"Vibe coding" — the practice of describing what you want to an AI assistant and accepting its output with minimal review — has moved from novelty to mainstream workflow in under two years. GitHub Copilot, Cursor, Claude Code, and a dozen other tools now mediate a significant fraction of the code written in 2025. The productivity gains are real and measurable. The security implications are also real and almost entirely unmeasured.
The fundamental problem isn't that AI-generated code is bad. It's often good. The problem is that AI assistants optimize for functional correctness — does the code do what was asked? — and have a systematically weaker grip on security correctness — does the code do only what was asked, without side effects an attacker could exploit? These are different questions, and AI models trained primarily on "working code" rather than "hardened code" tend to produce working code.
What the Research Shows
A 2023 study from Stanford found that developers who used GitHub Copilot were significantly more likely to introduce security vulnerabilities than those who wrote code without assistance — and were also significantly more confident that their code was secure. The confidence gap is the dangerous part. Vibe coding produces code that looks finished, reads as intentional, and passes casual inspection. The developer who reviewed it assumes it was reviewed by the AI. The AI assumes it was reviewed by the developer. Neither assumption is valid.
The vulnerability patterns that appear most frequently in AI-generated code are predictable: SQL injection from string-concatenated queries, path traversal from unsanitized file paths, insecure deserialization, hardcoded credentials in generated configuration examples, and — most commonly — missing authorization checks. An AI that generates a function to "get user data" will generate a function that gets user data. Whether it should also verify that the requesting user is authorized to see that data is a question the model answers inconsistently, because authorization logic is highly context-dependent in ways that generating a function body is not.
"The AI writes the code. The developer ships the code. Nobody reviewed the code. This is the vibe coding security model in its current form."
What Responsible Vibe Coding Looks Like
The solution isn't to stop using AI coding tools. The productivity gain is too significant to unilaterally surrender. The solution is to treat AI-generated code the way you'd treat code from a talented but junior developer who has never shipped to production: assume it works, assume it's insecure, and build review processes that specifically target the security gaps AI generates most reliably.
Practically, this means: running AI-generated code through SAST tools before it merges, making authorization and input validation explicit in prompts rather than assuming the model will add them, and treating security review as a distinct phase from functionality review rather than combining them. The organizations that figure out how to capture the speed of AI coding while adding back the security hygiene that vibe coding skips will have a significant advantage. The organizations that just ship the vibes will eventually face the bill.