Vibe Coding & Software Risk

Think Before You Vibe: Don't Vibe Drunk

This is the danger of vibe coding β€” not that an inexperienced person can create something, but that a person can create something without understanding what has been created and then release it into the world as a finished product. The danger runs deeper than any single overconfident founder: it is reshaping how an entire profession learns, remembers, and pays for its own knowledge.

July 2026β—†16 min readβ—†AI Security
Think Before You Vibe: Don't Vibe Drunk
Listen to this article

Don't Vibe Drunk, the podcast

A 16-minute audio walkthrough of the vanishing junior pipeline, senior developers forgetting how to code, and the trillion-dollar bill for technical debt nobody budgeted for.

Streaming audioβ—†Loading...
Loading...
0:00--:--
1 Β· The Vibe Coder

β€œI'm not sure. It's on Vercel.”

At a recent gathering of technology professionals, I met a man who introduced himself as a technology β€œinfluencer” and β€œkeynote speaker.” He proudly explained that he had already β€œcoded” three applications. I asked him a simple question: β€œWhat stack are you using?”

Vercel, of course, is a deployment and hosting platform. It is not an answer to the question. He did not know which framework his applications used, which libraries they depended on, how authentication worked, where user data was stored, whether that data was encrypted, or whether secrets and sensitive credentials might be exposed. He could not explain who had access to the database or what would happen if an unauthorized user modified a request before sending it to the server. Yet there he stood, presenting himself as a technology entrepreneur and selling what appeared to be vibed snake oil. More troublingly, people were taking him seriously.

Four numbers worth sitting with before the rest of this piece:

17%

Lower coding-comprehension scores when developers delegate tasks to AI instead of using it conversationally.

Anthropic RCT, 2026
21–40%

Share of the typical enterprise IT budget now spent servicing technical debt rather than building new features.

Deloitte 2026 Global Technology Leadership Study
25.7%

AI-generated code samples containing confirmed, static-analysis-verified security vulnerabilities.

AppSec Santa, 522 samples / 6 models
$2.41T

Estimated annual cost of technical debt across the US economy.

Accenture estimate
2 Β· A Prototype Is Not a Product

Visual plausibility is seductive.

Vibe coding can be wonderful for experimentation. The problem begins when the prototype is mistaken for a product.

A designer can turn an idea into a working interface. A small-business owner can explore a potential workflow. A student can see how software components interact. An experienced engineer can automate repetitive implementation work and move more quickly through a familiar architecture.

A screen that loads is not necessarily a functioning application. A login form does not prove that authentication is secure. A database connection does not establish that authorization rules are correct. A polished dashboard tells us nothing about data isolation, dependency vulnerabilities, error handling, backups, auditability, or regulatory compliance.

Traditional software failures were often visible: the program crashed, the compiler complained, or the feature did not work. AI-generated software can fail more convincingly. It may appear to work during a demonstration while quietly exposing customer records, accepting unauthorized requests, or trusting values that should have been verified on the server. The interface creates confidence that the underlying engineering has not earned.

3 Β· β€œI Don't Know” Is Not a Security Model

Basic questions, not obscure ones.

What framework does it use? Where is data stored? How is authorization enforced β€” on the server, or is the app merely hiding buttons in the browser?

These are not obscure questions reserved for elite cybersecurity specialists. They are part of the basic responsibility of operating software. OWASP's secure-coding guidance covers input validation, authentication, session management, access control, cryptography, error handling, database security, and protection of sensitive data β€” and its secure-by-design framework emphasizes that security must be incorporated into architecture before code is written, not attached after the product is already assembled.

A person does not have to memorize every implementation detail. Experienced architects consult documentation, collaborate with specialists, and use automated tools. The essential difference is that they know which questions must be asked, which assumptions must be challenged, and which risks require expert review.

The dangerous vibe coder does not know what he does not know β€” and the AI generating the application may never alert him to those omissions. It is optimized to produce a plausible response to the request it received, not to perform a threat model on his behalf.

4 Β· The Marketing Incentive

An ecosystem that benefits from the myth.

AI companies need adoption. Coding-platform companies need subscriptions. Cloud providers need workloads. Chip manufacturers need demand. Here is what four different corners of that ecosystem actually say.

Consumer Platforms

Replit

Its consumer-facing description has claimed users can describe what they want and have the platform handle the building, testing, debugging, and hosting β€” an entire engineering and design team through a chat interface.

