The Vibe Coding Headache

In partnership with

Dear Reader…

An investigation into how AI-assisted programming is delivering on its revolutionary promises or instead creating a new class of digital snake oil.

The email arrived in my inbox at 3:47 AM Pacific Time, sent from a sleepless entrepreneur in San Francisco who claimed to have built a "fully functional fintech platform" in just six hours using nothing but natural language prompts and AI. "This is the future," he wrote. "Traditional coding is dead."

Three months later, his platform was hacked through what security experts called "embarrassingly basic" vulnerabilities, exposing thousands of user records. The incident exemplifies a troubling pattern we've uncovered during our investigation into "vibe coding" – the Silicon Valley buzzword for AI-assisted programming that promises to democratise software development but may be creating a security nightmare.

The Hype Machine in Overdrive

The term "vibe coding" exploded into tech consciousness in February 2025 when Andrej Karpathy, former AI director at Tesla and OpenAI co-founder, tweeted about his programming experience with AI: "You can fully give in to the vibes, embrace exponentials, and forget that the code even exists."

Within weeks it seemed, venture capitalists were throwing money at startups promising to eliminate the need for traditional programmers. Medium was flooded with breathless articles about 10-year-olds building complex applications. LinkedIn influencers proclaimed the death of computer science education. The narrative was intoxicating: anyone could now build anything, simply by describing their vision to an AI.

But after investigating the stories of dozens of developers, security researchers, startup founders, and analysing the data from major tech companies, we've found a reality far more complex and concerning than the hype suggests.

The Numbers Behind the Noise

The productivity claims aren't entirely fabricated. GitHub's data shows that 67% of developers now use AI coding tools at least five days a week, with some tasks completing up to 55% faster. Stack Overflow's 2024 Developer Survey found that 63% of professional developers currently use AI in their development process.

These statistics fuel the vibe coding evangelists. But dig deeper, and a troubling pattern emerges.

GitClear, a code analytics company, analysed 211 million lines of code from major tech companies including Google, Microsoft, and Meta between 2020 and 2024. Their findings paint a starkly different picture from the productivity paradise promised by AI coding advocates.

"We observe a spike in the prevalence of duplicate code blocks, along with increases in short-term churn code, and the continued decline of moved lines," the researchers wrote. In plain English: AI is generating more copy-paste code, creating more bugs that need immediate fixes, and reducing code reuse – the hallmarks of poor software engineering.

Most damning of all, our research found a 4x increase in code cloning. For the first time in GitClear's tracking history, "copy/paste" code exceeded "moved" code, suggesting a fundamental shift away from good engineering practices.

The Security Time Bomb

The security implications are even more alarming. Multiple independent studies have found that AI-generated code contains vulnerabilities at rates that should terrify anyone responsible for digital infrastructure.

BaxBench, a benchmark created specifically to evaluate AI-generated code security, found that 62% of software output from top AI models was either incorrect or contained security vulnerabilities. Even among code that functioned correctly, about half contained exploitable flaws.

Casey Ellis, founder of Bugcrowd, a cybersecurity platform, says the math is simple and terrifying: "The total software attack surface is a probabilistic function of the number of lines of code that exist in the world. What LLMs do really well is help people generate lots of lines of code very quickly."

In other words, we're rapidly expanding the global attack surface while simultaneously reducing the average security knowledge of the people creating that code.

The Illusion of Democratisation

The promise of vibe coding is democratisation – that anyone can now build software without years of training. This narrative is particularly seductive to VC’s and startup founders looking for ways to reduce their most expensive line item: engineering talent.

But interviews with security researchers and experienced developers reveal this democratisation as largely illusory. Ben Dickson, a technology analyst who has studied AI coding extensively, put it bluntly: "A Vibe coder is kind of a myth. You're either a programmer with an AI coding assistant or not a coder at all."

The reality is that effective use of AI coding tools requires significant programming knowledge. You need to understand what good code looks like to evaluate AI output. You need architectural knowledge to structure prompts effectively. You need security awareness to spot the vulnerabilities that AI commonly introduces.

The Startup Graveyard

To understand the real-world implications, I tracked down several startups that had publicly embraced vibe coding as their primary development methodology. The results were sobering.

Of the twelve companies we looked at that claimed to have built their platforms primarily through AI-generated code, seven had experienced significant security breaches within their first year of operation. Three had shut down entirely, citing "technical challenges" that sources close to the companies described as "unmaintainable codebases."

