Vibe coding · May 24, 2026

What Is Vibe Coding (and Where It Breaks in Production)

“Vibe coding” — a term coined by AI researcher Andrej Karpathy — is the practice of building software by describing what you want to an AI tool and accepting the code it generates, instead of writing it line by line. Tools like Lovable, Replit, Bolt, Cursor and v0 have made it possible to go from an idea to a running app in an afternoon, with no formal engineering background.

Why it exploded

The appeal is obvious: speed and access. You can ship a working prototype before you'd normally have finished a spec. The result is a wave of non-technical builders — by some measures, the majority of vibe-coding users aren't developers at all, and a meaningful share of new startups now run on codebases that are almost entirely AI-generated.

For prototypes, demos and internal tools, that's a genuine superpower. The trouble starts when one of those prototypes meets real users, real money and real data.

Where it breaks

1. Security

AI tools are trained on public code, including a lot of insecure patterns. Independent scans have found that a large share of AI-built apps ship with at least one critical security flaw — exposed API keys, missing authentication, no input validation. The app “works,” so the problem stays invisible until someone exploits it.
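The point that the app “works” while the flaws stay invisible, shown as an added example (not code from this page or from any of the tools it names): a constructed refund handler with a hard-coded key, no authentication and no input validation, next to a hardened version. The request shape, `PAYMENT_API_KEY`, the session map and the refund limit are assumptions made for illustration.

```javascript
// Constructed example: a refund endpoint modelled as a plain function that
// takes {headers, body} and returns {status, body}. All names are hypothetical.
const MAX_REFUND_CENTS = 50000; // assumed business limit

// Stand-in for a payment provider; records every call it receives.
function makeProvider() {
  const calls = [];
  return { calls, refund(key, orderId, cents) { calls.push({ key, orderId, cents }); } };
}

// Before: passes a happy-path demo, carries all three flaws.
function refundNaive(req, provider) {
  const apiKey = "CONSTRUCTED-PLACEHOLDER-KEY"; // secret hard-coded in source
  // No authentication: any caller who reaches the route triggers a refund.
  // No validation: orderId and amountCents are forwarded as received.
  provider.refund(apiKey, req.body.orderId, req.body.amountCents);
  return { status: 200, body: { refunded: req.body.amountCents } };
}

// After: same happy-path response, but the three gaps are closed.
function refundHardened(req, provider, env, sessions) {
  const apiKey = env.PAYMENT_API_KEY; // secret injected at deploy time
  if (!apiKey) return { status: 500, body: { error: "server misconfigured" } };
  const auth = (req.headers && req.headers.authorization) || "";
  const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
  if (!token || !sessions.has(token)) {
    return { status: 401, body: { error: "authentication required" } };
  }
  const { orderId, amountCents } = req.body || {};
  const idOk = typeof orderId === "string" && /^[A-Za-z0-9_-]{1,64}$/.test(orderId);
  const amountOk = Number.isInteger(amountCents) && amountCents > 0 &&
    amountCents <= MAX_REFUND_CENTS;
  if (!idOk || !amountOk) return { status: 400, body: { error: "invalid request" } };

  provider.refund(apiKey, orderId, amountCents);
  return { status: 200, body: { refunded: amountCents } };
}

// Runs both handlers against the same three constructed requests.
function compare() {
  const env = { PAYMENT_API_KEY: "from-secret-store" }; // constructed value
  const sessions = new Map([["tok-alice", { user: "alice" }]]);
  const good = { headers: { authorization: "Bearer tok-alice" }, body: { orderId: "ord_1", amountCents: 1200 } };
  const anon = { headers: {}, body: { orderId: "ord_1", amountCents: 1200 } };
  const bad = { headers: good.headers, body: { orderId: "ord_1", amountCents: -999999 } };
  const run = (h, ...extra) => [good, anon, bad].map((r) => h(r, makeProvider(), ...extra).status);
  return { naive: run(refundNaive), hardened: run(refundHardened, env, sessions) };
}
```

`compare()` returns the status codes for a valid request, an unauthenticated one and one with a negative amount: the first handler answers 200 to all three, which is why a demo never reveals the problem.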

2. Cost

Generated code tends to be naive about efficiency: chatty database queries, no caching, oversized infrastructure. It's fine at ten users and brutal at ten thousand, when your hosting and database bills start climbing faster than your revenue.

3. Maintainability

When nobody on the team actually wrote the code, nobody fully understands it. Adding a feature or fixing a bug means re-prompting and hoping — which works until it doesn't, and you can't tell why.

4. The edges

Happy-path code is easy for AI. Error handling, edge cases, retries, and the unglamorous reliability work are exactly where generated code is thinnest — and exactly what separates a demo from a product.

The production gap

None of this means vibe coding is bad. It means the output is a fast, fragile first draft. Getting from “it runs on my screen” to “it survives real users” is a different discipline: securing it, hardening it, controlling costs, and making it maintainable. That gap is bridgeable — usually in weeks, not months — but it doesn't close itself.
