Software development is undergoing a fundamental shift toward “vibe coding,” where developers move away from the granular, manual process of writing code and instead use natural language prompts to describe a desired outcome.
They provide the “vibe,” and AI agents generate the executable code.
For organizations or teams that need to operate quickly, the ability to prompt a feature into existence is incredibly enticing. However, according to a research report from Wakefield Research on behalf of Palo Alto Networks, this surge in AI-driven development is creating a massive security problem. While companies are shipping code faster than ever, we are also accelerating the build-up of technical debt and critical security gaps.
The productivity paradox
The Palo Alto Networks report reveals a major disconnect in how software is built today. While AI assistance has allowed 53% of the 2,800 IT professionals surveyed to ship code weekly or faster, security processes haven’t kept up with this new speed. In fact, only 18% of organizations report being able to fix security vulnerabilities at that pace. Essentially, we are moving faster than we can protect ourselves.
Vibe coding makes it much easier for anyone to build complex software, but that speed often comes at the expense of understanding. When a developer relies on AI to generate code, they can push through logic they haven’t personally verified. If you don’t fully grasp how the code works, it’s impossible to be truly accountable for its security and it makes remediation of issues in the future more complex. This lack of oversight is already hurting code quality, leading to bulkier, less efficient software.
AI: The new primary attack surface
The risks of unverified AI outputs are now a reality. The 2025 Palo Alto Networks report found that 99% of organizations have encountered an attack on an AI system in the past year. As we empower AI agents to write code, we are simultaneously expanding the attack surface in the following three critical ways:
-
API surges: Because AI agents rely heavily on APIs to communicate and execute tasks, attacks on APIs have surged by 41%. Vibe coding often creates “shadow APIs”, with connections the developer may not even realize were established by the AI.
-
Prompt injection and autonomy: Giving an AI agent the power to edit files or download software libraries on its own is a massive security gamble. If an attacker tricks the AI with a malicious prompt, that independence backfires, and the AI itself effectively becomes a tool for the hacker to move through your systems.
-
The AI supply chain: AI-generated code frequently leans on open source libraries. If these dependencies aren’t rigorously vetted, organizations risk inheriting outdated or malicious packages. More dangerously, AI can hallucinate nonexistent package names. Threat actors now practice “slopsquatting”, which is when they register these fabricated names in public repositories to ensure their malicious code is pulled in by unsuspecting AI agents.
-
Exposed intellectual property: Vibe coding often involves sending proprietary logic to third-party models. Without a secure framework, your company’s most valuable intellectual property effectively enters the public domain, where it can be used to train future models
From coder to ‘AI team leader’
To survive the era of vibe coding, the role of the senior engineer must evolve. We have seen the rise of the AI team leader. In this model, the engineer’s value shifts from the volume of code they personally write to the strategic oversight of an entire ecosystem of AI agents. This isn’t about humans manually reviewing every line of AI-generated code, but instead it’s about deploying security agents to watch the coding agents.
In this “Agent-to-Agent” security model, the human leader sets the guardrails and high-level intent, while autonomous security agents perform the heavy lifting. This includes real-time vetting, automated remediation and contextual governance.
The path to engineered trust
The consensus among security professionals is clear: the “vibe” isn’t enough. According to the Palo Alto Networks report, 97% of organizations are prioritizing the consolidation of their cloud security footprint to eliminate gaps created by fragmented tools.
Speed without security is dangerous. To unlock the true promise of AI-driven productivity, enterprises must move beyond vibe coding and toward engineered trust. This means:
-
Mandating rigorous scanning: AI-generated code must be reviewed with the same (or greater) rigor as human code.
-
Consolidating platforms: Moving away from a slew of different security tools to a unified “code-to-cloud” platform.
-
Defining accountability: Ensuring that every line of code, whether written or “vibed,” has a human responsible for its integrity.
The future of the cloud is being written by AI, but it must be governed by humans. If we continue to prioritize the “vibe” of rapid innovation over the reality of secure engineering, we aren’t just building applications; we’re creating security liabilities.