Chip Manufacturers

Jensen Huang, Nvidia

Has argued natural language will increasingly serve as a programming language and that AI can make everyone a programmer β€” a framing that conveniently drives demand for the compute his company sells.

The More Careful Framing

OpenAI

Describes Codex as capable of writing features, fixing bugs, and proposing pull requests β€” but specifically presents those pull requests for human review, emphasizing that humans stay responsible for what ships.

The Cautionary Data

Anthropic

Has warned of a tension between faster AI-assisted development and the continuing need for humans skilled enough to catch errors β€” and found that reliance on AI assistance can interfere with the formation of coding skills itself.

Giving everyone access to power tools does not make everyone a structural engineer. Making automobile components easier to manufacture does not mean anyone can safely design a braking system. The democratization of construction does not repeal the laws of engineering. The most irresponsible message, therefore, does not always appear in a formal technical document β€” it emerges from the total atmosphere surrounding the products: build anything, build it instantly, do it without coding, replace a team with a prompt, and worry about the details later. But in software, the details are the product.

5 Β· The Vanishing On-Ramp

A generation that never learns to code.

The tasks that used to be a junior developer's apprenticeship β€” boilerplate, first-pass bug fixes, routine CRUD endpoints, simple tickets β€” are exactly the tasks AI tools now do fastest.

The junior pipeline, by the numbers
SignalChangeWhat it means
Junior developer job postingsdown ~60% since the 2022 peakThe apprenticeship-level jobs are the first to disappear
Employment, developers aged 22–25down ~20% (late 2022 β†’ mid-2025)Fewer young people are getting hired into the field at all
Junior employment at AI-adopting firmsdown 7–10% within six quarters of adoptionThe decline tracks AI adoption specifically, not just the economy
CS/computer-engineering grad unemployment~7.5%, vs. ~4.3% overall US rateNew graduates face a materially worse market than peers in other fields

That would be survivable if the juniors who do get hired were still learning to code. The evidence suggests many are not. An Anthropic randomized controlled trial found that developers who delegated coding tasks to AI scored meaningfully worse on subsequent comprehension tests than developers who used AI conversationally β€” about 17 percent lower, while those who used AI to ask conceptual questions scored well above baseline.

Senior engineers are not spontaneously generated. They are junior engineers who spent years being wrong in front of a compiler, tracing bugs by hand, and building the instinct that only comes from having personally broken something and fixed it. If that apprenticeship is skipped, the industry is not saving five years of training cost β€” it is deferring the bill to a moment, five or ten years from now, when it discovers it has no one left who actually knows how the systems work.

6 Β· When Senior Developers Forget

This isn't only a junior-developer problem.

A senior developer with roughly fifteen years of experience told me that after about a year of leaning heavily on an AI coding assistant, he caught himself blanking on things that used to be completely automatic β€” the exact syntax for a loop, boilerplate he'd written thousands of times before.

Developers describing this experience keep reaching for the same metaphor: muscle memory, replaced by the act of waiting for a suggestion. A widely shared comparison is GPS navigation β€” it makes you better at arriving, and worse at understanding the geography you passed through, with the erosion becoming visible only when the tool is unavailable or wrong.

Here is what makes this genuinely dangerous rather than merely nostalgic: AI does not evenly distribute its help. It tends to speed up exactly the routine work senior engineers had already automated in their own heads, while offering little help on the novel architectural problems and subtle bugs where their judgment actually matters. That same judgment β€” the instinct that recognizes a timing-attack vulnerability in a clean-looking authentication function, or knows that mapping over a million-row array will page someone at 3 a.m. β€” is precisely the thing that atrophies when it goes unexercised for long enough.

Senior engineers are the last line of defense in the review process. If that faculty is quietly eroding in the very people organizations are counting on to supervise AI output, the safety net has a hole in it that won't show up on a dashboard. It will show up the day something breaks.

7 Β· Speed Produces Its Own Blindness

Circular automation without accountable comprehension.

Imagine a process in which AI writes the implementation, AI generates the tests, AI reviews the pull request, and AI writes the commit message summarizing what supposedly changed. Who actually read the code?

I have described this broader condition elsewhere as the Blinded Mind Problem: a system crosses a comprehension threshold when its complexity and output exceed the ability of the responsible human or institution to understand, audit, and control it. A system that cannot be understood cannot be reliably secured or governed.

