We were closing a security hole. It let you run a root level shell through Discord, which is too dangerous to leave open. The fix looked straightforward: restrict that worker's permissions down to read only, no running commands, no editing files. We wrote it, read it back once, and it looked fine.

But when we handed the same code to a second model to review, it caught in seconds that in the permission list we'd just written, the shell command showed up on both the "allow" side and the "deny" side at once. The hole we thought was sealed was actually still half open, because two config lines contradicted each other. Deleting the conflicting line was the fix, and only then was the hole really closed.

The scary part is we wrote that fix ourselves, read it back, and still didn't see it. Our head had already decided "this is the code that closes the hole," so our eyes slid right past the line that contradicted it. What caught it wasn't us getting more careful. It was a second model that didn't carry that assumption.

Why authors can't review their own work

When AI writes code for you, it doesn't just type it out. It holds a reason for every line, why it wrote it that way. Ask it to go back and read its own work, and that same set of reasons is still there, so it reads right past the wrong parts. From its point of view, every line already has an explanation.