Just an Assisted Memo Pad

Is “Vibe Coding” Racing Us Toward a Catastrophic Software Failure?

The most seductive feature of “vibe coding” is not that it writes software. It is that it seems to dissolve friction. A person with a half-formed idea can now turn a thought into a working artefact in an afternoon. That is a genuine democratic advance. It lowers the barrier between imagination and execution; it allows non-specialists to prototype, tinker and build; it gives exhausted professionals a kind of mechanical apprentice. For harmless tools, internal utilities and disposable experiments, this is often magnificent.

The danger begins when a tool that is usually right is treated as if it were reliably safe. Speed alters culture before it alters institutions. Once teams discover that software can be produced in bursts rather than increments, the pressure quickly shifts from understanding to output. The competitive logic becomes hard to resist: ship first, inspect later, if at all. In ordinary office software, that may merely create clutter and technical debt. In banking, healthcare, logistics, energy and security systems, it invites a different class of failure altogether.

This is hardly a speculative concern. Cybersecurity bodies have spent the past two years warning that AI-assisted development introduces novel risks alongside familiar ones, and that secure-by-default practices remain essential. Official guidance from Britain’s National Cyber Security Centre and government code-of-practice work on AI security rest on a simple premise: AI systems and the software built around them cannot be trusted into safety by vibes, confidence or convenience. They require testing, governance and explicit security controls. Medical regulators have reached a similar conclusion. The American FDA’s recent guidance on AI-enabled medical devices places repeated emphasis on lifecycle monitoring, risk management and post-market vigilance. In other words, the institutions closest to serious harm are already behaving as though exuberance needs containment.

There is good reason for that caution. Emerging research on AI-generated code suggests a persistent “illusion of correctness”: code that looks polished, idiomatic and production-ready while concealing vulnerabilities or dubious assumptions. Security researchers have also identified a supply-chain problem in the form of hallucinated package names, which create openings for malicious actors to publish booby-trapped libraries and wait for unsuspecting developers to import them. Old software risks are being reintroduced in a new idiom, wrapped in a sheen of fluency that can disarm scrutiny.

The deeper problem is organisational. Most catastrophes in modern systems do not arise because nobody knew what good practice looked like. They happen because incentives rewarded haste, compliance became theatrical, and warnings were treated as a drag on growth. Vibe coding fits neatly into that pattern. It makes prototyping astonishingly cheap, and therefore makes caution feel expensive. A junior developer who once had to understand a subsystem can now patch around it. A manager who once accepted slower delivery as the cost of diligence can now ask why the team is behind. Every local decision appears rational. The aggregate result may be brittle infrastructure on a civilisational scale.

That does not mean the world is doomed by autocomplete. Societies do eventually learn how to govern dangerous productivity tools. Industrial machinery, aviation and pharmaceuticals all passed through periods in which exuberance outran safeguards. Software itself has long contained bugs, vulnerabilities and silent defects. The difference now lies in the probable speed and volume of introduction. If code generation compresses the time required to produce software, it may also compress the time available for thought. One can flood critical systems with plausible rubbish far faster than one can audit it.

So the real issue is not whether vibe coding is good or bad. It is whether we confine it to domains where failure is tolerable, and whether we preserve a culture in which understanding still outranks mere generation. The likeliest path to wisdom, regrettably, runs through an accident. One can only hope for the sort of accident that humiliates the industry without crippling society: large enough to shatter complacency, limited enough to remain a warning rather than an era-defining calamity. History suggests that humanity often waits for smoke before installing alarms. With AI-written code spreading into the foundations of modern life, that habit looks less like procrastination than roulette.

Citations: UK National Cyber Security Centre, “Guidelines for Secure AI System Development” (27 November 2023); UK Government, “AI Cyber Security Code of Practice” (31 January 2025); UK Government, “World-leading AI cyber security standard to protect digital economy and deliver Plan for Change” (2025); US Food and Drug Administration, “FDA Issues Comprehensive Draft Guidance for Developers of Artificial Intelligence-Enabled Medical Devices” (2023); US Food and Drug Administration, “Cybersecurity” guidance and alerts for medical devices; Ars Technica reporting on USENIX Security 2025 research into hallucinated software packages in AI-generated code; Veracode research as reported in 2025 on security flaws in AI-generated code.