An automated reviewer can be valuable β€” it can identify patterns, flag suspicious changes, and supplement human analysis. NIST's Secure Software Development Framework explicitly describes tool-based review as something that complements rather than replaces review by people. OWASP likewise defines secure code review as manual examination intended to identify vulnerabilities that automated tools may miss, particularly those involving business logic and contextual understanding. The problem is not AI review. The problem is circular automation without accountable comprehension.

8 Β· The Evidence Is Not Reassuring

The concern is no longer theoretical.

A CodeRabbit analysis of 470 open-source pull requests found AI-generated PRs carried meaningfully more issues than human-generated ones β€” more logic errors, more security findings, more critical and major issues.

AI-generated vs. human-written pull requests (CodeRabbit, 470 PRs analyzed)
Human-written PRsAI-generated PRs
Average issues per pull request6.4510.83
Logic and correctness issuesbaselineup ~75%
Security vulnerability ratebaseline1.5–2x more frequent
Critical/major issue ratebaselinenotably higher

The security differences included greater rates of cross-site scripting, insecure object references, improper password handling, and insecure deserialization β€” weaknesses that can expose accounts and data or allow attackers to manipulate an application. AppSec Santa reported confirmed vulnerabilities in 25.7 percent of 522 AI-generated code samples tested across six models using five static-analysis tools, with server-side request forgery and path-traversal weaknesses among the most common findings.

A separate compilation of recent studies describes audits of thousands of publicly accessible vibe-coded applications that found exposed secrets, credentials, and personally identifiable information in production systems. AI-generated code can be useful, elegant, and correct. It can also be insecure in ways that remain invisible to someone who lacks the knowledge to inspect it. That is precisely why confidence is not evidence.

9 Β· Someone Will Have to Pay for This

A liability, not an asset, the moment it's written.

A line of code isn't an asset the moment it's written. It's a liability that has to prove itself over years of maintenance before it pays for itself at all.

What technical debt costs, in one table
Where it shows upFigureSource
Share of total IT spend servicing debt21–40%Deloitte 2026 Global Technology Leadership Study
Share of enterprise IT "balance sheet" tied up in debt~40%McKinsey
Developer time lost to debt-driven rework42%+Stripe developer research
Aggregate annual cost, US economy$2.41 trillionAccenture estimate
Mid-size legacy IT environment, annual maintenance$400,000–$800,000Nexa Devs analysis
A codebase produced fast by people who can't fully explain it isn't cheap software β€” it's expensive software with a deferred invoice. The apparent productivity gain is often just technical debt with better packaging.

None of the underlying research was measuring AI-generated code specifically β€” most of it predates the current wave of AI-assisted development. That's exactly the point. Technical debt at this scale was already accumulating when humans were writing every line by hand, deliberately and mostly with an understanding of what they were building. Someone always pays eventually β€” the company, in slower delivery and rising maintenance costs; the next engineer, in hours spent reverse-engineering a system nobody documented; or the customer, in a breach, an outage, or a compliance failure that traces back to a decision nobody remembers making, let alone understood at the time.

10 Β· Don't Vibe Drunk

Intoxicated by velocity.

The feature appeared in seconds. The interface looks professional. The deployment succeeded. The intoxication suppresses the questions that sobriety would require.

What did the AI actually build? What assumptions did it make? Which packages did it install? Which permissions did it grant? What data does it collect, and who can retrieve it? How will the system fail, and who will recognize that failure? Who will be accountable when someone is harmed? And, eventually: who is going to pay to fix it, and will there be anyone left on the team who still remembers how?

That danger grows dramatically in medicine, finance, healthcare, law, transportation, and other fields in which software decisions affect rights, safety, property, and human lives. Poorly engineered systems do not remain charming prototypes forever. They accumulate users, integrations, dependencies, and data. By the time an organization discovers it cannot explain the system it now depends upon, the cost of understanding it may exceed the cost that proper engineering would have required in the first place.

11 Β· Use AI, but Remain an Engineer

A tool does not assume responsibility for its output.

AI should help engineers move faster without asking them to stop being engineers. It should assist with implementation without eliminating architecture. It should strengthen code review without creating the illusion that review no longer requires a qualified human. And it should never be allowed to quietly replace the apprenticeship that turns juniors into seniors, or the practice that keeps seniors sharp.

