“Should we be worried about vibe coding?”

That’s the question we hear in nearly every conversation with CISOs, CTOs, and engineering leaders.

The short answer: Yes. And for more reasons than you might think.

Here is what we heard about AI code generation and AI app builders in conversations with hundreds of security and engineering leaders over the past six months.

The AI Productivity Mandate

Inside nearly every boardroom and C-level review today, there’s a line item for AI. Every CEO and CTO we speak with has a mandate: adopt AI for productivity.

Hiring freezes are making the pressure worse. Leaders are asked to justify every new role—why can’t AI do the job instead?

Across industries, the question isn’t whether AI will be adopted; it is already being used in all forms. The question is how fast it is moving from ad hoc use to a de facto role player. And with job openings for AI talent growing every quarter, the shift is accelerating.

AI-generated code is no longer experimental. It is operational, baked into daily workflows.

Developers: The Early Majority

Developers are leading the adoption wave. Officially, many companies have standardized on tools like Cursor, Claude Code, or Augment Code.

Unofficially, every developer already has their assistant of choice—ChatGPT, Claude, Gemini. The result is an explosion of output. Developers are generating more code than ever before.

But here’s the tension: security resources haven’t kept pace. Across the industry, the norm is one AppSec engineer for every 150 developers. That ratio was barely manageable before. Now, with each developer producing two to three times more code, the backlog is becoming unmanageable.

Non-Developers: The New Shadow Coders

The more surprising trend is happening outside engineering. Product managers, sales engineers, even marketers are writing code. Tools like Replit and AI app builders have made it simple enough for anyone to create applications.

Business leaders see this as innovation and ask: Can we ship these apps?

Security and development teams are left saying: No, we can’t. And then spend cycles explaining why.

The reason is simple. These apps often lack basic architectural discipline, violate company policies, and contain glaring security flaws.

This is no longer just shadow IT. It’s shadow coding, and it’s spreading across the enterprise.

The Asymmetry Breaking Security

The math has become impossible.

AI has dramatically increased the volume of code. Review processes and security have remained underprovisioned. Old SAST tools and manual review cycles simply can’t scale.

The asymmetry is widening: more code, more insecure code, and no additional reviewers. Left unchecked, this imbalance will break both engineering velocity and security posture.

A New Approach to Security

Companies don’t have to choose between AI productivity and security. But they do need a new operating model.

That model must:

  • Scale with AI output – handling both developer and non-developer generated code.
  • Enable productivity, not block it – help developers use coding assistants safely.
  • Accelerate business velocity – help non-developers ship secure AI-generated apps.

The choice isn’t between security and speed. It’s whether your organization builds the capability to have both.

Closing Thought

AI isn’t just changing how we code. It’s changing who codes.

Security and engineering leaders can no longer measure success by catching up to the backlog. The challenge now is building systems that scale at the speed of AI.

The organizations that get this right won’t just be safer. They’ll move faster than their competitors.

About Palosade:

Palosade is the first agentic AI for software security with provable accuracy. It has context engineering for optimized results and built-in protections against hallucinations, retains knowledge and learns over time, and integrates seamlessly into the tools teams already use: Jira, Confluence, GitHub, Slack, cloud platforms, and more.

Learn more at www.Palosade.com, follow us on LinkedIn, and join the Palosade Community on Slack.