An emergent, innovative development technique known as vibe coding has recently dominated the technology space. Vibe coding refers to the practice of developing software applications through the use of natural language instructions with the assistance of generative artificial intelligence (gen AI) systems and agentic AI.1 When vibe coding, an individual might use natural language prompting techniques, such as asking the AI to “build a login screen with password reset functionality,” or “generate a REST API with token-based authentication,” to build an application from the ground up, or copy existing developments that others have built in record-breaking time.2 For instance, AI engineer Kehan Zhang successfully used Claude code with the use of the Cursor coding interface to replicate a real application, specifically Lovable.3 This demonstrates that an AI agent could rebuild a fully functional product with minimal manual intervention. This not only demonstrates the efficiency of vibe coding; but this practice also raises concerns about intellectual property rights, ownership, and the ease with which existing software can be cloned and redistributed without consent. In some cases, vibe coding incorporates voice driven interactions using speech-to-text engines such as SuperWhisper4 and in many cases, minimal manual review of code is performed.5 This combination of powerful language models and minimal manual reviews enables non-technical users to generate functional prototypes rapidly, skipping traditional development rigor.
To clarify, coding agents are AI tools that can autonomously perform multistep development tasks such as debugging, testing, and deploying. Vibe coding, on the other hand, is broader in scope. It includes any AI-assisted development workflow that is initiated through human prompting, usually through a creative or exploratory “vibe-driven” manner. Both of these approaches of using AI tools exemplifies a growing trend where software development is moving away from traditional programming in favor of development using natural language guidance. While using AI tools for programming promises speed and more accessibility, particularly for non-traditional software development experts, it also introduces risk. As an example, in July 2025, the AI-enabled coding platform, Replit,6 experienced a catastrophic failure when its autonomous coding agent went rogue during a critical “code and action freeze”. This freeze is a safeguard designed to prevent any changes to a live production environment.7 Even though attempts were made to prevent the AI agent from taking drastic actions, it still proceeded to delete an entire database, erasing critical documents. This incident exacerbates the dangers of relying on the use of AI code generation without stringent human oversight and reinforces the importance of defining clear boundaries for agent behavior in production workflows.8
Understanding what vibe coding is at a high level and its impact, along with why it is gaining traction and the challenges it will create, will help professionals prepare for its potential use and mitigate its effects.
Benefit and Appeal
Vibe coding is a newer and innovative approach to software development that is undeniably captivating, appealing especially to startups, individual creators, and larger enterprises eager to innovate quickly. Vibe coding’s accessibility creates a lower barrier of entry for non-developers to speed up development of applications with minimal experience, encouraging creativity and experimentation without traditional technical constraints. A notable example of an application being built with the use of vibe coding techniques is Dog-e-dex, an application built by Cynthia Chen.9 Using vibe coding, Chen was able to build the application in just 2 months.10
However, as exciting as the use of automation for tasks may be, there is a multitude of risk that comes along with vibe coding development techniques that turn out to be quite the recipe for disaster.
The Emergence of Black Box Apps
One of the most immediate and concerning consequences of vibe coding is the proliferation of black box applications on popular app stores and social media platforms.11 Vibe coded applications are built using techniques where prompting is done iteratively using natural language and all changes are set to “always accept,” usually without formal review of the adjustments. In addition to this, AI-generated code is often created without proper documentation that includes comments from developers, transparency on how it was built, and thorough security reviews after creation, offering little to no insight into its functionality.
While app stores, such as Apple’s and Google’s, have sophisticated app review processes that are usually quite thorough, they are not foolproof. It is still possible for applications that have been built with older vulnerabilities unknowingly baked into the code, or even apps built by those with malicious intent, to slip through the cracks and be granted access onto app stores.12 In many cases, the goal of releasing a malicious app is to steal user data, inject spyware or adware, exploit device permissions, or trick users into downloading seemingly benign tools that serve hidden, harmful purposes.
Beyond the traditional app store marketplaces, vibe coding developers and influencers increasingly promote applications they have created on various social media platforms such as YouTube, TikTok, and X. Their goal is not only to generate buzz or engagement to their social media channels, but to drive traffic to the applications themselves. These creators often boast their apps as side projects or AI experiments to gain views, attract users, collect feedback, and to ultimately go viral using the AI algorithm built into social media sites. All of this is usually conducted without fully disclosing the risk or rigor behind the development process. This amplification of under-reviewed apps through viral marketing channels only heightens risk exposure, especially as these apps reach non-technical audiences at scale.
Key Risk and Concerns
Once black box apps make it onto app stores or are promoted on social media platforms, they introduce a range of risk that security assurance professionals must keep an eye on.
Moreover, when it comes to vibe coding, security, privacy, and governance risk converge in critical ways. Code generated through the use of AI can introduce hidden vulnerabilities, such as insecure authentication, hardcoded secrets, and unpatched dependencies. Without thorough review, malicious code can become embedded, and supply chain risk emerges as a factor. This is because AI tools can incorporate outdated or compromised third-party libraries as developers are often iterating without reviewing changes while building apps.