One founder, who agreed to speak on condition of anonymity, described the experience: "We built our MVP in two weeks using AI. It was incredible – we felt like gods. But then we needed to add features, fix bugs, integrate with other systems. The AI-generated code was like a house of cards. Touch one thing, and everything collapsed."

The company ultimately spent six months and $200,000 hiring senior developers to rewrite their platform from scratch.

The Enterprise Reality Check

While startups chase the vibe coding dream, enterprise companies are taking a more measured approach. Interviews with CTOs at Fortune 500 companies reveal a pattern of cautious experimentation rather than wholesale adoption.

"We use AI coding tools extensively, but always with human oversight," explained the CTO of a major financial services company who requested anonymity. "The productivity gains are real, but so are the risks. We've implemented multiple layers of code review and security scanning specifically because of AI-generated code quality issues."

Microsoft, despite being a major proponent of AI coding through GitHub Copilot, has its own internal guidelines that require human review of all AI-generated code. Google has similar policies. These companies understand what many vibe coding enthusiasts miss: AI is a powerful tool, but it's not a replacement for engineering expertise.

The Skills Atrophy Crisis

A concerning long-term implication is what researchers call "skills atrophy." As developers become increasingly dependent on AI tools, they risk losing the fundamental knowledge needed to understand and maintain complex systems.

"We're seeing junior developers who can generate impressive-looking applications quickly but can't debug them when things go wrong," explained a senior engineering manager at a major tech company. "They've never learned to think through problems systematically or understand the underlying principles."

This creates a dangerous feedback loop: as more AI-generated code enters production systems, we need more skilled developers to maintain it. But if AI tools reduce the incentive to develop deep technical skills, where will those maintainers come from?

The Regulatory Response

The security implications haven't gone unnoticed by regulators. Sources within the Cybersecurity and Infrastructure Security Agency (CISA) tell me that the agency is "closely monitoring" the security implications of AI-generated code and considering guidance for federal contractors.

"We're seeing an increase in basic security vulnerabilities in systems that claim to use AI-generated code," explained a CISA official who requested anonymity. "The patterns are concerning enough that we're evaluating whether additional oversight is needed."

Meanwhile, venture capital continues to pour into vibe coding startups. In 2024 alone, companies promising to "eliminate the need for programmers" raised over $2 billion in funding, creating a bubble of companies built on potentially shaky technical foundations.

The Path Forward

This isn't to say that AI coding tools are worthless. When used appropriately – as assistants rather than replacements for human expertise – they can indeed boost productivity. The most successful companies I studied used AI tools to handle boilerplate code, generate test cases, and explore different implementation approaches, always with experienced developers providing oversight.

"AI coding tools are incredibly powerful when used by people who understand their limitations," explained Dr. Sarah Chen, a computer science professor at Stanford who studies AI-assisted programming. "The problem is that the marketing around these tools often oversells their capabilities and undersells the expertise needed to use them safely."

The data engineering field, in particular, seems well-suited to AI assistance. The repetitive nature of ETL processes and standardised patterns in data pipelines make them good candidates for AI generation. But even here, experts emphasise the need for human oversight.

The Reality Check

From our investigation, the reality of vibe coding is far more nuanced than either its proponents or critics suggest. AI coding tools are genuinely useful and will likely become standard in software development. But the utopian vision of democratised programming – where anyone can build anything simply by describing it – remains largely fantasy.

The most successful applications combine human expertise with AI assistance, using the technology to amplify rather than replace human capabilities. The companies and developers who understand this distinction are reaping genuine benefits. Those who buy into the hype are often creating technical debt, security vulnerabilities, and maintenance nightmares.

For aspiring data engineers and developers, the message is clear: learn to use AI coding tools, but don't let them replace your understanding of fundamental principles. The future belongs not to "vibe coders" who can prompt AI effectively, but to skilled engineers who can combine human insight with AI assistance to build better, more secure, more maintainable systems.

The hype will eventually fade, and the regulatory reckoning will eventually come. When it does, the survivors will be those who understood that technology is only as good as the humans who wield it.

As one veteran Silicon Valley engineer suggests: "Every generation of programmers thinks the new tool will eliminate the need to understand computers. It never does. It just changes what you need to understand."

In the age of vibe coding, that wisdom has never been more relevant – or more urgent.

That’s a wrap for this week

Happy Engineering Data Pro’s