A responsible AI-assisted development process should still include documented architecture, explicit data classification, threat modeling, dependency inventories, secrets management, access-control testing, automated security scanning, human review, logging, incident planning, clear ownership of every production system β€” and, deliberately, time spent coding without the assistant on, so the skill underneath the tool doesn't quietly disappear.

AI can write code. It cannot accept professional responsibility. It cannot be embarrassed before a customer, disciplined by a licensing body, questioned in a courtroom, or held morally accountable when a preventable failure harms someone. And it cannot pay the invoice when the technical debt comes due. That responsibility remains ours.

Think before you vibe. And whatever you do, don't vibe drunk.

References

Bibliography

  1. OWASP, "Secure Coding Practices Quick Reference Guide" https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/stable-en/02-checklist/05-checklist
  2. Replit: Vibe Code with AI Fast β€” App Store listing https://apps.apple.com/us/app/replit-vibe-code-with-ai-fast/id1614022293
  3. Medium, "Jensen Huang is Wrong about Coding" https://medium.com/%40nanecone/jensen-huang-is-wrong-about-coding-24c86a6e2203
  4. OpenAI, "Introducing Codex" https://openai.com/index/introducing-codex/
  5. Anthropic, "How AI assistance impacts the formation of coding skills" https://www.anthropic.com/research/AI-assistance-coding-skills
  6. Morph, "Will AI Replace Developers? What the Research Actually Says" https://www.morphllm.com/will-ai-replace-developers
  7. Hosseini Maasoum, S.M. & Lichtinger, G., "Generative AI as Seniority-Biased Technological Change," Harvard University / SSRN, August 2025 https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5425555
  8. CIO, "Demand for junior developers softens as AI takes over" https://www.cio.com/article/4062024/demand-for-junior-developers-softens-as-ai-takes-over.html
  9. arXiv, "The Productivity-Reliability Paradox: Specification-Driven Governance for AI-Augmented Software Development" https://arxiv.org/pdf/2605.01160
  10. Medium, "AI Coding Assistants: Cognitive Effects & Skill Retention" https://medium.com/@martin.jordanovski/ai-coding-assistants-cognitive-effects-skill-retention-4c10680a3969
  11. Medium, "AI Killed My Coding Skills: How I’m Rebuilding as a Developer" https://medium.com/@businessansh294/ai-made-me-forget-how-to-code-heres-how-i-m-relearning-one-bug-at-a-time-bfdeb75edfd0
  12. Icloudcentral, "The Copilot Workspace Productivity Paradox" https://icloudcentral.com/the-copilot-workspace-productivity-paradox-why-your-ai-assistant-might-be-making-you-slower/
  13. DZone, "Why Sr. Devs Are Actually Less Productive with AI Copilot" https://dzone.com/articles/why-senior-developers-are-actually-less-productive
  14. ArtNet Inc., "The Blinded Mind Problem" https://www.artnetinc.com/articles/blinded-mind-problem
  15. NIST, "Secure Software Development Framework (SSDF) Version 1.1" https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-218.pdf
  16. The Register, "AI-authored code needs more attention, contains worse bugs" https://www.theregister.com/software/2025/12/17/ai-authored-code-needs-more-attention-contains-worse-bugs/2576263
  17. AppSec Santa, "AI Security Statistics 2026" https://appsecsanta.com/research/ai-security-statistics
  18. AI Vyuh Code QA, "Why 53% of AI-Generated Code Ships with Vulnerabilities" https://codeqa.aivyuh.com/blog/ai-generated-code-vulnerabilities-2026/
  19. Software Improvement Group, "Cost of Technical Debt" https://www.softwareimprovementgroup.com/blog/cost-of-technical-debt/
  20. byteiota, "Technical Debt Costs 40% of IT Budgets in 2025: The $3M Crisis" https://byteiota.com/technical-debt-costs-40-of-it-budgets-in-2025-the-3m-crisis/
  21. Redeagle, "Technical Debt Cost Calculator UK" https://redeagle.tech/blog/the-true-cost-of-technical-debt
  22. Nexa Devs, "Legacy System Maintenance Cost 2026" https://nexadevs.com/legacy-system-maintenance-cost-2026/
  23. byteiota, "AI Coding Assistants Cut Developer Skills by 17%: Anthropic Study" https://byteiota.com/ai-coding-assistants-cut-developer-skills-by-17-anthropic-study/