May 27, 2026
Bad vibes, worse security
The VibeSec Reckoning
AI app-building got reckless fast — and the comments are basically saying ‘told you so’
TLDR: The article says AI-built apps become dangerous when people rely on friendly instructions instead of real safety controls. Commenters were brutally unsurprised, mocking the idea of pushing “vibe coded” projects into production and arguing over whether prompts, tests, or hard limits actually keep people safe.
The big warning from Martin Fowler is simple: telling an AI to “be secure” while it builds software is not enough. Thoughtworks says so-called “vibe coding” — where non-experts use AI to whip up apps fast — is great for prototypes, but risky when those apps get pushed into the real world. Their fix is less magical prompt, more boring discipline: safety instructions, safer templates, stricter permissions, and daily updates on new threats. In other words, stop trusting the chatbot to remember the rules and build guardrails around it.
But the real fireworks are in the comments, where the mood is somewhere between grim prophecy and public roasting. One user basically shrugged, “we will learn the hard way... like always,” which pretty much became the thread’s slogan. Another went full blunt-force reality check: shipping “vibe coded” apps to production? “You played yaself.” Ouch. There was also a serious split over whether stuffing safety rules into the AI’s instructions is smart or laughably flimsy. One camp says that’s like asking a distracted intern to pinky-promise not to mess up; the other argues the bigger issue is building proper walls around the AI so it physically can’t do dangerous things. Even the testing debate got spicy, with one commenter sneering that perfect test scores can still mean absolutely nothing, especially when AI is involved. The result: a classic internet pile-on with a real lesson underneath — people love the speed, but they do not trust the vibes.
Key Points
- The article examines security problems that arise when organizations try to scale AI-generated "vibe coded" prototypes into production applications.
- It states that AI agents often choose insecure configurations because they optimize for the easiest path rather than secure implementation.
- The authors argue that prompting an AI to "be secure" is not sufficient to enforce secure software outcomes.
- Recommended short-term practices include using a security context file, reviewing AI permission requests carefully, and maintaining a daily security intelligence feed.
- The article also recommends medium- and long-term changes, including secure-by-default harnesses, templates, and broader organizational adaptations for AI-assisted development.