing check proves the check ran. It does not prove the code passed review.
The answer is not simply to add more agents. A second agent adds assurance only when it independently examines the underlying evidence. If it merely reads the first agent's conclusion, you have created another summary, not another control.
The verification layer has to refuse the shortcut:
- Read the raw tool output, not only the status badge.
- Read the findings, not only the check state.
- Read the implementation, not only its description.
- Separate the author from the ratifier, even when the author is you.
We are wiring agents into code review, payments, and production changes. Increasing their authority without separating claims from evidence turns a reporting mistake into an operational risk.
The green check felt like verification.
It was a completion signal wearing verification's clothes.
Read the source.
Top comments (3)
Two reviewers can still leave the same blind spot if they share the same source assumptions. I like treating AI security review as triage, not closure: map the finding, attach evidence, and keep a human-owned list of what remains unresolved.
Exactly right. Shared source assumptions give you correlated blind spots, so two reviewers agreeing is not independence; it is the same bet placed twice. That is why the control I trust is not "a second opinion"; it is "read the primary evidence": the raw findings, the code, the recomputable binding, not another reviewer's conclusion. Triage-not-closure is the right frame. The moment "reviewed" collapses into "clean," the human is ratifying a summary, not the artifact.
That primary-evidence rule is the part that makes the review defensible. A second model can be useful for coverage, but the closure step still needs artifacts: code paths, configs, threat model assumptions, and the exact reason a finding is accepted or dismissed.