Board

Vibe Coding: Promise, Peril, and Policy

10 min read

Vibe coding — creating software through natural language prompts rather than manually writing code — was named Collins Dictionary Word of the Year 2025. It has moved from developer meme to boardroom agenda. The governance question is no longer whether to allow it. It is how to manage it.

The term originated in the developer community as a playful description of letting AI write code while the human "vibes" with the output — accepting what works, discarding what does not, iterating through conversation rather than compilation. What started as a weekend hack culture has rapidly become a production workflow, and the implications for security, quality, and organisational governance are profound.

This article maps the landscape for boards and senior leaders: where the genuine promise lies, where the risks are most acute, and what governance frameworks organisations should implement now — before the consequences of ungoverned adoption become irreversible.

The Promise

Shift from Implementation to Specification

The most fundamental shift that vibe coding introduces is the inversion of the traditional development bottleneck. For decades, the constraint was implementation — the time and skill required to translate a product vision into working software. With AI-assisted code generation, implementation is approaching near-instantaneous for a growing range of tasks.

The bottleneck has shifted to specification — the ability to clearly articulate what needs to be built, for whom, and why. This is not a trivial shift. It means the most valuable skill in a product team is no longer the ability to write code. It is the ability to think clearly about problems, define requirements precisely, and evaluate whether the output actually solves the problem it was designed to address.

For boards, this has strategic implications. The organisations that benefit most from AI-assisted development will not be those that adopt the tools fastest. They will be those whose product teams are best at specification — at understanding customers, defining problems, and evaluating solutions. This is precisely the capability that the product model has always emphasised.

Democratisation of Prototyping

The second major promise is democratisation. Product managers can now build working prototypes in hours rather than weeks. Founders can prototype features in a weekend. Designers can test interaction patterns with functional code rather than static mockups. The compressed time from idea to prototype allows richer customer discovery and validation — more iterations, more experiments, faster learning.

This is genuinely transformative for early-stage product development. The ability to put a working prototype in front of customers within days of identifying a hypothesis fundamentally changes the economics of discovery. Instead of committing engineering resources to build something that might be wrong, teams can validate assumptions with functional software at a fraction of the cost.

The Peril

The Security Risk

~40–45%

of AI-generated code contains potential security vulnerabilities. This is not a theoretical concern. It is a measured reality across multiple independent studies, and it represents the single most significant risk that vibe coding introduces into production environments.

AI models generate code by predicting the most probable next token based on training data. They do not understand security contexts, threat models, or the specific compliance requirements of your industry. They produce code that works — that compiles, runs, and appears to function correctly — but that may contain injection vulnerabilities, insecure authentication patterns, improper data handling, or exposed API keys.

The problem is compounded by the fact that the people most likely to adopt vibe coding are often the least equipped to identify these vulnerabilities. A product manager who builds a working prototype in an afternoon may not recognise that the code stores passwords in plaintext, fails to sanitise user input, or exposes internal APIs without authentication.

The "Illusion of Competence"

AI-generated code often creates what researchers describe as an "illusion of competence." The code runs. The tests pass (if tests were generated at all). The output looks correct. But beneath the surface, the code may be inefficient, unmaintainable, insecure, or architecturally incoherent.

This illusion is particularly dangerous because it undermines the feedback loops that traditionally catch quality problems. In conventional development, poorly written code is often caught during code review, where experienced engineers identify patterns that will cause problems at scale. With vibe-coded output, the volume of generated code can overwhelm review capacity, and the code may be structured in unfamiliar patterns that are harder to evaluate.

The Technical Debt Crisis

AI can now accumulate technical debt faster than ever before. What previously took months of hurried development to create can now be generated in days. The consequence is organisations drowning in code that nobody fully understands, that was never designed to be maintained, and that becomes progressively more expensive to modify.

The Compliance Nightmare

GDPR, HIPAA, SOC 2, PCI DSS — regulatory compliance frameworks require specific technical controls that vibe coders typically lack the depth to audit for. An AI model generating a user registration form may not implement GDPR-compliant consent mechanisms. A healthcare prototype may not encrypt data at rest. A payment flow may not meet PCI requirements for tokenisation.

For boards, this is not an engineering detail. It is a liability exposure. If AI-generated code enters production without compliance review and a data breach occurs, the regulatory and reputational consequences fall on the organisation — not on the AI model that generated the vulnerable code.

The "Spaghetti Code" Explosion

Fragmented, inefficient, insecure code is entering production at an accelerating rate. Senior engineers describe inheriting AI-generated codebases as worse than inheriting human-written legacy code, because the original "developer" — the AI model — cannot explain its reasoning. The code that runs but is not maintainable creates a compounding liability that grows with every sprint.

The "Accept All" mentality is the single greatest risk in vibe coding. Some practitioners adopt a tendency to trust AI suggestions wholesale, clicking "Accept All" on proposed changes without line-by-line review, under the rationale that the AI can fix any subsequent breaks in the next iteration. This is how security vulnerabilities enter production.

The Policy: What Boards Should Mandate

The governance question is not whether your teams are using AI to generate code. They are. The question is whether that usage is governed, visible, and safe. Here are the five policy pillars that boards should mandate.

