Vercel reports 58% of PRs in its biggest monorepo merge automatically without human review

Vercel’s engineering team built the auto‑merge pipeline around a risk‑based classification model that runs on the company’s own AI Gateway. The model ingests the full diff, title and description of each pull request and emits a JSON payload that includes verbatim snippets from the change (“evidenceQuotes”), a concise rationale, a list of affected files, and a final “riskLevel” flag (HIGH or LOW) (Vercel, 2026). The schema forces the language model to surface concrete evidence before deciding, which the team says reduces hallucination and makes the decision traceable for auditors. Low‑risk PRs—defined as UI tweaks, CSS updates, documentation edits, refactors, tests and feature‑flag toggles that are disabled—receive the “LOW” label and are handed off to an autonomous merging agent. High‑risk changes that touch authentication, payments, data integrity, security or infrastructure retain the “HIGH” label and are routed to a human reviewer for final sign‑off, as mandated by Vercel’s governance lead Kacee Taylor (Vercel, 2026).

The classifier’s performance was validated against the monorepo’s historical data, which showed that more than half of the 400 weekly pull requests were approved with zero comments and 18 % were rubber‑stamped in under five minutes. By isolating the subset that truly required human judgment, the team eliminated a bottleneck that previously added an average of 29 hours between “ready‑for‑review” and merge. After deploying the auto‑merge agent, the median (P50) and 90th‑percentile (P90) merge times both fell sharply, and the overall average dropped 62 % to 10.9 hours (Vercel, 2026). The reduction is especially notable for time‑sensitive A/B tests and critical design updates, which now reach production in a fraction of the former latency.

Safety safeguards were baked into the workflow to prevent accidental deployment of risky code. The merging agent only acts on PRs that the classifier tags as LOW risk, and every auto‑merged change is logged with the full JSON evidence for post‑mortem analysis. Vercel’s compliance team monitors these logs to ensure that no high‑impact modifications slip through the automated path. The company also runs a continuous feedback loop: misclassifications trigger a retraining cycle for the LLM, and engineers can manually override the agent’s decision, which is then fed back into the risk model as a labeled example (Vercel, 2026). This iterative process mirrors the “human‑in‑the‑loop” paradigm often advocated for production AI systems.

From an architectural perspective, the solution leverages Vercel’s existing AI infrastructure rather than a third‑party service, allowing tight integration with the CI/CD pipeline and preserving data locality. The AI Gateway acts as a thin façade that routes PR metadata to the LLM, receives the structured response, and feeds it into a custom GitHub Action that either auto‑approves and merges or escalates to a reviewer. By keeping the model inference on Vercel‑controlled hardware, the team mitigates latency and compliance concerns associated with external APIs. The approach also demonstrates a practical use case for “agents deploying to production”—the same category of autonomous software Vercel highlighted as risky but feasible when bounded by clear risk criteria (Vercel, 2026).

The experiment underscores a broader shift in large‑scale software development: distinguishing between alignment (the “what” and “why” of a change) and verification (the “does it work?”). Vercel’s data showed that most PRs in a mature codebase require only verification, a task that modern LLMs can perform reliably when supplied with concrete diffs and explicit risk signals. By automating verification for low‑impact changes, the team freed engineers to focus on higher‑level design discussions, reducing cognitive load and accelerating the delivery pipeline. While the auto‑merge rate of 58 % is still below the theoretical maximum—some low‑risk changes remain manually reviewed for cultural or procedural reasons—the results provide a compelling proof point that AI‑driven risk classification can safely scale code integration in production‑grade monorepos.