AI-Assisted Testing and Code Review
By NTh Hai - 7 min read
Writing features is only half of engineering. The other half is proving they work and catching mistakes before users do. AI is surprisingly good at suggesting tests and review comments — and dangerously good at sounding thorough when it is not.
This post covers concepts for integrating AI into testing and review without diluting accountability.
Why Testing Is a Natural Fit for AI
Tests encode behavior as examples. That is a language models understand well: given a function and a description, propose inputs, edge cases, and assertions.
Useful asks:
- Generate unit tests for a pure function from its type signature and docstring
- Propose property-based cases for parsers and serializers
- Suggest regression tests from a bug report
- Draft integration test outlines for an API contract
What AI does not replace: knowing which behaviors matter for the business, and maintaining a suite that stays fast and trustworthy.
A Healthy Test-Generation Workflow
- Write or refine the behavior in plain language (acceptance criteria).
- Ask for a test plan — cases, not code.
- Cull the plan — remove duplicates and fantasy edge cases that cannot happen in your domain.
- Generate tests for the survivors.
- Run them against real code and fix either the code or the tests deliberately.
- Keep only tests that fail for the right reason when you introduce a deliberate bug.
Step 6 is the quality filter. If a generated test never fails when the feature is broken, it is decoration.
Code Review With an AI Pass
Think of AI review as a first pass, similar to a linter that speaks in paragraphs.
Good review prompts focus on:
- Security (injection, authz gaps, secret handling)
- Concurrency and race conditions
- API compatibility and migration risk
- Missing tests for new branches
- Clarity: naming, dead code, surprising side effects
Bad review prompts ask “is this good?” without criteria. You get generic praise or generic nitpicks.
Keep humans on the merge button
AI should not be the approver of record. Use it to surface questions a human might miss on a tired Thursday. The reviewer still owns the merge decision and the culture of the codebase.
Concepts That Improve Both Testing and Review
Oracles matter
An oracle is how you know the answer is correct. AI can invent expected values that match its own wrong implementation. Prefer oracles from:
- Existing fixtures and golden files
- Mathematical invariants
- Cross-checks against a simpler reference implementation
- Production samples scrubbed of PII
Characterization before rewrite
When refactoring legacy code, ask AI to generate characterization tests that lock current behavior — even ugly behavior — before changing internals. That is one of the highest-leverage uses of AI in brownfield projects.
Diff-scoped context
Feed the pull request diff plus the surrounding modules, not the whole monorepo. Focused context yields focused findings.
Anti-Patterns to Avoid
Test theater. Hundreds of generated tests with weak assertions (toBeDefined() everywhere). Prefer fewer sharp tests.
Rubber-stamp AI comments. Pasting model output into review without verifying wastes authors’ time and erodes trust.
Skipping flaky investigation. If AI suggests “just retry,” dig into determinism instead.
Security by vibes. AI might miss domain-specific threats. Keep threat models and checklists human-owned.
Measuring Impact
Track simple signals:
- Escape rate of bugs that tests should have caught
- Review turnaround time vs. defect rate after merge
- Percentage of AI-suggested tests that still exist three months later
If suggestions are routinely deleted, improve prompts and criteria rather than generating more volume.
Closing Thought
AI accelerates the drafting of tests and review notes. Quality still comes from oracles, criteria, and human judgment. Integrate AI as a tireless first draft, then apply the same skepticism you would to any junior’s PR — and your project’s safety net gets thicker without becoming fake.