1. Mandatory Security Scanning and Human Code Review

All AI-generated code entering production must pass automated security scanning (SAST, DAST, dependency analysis) and human code review by a qualified engineer. No exceptions. This must be enforced at the infrastructure level — not through policy documents that developers can ignore. Automated scanning catches known vulnerability patterns. Human review catches architectural coherence, maintainability, and context-specific risks that automated tools miss. Both are necessary. Neither is sufficient alone.

2. Sandboxed Environments for Prototyping

Vibe-coded prototypes must be built in sandboxed environments that cannot touch production data, production APIs, or production infrastructure. This allows the speed and creativity benefits of AI-assisted prototyping while containing the security and quality risks. The sandbox is where experimentation happens. Production is where governance applies.

3. Clear Handover Protocol

When a "vibe prototype" is ready to be "productionised," there must be a defined handover protocol. Senior engineers audit the AI-generated code, refactor for production standards, implement proper error handling, add monitoring and observability, and ensure compliance with relevant regulatory frameworks. The prototype is a proof of concept. The productionised version is the actual product.

This handover is not optional, and it is not a rubber stamp. It is a genuine engineering activity that may involve rewriting significant portions of the prototype. Boards should expect and budget for this step — it is the cost of responsible AI adoption. The organisations that skip this step in the name of speed will pay for it in security incidents, compliance failures, and maintenance costs that dwarf the time saved.

4. AI Literacy Programmes

Teach teams not just how to use AI, but how to evaluate its output. This means understanding what AI models are good at (boilerplate generation, pattern completion, syntax translation) and what they are poor at (security reasoning, architectural design, compliance awareness). AI literacy is not a one-time training session. It is an ongoing capability development programme that must evolve as the tools evolve.

5. Governance as Code

Implement automated guardrails that prevent deployment without passing security gates. This means CI/CD pipelines that reject code without passing security scans, mandatory approval workflows for production deployments, automated dependency auditing, and infrastructure-level controls that make insecure deployment physically impossible rather than merely policy-prohibited.

The Five Policy Pillars

  1. Security scanning + human review for all AI-generated code entering production
  2. Sandboxed environments for prototyping — cannot touch production data
  3. Clear handover protocol when prototypes move to production
  4. AI literacy programmes that teach evaluation, not just usage
  5. Governance as code — automated guardrails that prevent insecure deployment

The Evolving Senior Engineer: From Builder to Auditor

The role of the senior engineer is undergoing a fundamental transformation. In a world where AI can generate functional code at scale, the senior engineer's value shifts from building to auditing — from writing code to evaluating code, from implementing solutions to reviewing solutions for security flaws, architectural coherence, and long-term maintainability.

This is not a diminishment of the role. It is an elevation. The "Trusted Advisor" model positions senior engineers as the quality and security layer between AI-generated output and production systems. They review for hallucinations — code that appears functional but contains logical errors or impossible assumptions. They evaluate architectural coherence — whether the generated code fits within the existing system design or introduces fragmentation. They assess security posture — whether the code meets the threat model requirements of the specific deployment context.

Cutting senior engineering headcount because "AI writes the code now" is precisely backwards. You need more senior judgement, not less, when the volume and velocity of code generation increases. The organisations that successfully navigate the vibe coding transition will be those that invest in senior engineering capability, not those that eliminate it.

For boards, this means hiring rubrics and compensation structures need to evolve. The most valuable engineers will be those who combine deep technical expertise with the judgement to evaluate AI output — who can distinguish between code that works and code that is production-ready. These are rare skills, and the market is already pricing them accordingly.

The career path implications are significant. Junior engineers who only implement face the same pressure as product managers who only coordinate: AI automates both. The premium is on people who can think clearly about what to build and why, and who can evaluate whether AI-generated output meets the standard required for production. Organisations should be investing in upskilling their engineering teams for this new reality, not reducing headcount.

The Board's Three Questions

AI coding governance is a board-level concern — not because boards need to understand the technical details, but because the risks are material. A codebase riddled with security vulnerabilities is a business continuity risk. A compliance failure caused by AI-generated code that did not adhere to regulatory standards is a liability risk. An IP dispute over code generated by training on copyrighted material is a legal risk.

Boards should be asking three questions at every meeting: Does the company have an AI coding policy? Who is responsible for ensuring AI-generated code meets security and compliance standards? What percentage of the codebase is AI-generated, and what is the governance framework around it?

The companies that treat AI governance as an engineering detail rather than a strategic concern will be the ones that face the consequences first. The board does not need to write the policy — but it does need to ensure the policy exists, is enforced, and is reviewed regularly.

The vibe coding revolution is real, and its benefits are genuine. But like every powerful tool, it requires governance proportional to its power. The boards that establish these frameworks now will be the ones whose organisations capture the upside while managing the downside. Those that treat it as "just a developer tool" will discover the consequences in their next security audit — or their next data breach notification.

AI governance belongs on the board agenda.

The Product Leadership Chasm briefing provides the strategic framework for boards overseeing product-led organisations — including AI adoption, technical debt governance, and the evolving role of engineering leadership. Schedule a confidential conversation to discuss your specific context.

Explore the Board & Advisors hub Schedule a Confidential Conversation

Does Your Board Have a Vibe Coding Policy?

Schedule a confidential conversation. We will discuss AI governance frameworks and what structured oversight looks like for your organisation.

Schedule a Conversation