AI

Vibe coding and the AI security governance gap

Vibe coding is accelerating software creation, but is security governance keeping up? Richard Beck explores the emerging AI risk gap.

Why AI-enabled software development is changing the economics of cyber security risk faster than organisations can adapt.

The democratisation of software development is accelerating faster than most security teams realise. What once required teams of developers, months of effort, and significant technical expertise can now be accomplished through a series of natural language prompts.

Applications, workflows, automations, integrations, and data pipelines can be generated in minutes rather than weeks.

Sceptics will rightly point to previous waves of no-code and low-code platforms (did they fail or just not evolve?). The difference this time is scale, accessibility, and speed.

Vibe coding enables almost anyone to build production-ready applications through natural language, compressing weeks of development into minutes. The topic first caught my attention during a discussion with a colleague experimenting with Replit alongside his son.

The productivity gains can be significant for certain products. However, the security implications are only beginning to be acknowledged. Much of the current discussion focuses on whether AI-generated code contains vulnerabilities.

Researchers at RedAccess recently analysed thousands of applications created using popular vibe coding platforms, including Lovable, Replit, Base44, and Netlify. They identified more than 5,000 applications with little or no security controls or authentication, with nearly 40% exposing sensitive information such as medical records, financial data, internal business documents, and customer conversation histories.

The issue was not malicious intent; it was software being deployed faster than it could be secured.

While this is important, it is not the most significant challenge facing the CISO. Software has always contained vulnerabilities, despite the persistent shift-left, DevSecOps, and Secure by Design collaboration efforts.

The more consequential issue is that vibe coding is changing the economics of software creation faster than enterprises can adapt proportionate risk management processes.

For decades, organisations have built security programmes around the assumption that software development was performed by skilled engineers operating within structured development lifecycles.

Architecture reviews, code reviews, security testing, dependency validation, compliance assessments, and deployment approvals were designed around human-led workflows.

Today, business users, product owners, analysts, marketers, operations teams, and entrepreneurs can create functional applications with little or no formal software engineering experience.

Some of the barriers to software creation are disappearing. Unfortunately, the barriers to creating insecure software have also disappeared.

The fundamental problem is that AI optimises for functionality, not security. If a prompt asks for a customer portal, booking system, or internal dashboard, the model’s primary objective is to generate a working application.

Secure architecture, least privilege, threat modelling, input validation, and abuse cases are rarely part of that prompt. Unless security is explicitly requested and then independently verified, the result is often software that works exactly as intended but is not resilient against attack.

The AI security governance gap

Many AI-generated applications are developed outside traditional software engineering teams and beyond established governance processes. Security reviews may never occur, and dependencies may never be validated.

Sensitive data could be exposed through poorly configured integrations. Authentication, authorisation, and data protection controls may be implemented incorrectly or overlooked entirely, creating a new generation of shadow development.

The challenge extends well beyond application security. Typically, organisations manage security risk through centralised technology teams, defined development processes, and established governance structures.

Vibe coding is decentralising those functions at unprecedented speed. The ability to create software is moving from a relatively small population of software engineers to potentially every knowledge worker within the enterprise.

Every employee is becoming a software developer. Every AI model is becoming part of the software supply chain. Every prompt is becoming a potential source of enterprise risk.

Large language models do not understand security. They generate statistically likely code, not secure software. Security intent, organisational context, regulatory obligations, and risk appetite remain human responsibilities.

Research has repeatedly demonstrated that AI-generated code can contain exploitable vulnerabilities and insecure design patterns, underpinned by a lack of suitable AI governance. More importantly, these vulnerabilities can be replicated at machine scale.

The challenge is that many of these weaknesses are not obvious. AI-generated code can successfully pass traditional security and dependency scanning while still containing flaws in business logic, authorisation, trust boundaries, or application design.

Security tools built for reviewing human-written code are not always equipped to understand software generated through prompts and AI-assisted workflows.

An insecure implementation generated once can quickly become an insecure implementation generated thousands of times.

A longer-term concern is the emergence of an AI vulnerability cycle. As more AI-generated code is published to public repositories, future coding models may increasingly learn from software that has never been properly engineered or security tested.

Insecure patterns risk being repeated, amplified, and embedded into the next generation of AI-assisted development. At the same time, attackers are learning from the same code and using AI to identify and exploit those weaknesses at scale.

The risk is not simply that AI generates vulnerable software. It is that AI could accelerate the creation, reuse, and exploitation of insecure code faster than the industry can secure it.

The implications extend beyond cyber security

As organisations increasingly rely on AI-generated applications to support business operations, customer engagement, supply chains, and decision-making processes, software governance becomes a strategic business issue rather than simply a technical one.

Poorly governed AI-generated systems can create exposure, operational disruption, expansive technical debt, and systemic AI risk.

For boards and executive leadership teams, this will become a broader security governance issue rather than a technology challenge.

The software supply chain implications are equally significant. Modern vibe coding environments increasingly rely on a complex ecosystem of models, agents, connectors, APIs, MCP servers, plugins, skills, and third-party dependencies.

Most organisations lack visibility into which AI systems are contributing to software creation, what components are being introduced, and what risks those components carry.

Traditional software supply chain security is focused on source code and dependencies. AI-enabled development and vibe coding introduce an entirely new supply chain that requires AI security governance.

This is why security leaders must begin thinking beyond DevSecOps and towards what could be described as AgentSecOps. This is less about replacing DevSecOps than extending it to govern AI agents, prompts, models, and autonomous development workflows.

Organisations need security controls capable of operating directly within AI-enabled development environments.

Vulnerabilities, prompt injections, insecure coding patterns, malicious dependencies, and unauthorised actions must be identified before generated code enters production pipelines.

We cannot rely on LLMs to identify and correct their own security weaknesses (not today anyway).

Instead, automated guardrails need to be embedded directly within AI-enabled development workflows, validating prompts, generated code, agent interactions, and dependencies before they become executable actions.

Equally important is visibility

Most organisations cannot accurately answer a simple AI assurance question: which AI models, agents, MCP servers, tools, and third-party services are currently contributing to software development?

Without visibility, governance becomes impossible.

Just as Software Bills of Materials (SBOMs) became essential for managing software supply chain risk, AI-enabled development requires AI Bills of Materials (AI BOMs) that continuously inventory the models, agents, tools, connectors, and dependencies participating in software creation.

This visibility provides the foundation for governance, risk assessment, compliance, and incident response in AI-driven environments.

AI agents are becoming a new digital workforce. Like human employees, they require oversight, accountability, monitoring, access controls, and governance.

The objective is not to slow innovation

The productivity benefits of AI-enabled development are too significant to ignore, and attempts to prohibit their use are unlikely to succeed.

The organisations that thrive will be those that implement governance and security controls that operate at the same speed as AI itself.

Vibe coding represents one of the most significant shifts in software development since the emergence of cloud computing. Like every major technology transition, it creates new opportunities and new risks.

The central challenge for cyber security leaders is no longer preventing insecure code from being written. It is preventing insecure software from being generated faster than it can be governed, understood, and secured.

AI has not simply changed how software is written. It has changed who can create it, how quickly it can be deployed, and how much enterprise risk can be introduced with a single prompt.

For CISOs, the challenge is no longer securing software written by developers. It is governing software generated by an AI-enabled workforce operating at machine speed.

The organisations that succeed will not be those that slow AI adoption. They will be the ones that build AI governance, security, and assurance that can keep pace with AI-driven software creation.

 


Ready to strengthen your organisation’s AI security posture? Explore our cyber security training to build the expertise needed to manage AI-driven risk.

Related Articles