In terms of privacy, there are a slew of concerns about data governance, such as vibe coded apps collecting or sharing personal data without proper consent. For example, vibe coded applications may not be properly prompted to implement consent mechanisms, or they may neglect to define data minimization policies, or store user data without encryption or clear retention limits. If the developers of these apps do not have a background in the security or privacy profession, or are not at least conscious of security and privacy best practices, then these oversights can lead to significant regulatory violations and erode user trust.
On the governance front, the limited traceability of natural language prompts, poor documentation, and insufficient quality assurance create challenges. When the decisions behind code generation lack transparency, it becomes difficult to assess an application’s integrity. As a result, organizations could struggle to meet compliance standards, manage risk, or respond effectively to security incidents that stem from AI-generated code.
Practical Steps for Assurance Professionals
As automation and AI begin to redefine the way applications are built, there is no better time to start addressing emerging risk than now. Vibe coding inevitably comes with risk, but with the right safeguards in place, there are practical steps available to support innovation without compromising trust, security, or compliance. Some of the actions that professionals should consider include:
- Integrate AI code reviews—All AI generated code, whether authored by a developer or prompted by a non-traditional developer, must undergo manual security review.
- Ensure privacy by design principles are applied—Applications should be reviewed to ensure that privacy best practices are followed.
- Maintain prompt traceability—Documentation of the AI prompts used should be encouraged. This will improve accountability and help with future auditing.
- Track components and dependencies—Require documentation of packages, libraries, and API’s that are used in the generation of AI apps.
- Establish boundaries for AI agents—Limit how autonomous tools can take action, especially in production environments and ensure manual security review.
These actions will help establish a foundation to oversee autonomous agents and provide governance as these new development techniques become more popular. They also address the challenges vibe coded applications create such as lack of documentation, limited traceability, security vulnerabilities, and the misuse of AI in production environments.
Conclusion
Vibe coding represents a groundbreaking shift in how software development is taking place and how applications are built, offering unmatched speed, creativity, and accessibility. Yet these advantages bring a complex web of security, privacy, and governance risk that cannot be underestimated. As organizations experiment with and increasingly adopt these new approaches, establishing robust governance frameworks, enforcing rigorous validation practices, and fostering a culture of transparency and accountability are essential.
Endnotes
1 Google, “What is Vibe Coding”
2 Kehanzhang, “Lovable Clone,” GitHub
3 Riley Brown, “We Made Claude Code Build Lovable in 75 Minutes,” YouTube, 8 July 2025; Cursor, “The AI Code Editor”; Lovable
4 Superwhisper
5 Karpathy, A.; “There's a new kind of coding I call "vibe coding", where you fully give in to the vibes, embrace exponentials, and forget that the code even exists. It's possible because the LLMs (e.g. Cursor Composer w Sonnet) are getting too good. Also I just talk to Composer with SuperWhisper so I barely even touch the keyboard. I ask for the dumbest things like "decrease the padding on the sidebar by half" because I'm too lazy to find it. I "Accept All" always, I don't read the diffs anymore. When I get error messages I just copy paste them in with no comment, usually that fixes it. The code grows beyond my usual comprehension, I'd have to really read through it for a while. Sometimes the LLMs can't fix a bug so I just work around it or ask for random changes until it goes away. It's not too bad for throwaway weekend projects, but still quite amusing. I'm building a project or webapp, but it's not really coding - I just see stuff, say stuff, run stuff, and copy paste stuff, and it mostly works,” X.com, 2 February 2025
6 Replit
7 Nolan, B.; An AI-Powered Coding Tool Wiped Out a Software Company’s Database, Then Apologized for a ‘Catastrophic Failure On My Part’,” Fortune, 23 July 2025
8 Nolan, “An AI-Powered Coding”
9 Ming, L.C.; “A Block Product Designer Spent 2 Months Vibe Coding a Dog ID App. Her Top Tip: Sometimes AI Needs to be 'Babied.',” Business Insider, 26 May 2025
10 Ming, “A Block Product Designer Spent”
11 Dakinedi, A.; “[Pt. 1/2] Vibe Coding My Way to the App Store,” Medium, 26 May 2025; Dakinedi, A.; “[Pt. 2/2] Vibe Coding My Way to the App Store,” 27 May 2025
12 Noble, W.; “Top 5 Problems With Vibe Coding,” 30 June 2025
Collin Beder, CSX-P, CET, Security+
Is a lab developer at ISACA®. In this role, he focuses on the development of ISACA’s emerging technology-related resources, including books, white papers, and review manuals, as well as performance-based exam development. Beder authored the book Artificial Intelligence: A Primer on Machine Learning, Deep Learning and Neural Networks, and develops hands-on lab items.