VMHOSTS NEWS

Vibe coding: is it safe or a security disaster in the making?

AI-built apps and hidden risks: the security challenge of vibe coding

Artificial intelligence is changing the way software is written. One of the newest trends gaining attention is “vibe coding”, where users describe what they want in plain English and AI tools generate the code for them. Instead of manually writing functions, databases, or APIs line by line, developers can now ask tools like OpenAI ChatGPT, Anthropic Claude, or AI-powered IDEs to create working applications in minutes.

For staff, the appeal is obvious. They get the tools they feel they need, right now. Small businesses that previously could not afford custom software are suddenly experimenting with internal apps, websites, workflows, and automation systems built almost entirely through AI prompts.

The problem is that speed and convenience rarely come without risks.

Vibe coding often encourages rapid experimentation rather than structured software engineering. A user might ask an AI tool to “build a customer portal with login functionality” or “create a booking system connected to a database”, receive working code, and deploy it immediately without properly understanding what has actually been created underneath.

That is where security concerns start to appear.

AI-generated code can absolutely produce secure applications, but it can also introduce vulnerabilities that inexperienced users may never notice. In many cases, the code works perfectly from a functionality perspective while still containing serious weaknesses behind the scenes.

One common issue is poor authentication handling. AI tools sometimes generate login systems that store passwords incorrectly, fail to validate sessions properly, or miss important protections such as rate limiting and multi-factor authentication support. To a business owner testing the system, everything appears functional. To an attacker, it may be an easy target.
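As an added illustration (not code from the original article), the sketch below shows two of the protections named above done correctly: passwords kept only as salted scrypt hashes, and a per-account limit on failed logins. The `LoginService` class, the thresholds and the in-memory storage are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

# Assumed values for this example; tune for your hardware and policy.
SCRYPT = dict(n=2**14, r=8, p=1)
MAX_FAILURES = 5        # failed attempts allowed per window
WINDOW_SECONDS = 300    # length of the sliding window


def hash_password(password: str) -> bytes:
    """Return salt || scrypt(password); the password itself is never stored."""
    salt = os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify_password(password: str, stored: bytes) -> bool:
    salt, expected = stored[:16], stored[16:]
    actual = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(actual, expected)  # constant-time compare


_DUMMY = hash_password("")  # hashed for unknown users so timing stays similar


class LoginService:  # hypothetical in-memory service, for illustration only
    def __init__(self, clock=time.monotonic):
        self._users, self._failures, self._clock = {}, {}, clock

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str) -> str:
        now = self._clock()
        recent = [t for t in self._failures.get(username, [])
                  if now - t < WINDOW_SECONDS]
        self._failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            return "locked"          # rate limit reached: do not test the password
        stored = self._users.get(username)
        ok = verify_password(password, stored or _DUMMY)
        if stored is not None and ok:
            self._failures.pop(username, None)
            return "ok"
        recent.append(now)           # count the failure against this account
        return "denied"
```

When reviewing AI-generated login code, the same two questions apply: what exactly is written to the user table, and what happens on the sixth wrong password.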

Another growing concern is accidental exposure of sensitive information. During vibe coding, users often paste API keys, passwords, database details, or internal documentation directly into AI prompts. If organisations are not careful about which AI platforms they use and how data is processed, confidential business information could end up stored externally or used in future model training.
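One control for this is to strip credentials from text before it leaves the organisation. The following is an added example, not part of the original article: a small redaction filter run over a prompt before it is sent to any AI platform. The rule set is a minimal assumption for illustration, and the sample prompt and its values are constructed.

```python
import re

# Each rule names the kind of secret and captures it in a group called "secret".
RULES = [
    ("private_key", re.compile(
        r"(?P<secret>-----BEGIN [A-Z ]*PRIVATE KEY-----.*?"
        r"-----END [A-Z ]*PRIVATE KEY-----)", re.S)),
    ("aws_access_key_id", re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b")),
    # user:password embedded in a connection string or URL
    ("url_credentials", re.compile(r"://(?P<secret>[^\s/:@]+:[^\s/@]+)@")),
    # password=..., api_key: "...", token = ... (skips values already redacted)
    ("assigned_secret", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?"
        r"(?!\[REDACTED)(?P<secret>[^\s'\"]+)")),
]


def redact(prompt: str):
    """Return (redacted_prompt, findings); findings lists the rules that fired."""
    findings = []
    for name, pattern in RULES:
        def _mask(match, name=name):
            findings.append(name)
            start, end = match.span("secret")
            whole, base = match.group(0), match.start()
            # Replace only the secret, keep the surrounding key name or URL.
            return whole[:start - base] + f"[REDACTED:{name}]" + whole[end - base:]
        prompt = pattern.sub(_mask, prompt)
    return prompt, findings


# Constructed sample prompt; none of these values are real credentials.
SAMPLE_PROMPT = """Fix my booking app, it can't connect.
DATABASE_URL=postgres://booking:S3cretPw@db.example.internal:5432/app
AWS key is AKIAABCDEFGHIJKLMNOP
api_key = "constructed-key-123"
"""

if __name__ == "__main__":
    clean, found = redact(SAMPLE_PROMPT)
    print(clean)
    print("blocked:", found)
```

A filter like this catches known patterns only, so it complements a policy on which platforms may receive company data and does not replace it.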

There is also the issue of dependency management. AI-generated applications frequently rely on open-source packages and libraries. Some of these dependencies may already contain known vulnerabilities or may no longer be maintained. A traditional development process would normally include security reviews and dependency scanning, but many vibe-coded projects skip those steps entirely because the focus is on speed.

The rise of “shadow IT” is another challenge for businesses. Staff members can now build surprisingly capable applications without involving the IT department at all. Marketing teams might create customer data tools. HR teams may automate onboarding processes. Operations staff could build dashboards connected to live business systems. While this innovation can improve productivity, it also creates environments where unapproved applications are handling sensitive company data without proper governance or oversight.

For managed IT providers and cybersecurity teams, this trend creates a difficult balancing act. Blocking AI tools entirely is unrealistic and often unpopular with staff. At the same time, allowing unrestricted use without policies introduces significant risks.

Businesses adopting vibe coding should treat AI-generated software exactly the same way they would treat traditionally developed software. Security reviews, testing, access controls, backups, logging, and ongoing patch management still matter. AI can accelerate development, but it does not remove the need for proper IT governance.

The businesses likely to succeed with vibe coding will be the ones that combine AI speed with human oversight and management. Staff can use AI to accelerate repetitive tasks while still applying security knowledge and best practices. IT teams can introduce approval workflows and policies that allow innovation without losing control of company systems or of which systems are used.
