Debunking AI & ML Myths
AI is evolving fast. See how AI and humans can thrive together in this free guide.
Vibe Check: Coding in the AI Era
By
David Bianco
In case you haven’t heard, vibe coding is here and it’s here to stay.
This emerging development style, characterized by AI-driven code generation, unlocks flow, experimentation, and faster throughput. Teams can test ideas and move from application concept to execution in hours, not weeks. In fact, CEO Satya Nadella reported in early 2025 that up to 30% of Microsoft's code is written by AI.
But the same characteristics that make vibe coding powerful can also create new risks. So, it's essential for leaders and their organizations to be deliberate in how vibe coding is adopted, governed, and scaled across the business. Without the right guardrails and a sustainable strategy, vibe coding can quickly shift from competitive edge to operational liability.
Use case is king for internal vs. external applications
In my experience, the risk profile for vibe coding depends heavily on where and how it’s applied. I’ve seen teams leverage vibe coding for internal tools or workflows and be amazed at how much faster they can iterate. In these cases, the downside is relatively limited. This allows teams to create artisanal, bespoke solutions tailored to their specific architecture or needs. Ultimately, it provides a level of customization not available on the market today.
In this case, because the tools live behind the firewall and are only accessible by users within the organization, vibe coding is a powerful accelerator that can help teams move faster, experiment more, and create custom integrations that genuinely improve productivity without introducing major organizational risk.
That said, the stakes are higher when building customer-facing products with vibe coding. Generating a new tool or feature in hours instead of weeks sounds great in theory, but mistakes can have serious consequences. For instance, a widely used AI coding platform recently made changes to a live production database despite explicit instructions to halt, resulting in significant data loss and fabricated records for thousands of users. This raises questions: Who’s accountable if a hidden vulnerability becomes a breach, or if a client’s business is disrupted by code that wasn’t thoroughly reviewed?
Unlike internal tools, external applications live in the wild, where bugs and vulnerabilities can quickly escalate into trust, compliance, and brand reputation issues. This is where the risks are highest, and where oversight, governance, and disciplined review processes become non-negotiable.
External-facing code must be subject to more rigorous testing and validation, not just to catch functional bugs but to identify hidden security flaws or compliance gaps before they reach customers.
This means layering in code reviews from multiple stakeholders, enforcing standardized testing protocols, and adopting practices like threat modeling, penetration testing, and dependency scanning to minimize exposure. The goal is consistency and repeatability to reduce reliance on individual judgment and ensuring that every release meets the same baseline for quality and security.
Without this level of rigor, small oversights can not only disrupt the user experience but also erode customer trust, invite regulatory scrutiny, and damage the organization’s reputation in ways that are far harder to recover from than an internal misstep.
Putting vibe coding to the test
A real-world example comes from my own experiment with DECEIVE, an AI-enabled honeypot proof of concept. The idea was simple: honeypots are valuable for analyzing attacker behavior, but they traditionally take significant time and effort to configure. I wanted to see how quickly AI could change that equation and whether someone without deep AI expertise could stand up a credible, functioning system. Instead of spending days building out a traditional Linux server honeypot, I was able to simulate one from a single prompt and immediately begin analyzing attacker activity automatically.
At first, I built the prototype by hand, but as the project evolved, vibe coding became the faster path forward. The real challenge wasn’t whether the AI could deliver, it was the manual development work that usually creates delays. Vibe coding removed that barrier by turning time-consuming implementation work into rapid iteration.
What began as asking the co-pilot, “Why isn’t this working?” quickly shifted into, “Fix it for me,” accelerating progress in a way that freed me to focus on outcomes rather than mechanics.
The result was a working honeypot stood up in a fraction of the time, producing meaningful attacker telemetry far faster than a manual approach would have allowed — giving the team a head start on understanding attacker behavior. For a security team, this means the difference between experimenting in theory versus testing in practice.
The emerging risks leaders need to consider
So, how do you avoid the risks of vibe coding that undermine long-term stability while still capturing its upside?
Security and operational risks
Security and operational risks come with unchecked speed. Moving too fast can create brittle architectures and hidden vulnerabilities within an application, and small oversights can compound quickly at scale. Additionally, you have to be careful about the tool itself. While many vibe coding tools have controls for guardrails like access, identity controls, and data protection in generated code, those safeguards are often left to the discretion of the individual, rather than enforced at the organizational level.
This creates uneven practices across teams — what one developer locks down diligently, another may leave exposed. The result is a patchwork of standards that makes it harder to ensure compliance, introduces blind spots in oversight, and increases the risk of misconfigurations that only surface once the code is deployed. At scale, the lack of organizationally enforced standards means security and quality depend too heavily on individual choices rather than on consistent, repeatable processes.
Oversight and quality control
Operational risks open the question of oversight and quality control. Traditional review processes weren’t designed for the sheer volume of code AI can generate, they were designed around human output — tens of lines of code a day and changes that are smaller in scope and easier to track back to an individual developer. Vibe coding shifts that equation: Instead of modest, incremental contributions, AI can produce entire modules, integrations, or thousands of lines in a single session. If quality checks can’t keep pace with that scale, organizations risk accountability gaps, eroded trust with customers, and limited visibility into what’s actually running in production. Addressing this means rethinking review at scale, and finding new ways to sample, stress-test, and monitor AI-driven code so oversight grows in proportion to output.
Talent risks
Over-reliance on copilots could cause core engineering and security skills to atrophy. If developers lose touch with foundational practices, organizations may end up with teams who can generate prompts but can’t diagnose failures, troubleshoot root causes, or design resilient systems from the ground up. That’s not a workforce you want to depend on when systems are compromised or breached.
On the upside, vibe coding democratizes code for all. This enables teams to scale output by doing more quickly, allowing for experimentation at scale. Teams can fail fast, refine quickly, and uncover innovative solutions that might not emerge with traditional time and budget constraints.
Guardrails and guidance for vibe coding
Security leaders can create the conditions for vibe coding at a safe speed by investing in automated guardrails, clear governance policies, and structured access models that align with developer experience levels.
For example, do not ship vibe-coded products to customers without rigorous code review and testing. The quality bar cannot slip. Leaders should think of stress testing vibe-coded systems as more than just running automated checks. One way to do this is to plant subtle vulnerabilities intentionally: small misconfigurations, minor logic errors, or unusual input cases that mimic the types of issues a malicious actor or real-world use case might expose. This approach reveals weaknesses in oversight, exposes hidden blind spots, and helps teams understand where AI-generated code might introduce fragility. Ultimately, while vibe coding can save time upfront, capturing its full benefits requires leaders to invest extra scrutiny on the back end to prevent compromises to security, resilience, and long-term trust.
Intentional innovation for the win
Vibe coding is neither a silver bullet nor a looming catastrophe. It’s a new reality in how code is created. The challenge for leaders isn’t whether to allow it, but how to shape its use so it strengthens rather than weakens the enterprise. That means distinguishing between low-risk internal experimentation and high-stakes customer-facing applications, and putting the right guardrails around each.
Innovation will accelerate, but so will complexity and accountability. The leaders who succeed will be those who treat vibe coding not as a shortcut, but as a capability that demands the same rigor, oversight, and strategic intent as any other enterprise technology.
Subscribe to the Perspectives by Splunk newsletter and get actionable executive insights delivered straight to your inbox to stay ahead of trends shaping security, IT, engineering, and AI.
Related Articles
About Splunk
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.
Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.
