Art of Code
Back to Blog
ai

Vibe Coding in 2026: What It Is and How to Not Break Everything

Andrej Karpathy coined it in 2025. Now it is everywhere. Here is what vibe coding actually is, where it works, and how to avoid shipping security disasters with it.

Curious Adithya8 min read

Andrej Karpathy coined the term in February 2025 and it became Collins English Dictionary's Word of the Year. In 2026, vibe coding is everywhere. And so are the disasters people create with it.

Here is what nobody tells you before you start: vibe coding is not just "using ChatGPT to write code." It is a specific shift in how you think about programming, and if you do not understand that shift, you will waste a lot of time cleaning up messes the AI made for you.

Let me break down exactly what vibe coding is, where it actually works, where it quietly destroys your project, and how to do it right.

What Vibe Coding Actually Means

Vibe coding is when you describe what you want, let an LLM generate the code, and move forward without deeply reviewing everything the AI wrote. Karpathy described it as "fully giving in to the vibes, embracing exponentials, and forgetting that the code even exists."

That last part is both the appeal and the danger.

The appeal is obvious. You ship faster. You prototype in hours instead of days. You spend more time thinking about what to build instead of how to build it.

The danger is that you are running code you do not fully understand. And that has consequences.

From Vibe Coding to Agentic Engineering

Karpathy has already moved the conversation forward. His newer framing is "agentic engineering." The idea is that AI does the implementation work 99% of the time, but you stay in the driver's seat. You own the architecture, the quality checks, and the final call on what gets accepted.

The shift from vibe coding to agentic engineering is the shift from YOLO to professional oversight.

Vibe coding: describe it, accept it, move on. Agentic engineering: describe it, review it, run checks, approve or reject, then move on.

The second approach still uses the same AI tools. The difference is what happens between the AI finishing and you clicking accept.

With tools like Cursor, Windsurf, and GitHub Copilot Workspace, agents can now touch multiple files at once, run commands, scaffold entire features, and propose changes across your whole codebase. The scope is bigger. The responsibility of reviewing is bigger too.

The Real Numbers on AI-Generated Code Safety

Here is the part that should make you slow down.

45% of AI-generated code introduces security vulnerabilities. That is not a fringe statistic. That comes from security researchers who tested five major vibe coding tools across 15 applications and found 69 security vulnerabilities in the generated code.

In one test, LLMs failed to secure code against cross-site scripting in 86% of cases. Missing input sanitization was the most common issue. Hardcoded credentials showed up constantly because the AI would insert API keys or placeholder strings directly into the generated snippet.

By 2026, AI agents write roughly ten times more code than humans do. If 45% of that code has security problems, the scale of the problem compounds fast.

This does not mean you should not use AI for coding. It means you should not use AI for coding without a review process.

Where Vibe Coding Actually Works

There are legitimate, powerful use cases where vibe coding is the right approach.

New apps and side projects. If you are building something from scratch to validate an idea, vibe coding lets you get a working prototype in front of real users in a fraction of the time. The risk is low because nothing is in production yet and you can iterate fast.

Scaffolding and boilerplate. Setting up project structure, configuring tooling, generating CRUD endpoints. These are predictable patterns the AI handles well. Review it once, ship it, move forward.

CLI tools and scripts. Lower attack surface. Easier to test. Easy to see exactly what the code does.

UI prototypes. Generating a UI from a description works remarkably well. Tweak the output, adjust styling, and you have a real interface without hand-writing every component.

Demos and internal tools. If this is never going to hit production or it lives behind auth that you control, the security surface is small enough that speed wins.

Where Vibe Coding Will Hurt You

Production-critical paths are not the place for code you have not read.

Payment processing, authentication flows, data access logic, API endpoints exposed to the internet. These are areas where one hallucinated function call or one missing validation check has real consequences for real users.

AI agents sometimes confidently introduce patterns that look correct and are not. They borrow from their training data, which includes both secure and insecure code, and they pattern-match without actually understanding security principles.

The CurXecute vulnerability that emerged in 2025 allowed attackers to make the Cursor AI agent execute arbitrary commands on a developer's machine through an active MCP server. A vulnerability in Claude Code allowed data to be exfiltrated through DNS requests using prompt injection. These were not theoretical risks. They were real vulnerabilities in widely used tools.

If you vibe code production logic without reviewing it, you are trusting a pattern-matching system to make security decisions it is not equipped to make.

How to Vibe Code Without Creating Disasters

The good news is that vibe coding and safety are not mutually exclusive. You just need a process.

Start with a clear spec. Before you give the AI anything, write down exactly what you need. What inputs does this take? What should it output? What edge cases matter? A clear spec produces better code and gives you something to check the output against.

Turn on every automatic check you have. Linters, type checkers, formatters. Let them run on everything the AI generates. If the AI's code cannot pass a basic lint check, you know immediately that something is wrong.

Run tests before you accept. If you have a test suite, run it after every batch of AI changes. This is your fastest way to catch when the AI broke something it did not know existed.

Review every edit before accepting. This is the single biggest habit that separates professionals from vibe coders in the bad sense. Read the diff. Understand what changed. Approve or reject. Every time.

Keep a revert point. Before any significant AI-generated change, make sure you can roll back. Commit first, then let the agent work. If the result is a mess, you can get back to clean state in seconds.

Use spec-driven development. Give the agent a well-defined project outline at the start of each session. The more context it has about your project structure, your patterns, your constraints, the better the output will be. Agents that know your codebase make fewer mistakes than agents working blind.

Review security-sensitive changes manually. Anything involving auth, payments, data access, or user input should get your eyes on it. Do not accept that one blindly.

The Mindset Shift That Actually Helps

The developers who get the most out of AI coding tools are not the ones who let the agent do everything. They are the ones who treat the agent like a very fast junior developer.

A fast junior developer can write a lot of code quickly. You still review it. You still catch the things they got wrong. You still own the final product.

That mental model keeps you in the right posture. You are not abdicating responsibility. You are scaling your output while staying in control of quality.

Vibe coding works when you are the architect making fast decisions and the AI is implementing them under your supervision. It breaks down when you hand over the architecture too.

What the Spec-Driven Approach Looks Like in Practice

Here is a workflow that works.

Before you open your AI coding tool, write a project outline. What is this feature doing? What files does it touch? What are the inputs and outputs? What patterns does it need to follow?

Share that outline with the agent at the start of the session. Let it plan before it writes. Review the plan before it executes.

As the agent makes changes, approve or reject each batch. Run your checks after each batch. Keep your commits clean so you know exactly what state you are in.

When you hit a wall because the agent made a mess, revert to your last clean commit and give clearer instructions. Do not try to patch the mess. Starting fresh with better context almost always produces better results faster.

Key Takeaways

  • Vibe coding means letting an LLM generate code you trust without deeply reviewing. It works for speed. It creates risk when applied to production-critical paths.
  • Agentic engineering is the more professional version: AI does the implementation, you stay in oversight and own the architecture.
  • 45% of AI-generated code has security vulnerabilities. Missing input validation and hardcoded credentials are the most common issues.
  • Great use cases: new apps, scaffolding, CLI tools, UI prototypes, demos, internal tools.
  • Risky use cases: authentication, payment processing, public-facing API endpoints, anything with user data.
  • The review habit is everything. Read every diff. Run your checks. Approve or reject consciously.
  • Treat the AI like a fast junior developer. You are still the architect. Do not outsource that part.

Written by Curious Adithya for Art of Code.