All Blogs
AI December 2025 5 min read

What Vibe-Coding Gets Right (and Dangerously Wrong)

The "just ship it with AI" movement has produced some genuinely impressive products. It's also shipped some spectacular failures into production. The difference isn't the tool — it's understanding what AI handles well and what it silently gets wrong.

What Vibe Coding Gets Right

"Vibe coding" — the practice of building products primarily through natural language prompts to AI, often without deeply reading the output — has become the dominant way a certain class of founder builds software. The results are genuinely mixed in ways that aren't being discussed honestly.

The successes are real: products that would have taken a team months built by one person in a weekend. Demos that land investment. MVPs that find product-market fit faster because they shipped before the money ran out. The speed argument is not a lie.

But the failures are also real, and they're less visible because they often don't announce themselves with a dramatic crash. They accumulate quietly: in security vulnerabilities nobody audited, in performance debt that compounds into user churn, in codebases that become unmaintainable after the first three months.

What AI Gets Right

AI code generation is genuinely excellent at certain things — and understanding what they are is how you use it responsibly:

  • Boilerplate and scaffolding — Setting up project structure, configuration files, standard CRUD operations, form validation logic. Fast, reliable, and low-risk to accept without deep review.
  • Known patterns in well-represented frameworks — If you're building something in React, Next.js, or Rails that resembles things that already exist on the internet, AI will generate competent code that usually works.
  • Explaining and documenting existing code — AI is often better at reading code than writing it. Use it to generate documentation, write test descriptions, or understand an unfamiliar codebase.
  • Iteration speed on UI — Going from "make this look more premium" to a working implementation in minutes. This is where vibe coding genuinely shines.

What AI Gets Silently Wrong

High-risk areas

  • Authentication & session management
  • Payment processing & webhooks
  • File upload & storage handling
  • Database query construction
  • API key & secret handling
  • Rate limiting & abuse prevention

Why they're dangerous

  • Looks correct, fails under edge cases
  • Missing signature verification
  • Path traversal vulnerabilities
  • SQL injection in dynamic queries
  • Keys exposed in client bundles
  • Easy to DDoS without protection

The pattern in all of these: AI generates code that works for the happy path, but misses the adversarial paths. A signup form that creates an account perfectly but doesn't handle duplicate emails, expired tokens, or concurrent requests. A file upload that works for JPGs but allows arbitrary script execution via a crafted filename.

The danger of vibe coding isn't that AI writes bad code. It's that AI writes plausible-looking code that a non-expert can't identify as bad. The bugs hide in confidence.

The Standard We Hold Ourselves To

At RYC, we use AI heavily in our development workflow. We're not apologetic about it — it's why we can deliver in weeks instead of months. But we have a non-negotiable layer of senior review that vibe coding skips.

The rule is: AI drafts, humans own. Every security-relevant code path is read line by line by a developer who understands what it's doing and why. Every database interaction is reviewed for injection risk. Every authentication flow is tested against a threat model, not just a happy-path demo.

This adds time compared to pure vibe coding. It adds significantly less time than the alternative, which is discovering a security incident six months after launch.

Who Should Vibe-Code (and Who Shouldn't)

Pure vibe coding is appropriate for: demos, internal tools, prototypes that will be rebuilt before they scale, and products where the data is low-sensitivity and the user base is small enough that a breach isn't catastrophic.

It's not appropriate for: anything handling payment data, health data, or personal information. Anything that will scale to real user volumes. Anything where a security vulnerability could cause serious harm to users or the business.

The honest version of the vibe coding conversation is this: it's an extraordinary tool for exploration and speed, and it requires a senior layer of judgment to be used safely in production. Both things are true. Pretending only one is true is how products get shipped with vulnerabilities that shouldn't have made it past review.