There's a category of conversation I've been having a lot lately. Someone comes in wanting a new website or web app, mentions they already tried building it themselves with an AI tool, and then explains — sometimes sheepishly, sometimes in genuine bewilderment — why they're talking to a real developer now.

The stories vary. A contact form that silently dropped submissions for three months. A checkout flow that applied discount codes in the wrong order and quietly gave away margin. An "admin dashboard" accessible to anyone who typed /admin in the URL. The problems are specific, the consequences are real, and the common thread is always the same: the code looked right, it felt right, and nobody who understood what they were looking at had ever actually looked at it.

This is the vibe coding moment we're living in.


What Vibe Coding Actually Is

Vibe coding — a term coined by AI researcher Andrej Karpathy in early 2025 — is the practice of building software by describing what you want in plain language and letting an AI generate the code. Tools like Lovable, Cursor, Bolt, and a dozen others have made this genuinely accessible. You don't need to know PHP from Python. You just describe the thing.

And to be clear: it works. For internal tools, throwaway prototypes, landing pages with no sensitive data, and demos you'll never put in front of real users, vibe coding is legitimately useful. The problem isn't that AI generates bad code — it's that the people using these tools often can't tell when it has.

According to a 2026 study from Hostinger, 92% of US developers now use AI coding tools daily, and 41% of all global code is AI-generated. That's a lot of code produced by tools that can't be held responsible for what they ship.


The Part Nobody Talks About in the Marketing

Security firm Escape.tech scanned 5,600 publicly deployed vibe-coded applications and found 2,000 highly critical vulnerabilities, 400 exposed secrets (API keys, access tokens, database credentials), and 175 instances of personally identifiable information sitting in plaintext — including medical records and payment data.

That's not a theoretical risk profile. That's a scan of real, live, production applications that real business owners pushed to the internet and told their customers to use.

The Moltbook breach is the sharpest example. A vibe-coded social network launched in early 2026 and was breached within three days. The culprit: a misconfigured Supabase database with no row-level security, which exposed 1.5 million API authentication tokens and 35,000 email addresses. The founder publicly stated he "didn't write one line of code."

There's no particular malice in that statement. That's just someone who trusted a tool to handle things it wasn't designed to be accountable for.

The Lovable platform — valued at $6.6 billion, serving eight million users — had a BOLA (Broken Object Level Authorization) vulnerability left open for 48 days after the company closed a bug bounty report without escalating it. Anyone with a free account could read other users' credentials, chat history, and source code. Their public explanation kept changing, eventually landing on blaming the bug bounty platform. This is a company with real engineering resources. The problem isn't incompetence — it's structural. When code is generated faster than it can be reviewed, accountability gaps form in the seams.
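Both incidents above come down to a missing per-record ownership check. As an added example (not code from this post's sources or from any company mentioned), here is how to audit a Postgres database for the Moltbook-style gap, tables with row-level security switched off, and how to close it. The `api_tokens` table and the policy name are hypothetical; `auth.uid()` and the `authenticated` role assume a Supabase project.

```sql
-- Hypothetical table for illustration; names are constructed, not from a real schema.
CREATE TABLE IF NOT EXISTS public.api_tokens (
    id         bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    user_id    uuid NOT NULL,   -- owner of the row
    token_hash text NOT NULL
);

-- Audit 1: every table in the exposed schema that has RLS turned off.
-- Any row returned here is readable in full by whoever can query the table.
SELECT n.nspname AS schema_name, c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')      -- ordinary and partitioned tables
  AND NOT c.relrowsecurity
ORDER BY c.relname;

-- Fix, step 1: enable RLS. With no policy defined yet, non-owner roles
-- see zero rows (default deny).
ALTER TABLE public.api_tokens ENABLE ROW LEVEL SECURITY;

-- Fix, step 2: signed-in users may read only the rows they own.
-- auth.uid() is Supabase's helper returning the caller's user id.
CREATE POLICY api_tokens_select_own
    ON public.api_tokens
    FOR SELECT
    TO authenticated
    USING (auth.uid() = user_id);

-- Audit 2: review what each policy actually permits. A policy whose
-- qual is simply "true" enables RLS in name only.
SELECT tablename, policyname, cmd, roles, qual
FROM pg_policies
WHERE schemaname = 'public'
ORDER BY tablename, policyname;

-- Caveat: table owners, superusers and roles with BYPASSRLS skip these
-- policies. In Supabase that includes the service_role key, so that key
-- must stay server-side.
```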


The Technical Debt You're Taking on Without Knowing It

Beyond security, there's a quieter problem: maintainability.

AI-generated code is often functional on the surface and incoherent underneath. Variables named without context. Functions that do three things at once. Business logic scattered across files with no discernible pattern. Database queries that work fine for 50 rows and fall apart at 5,000.

Georgia Tech's Vibe Security Radar logged 35 CVEs in March 2026 alone — up from 6 in January. The acceleration isn't because AI is getting worse. It's because the volume of AI-generated code in production is growing faster than the tooling to review it.

Over 40% of junior developers admit to deploying AI-generated code they don't fully understand. When something breaks in that code six months later — when a client asks you to add a feature, or traffic spikes, or a dependency updates — the cost of untangling it often exceeds the cost of having built it correctly the first time.

There's a name for this in software engineering: technical debt. Vibe coding doesn't eliminate it. It just accelerates the accrual.


Where This Fits for Business Owners

Here's the framing I find useful: vibe coding tools are optimized for speed-to-prototype, not fitness-for-production.

For a landing page that collects email addresses via a third-party form widget? Probably fine. For a web application that stores customer data, processes payments, integrates with your CRM, or runs any kind of business logic that touches money or personal information? The math changes.

The question isn't "can AI generate this?" — it can, with impressive speed. The question is "who is responsible when it fails?" and "who will maintain this when requirements change?"

Right now, the honest answer to both is usually "nobody obvious."

That's a business risk, not just a technical one. GDPR fines don't care whether your data breach came from hand-written code or a prompt. Your customers don't care whether your checkout bug was a human error or a hallucinated conditional. The accountability is still yours.


What Practitioners Actually Think

The Pragmatic Engineer's 2026 analysis is worth reading if you want the developer perspective unvarnished: the shift in the industry isn't from "developers" to "no developers" — it's from developers writing code line-by-line to developers orchestrating, reviewing, and taking ownership of AI-generated output.

The skill that matters now isn't typing speed. It's judgment. Knowing what to trust, what to test, what to throw away. Knowing when the AI has produced something that looks right but has a fundamental design flaw three layers down.

That's still a technical skill. It's just a different one than it was five years ago.


The Honest Bottom Line

Vibe coding is a real tool with real uses. I'm not here to tell you AI is bad or that the future of web development looks exactly like the past. It doesn't.

But "I built this with Lovable" and "this is production-ready" are not the same sentence. And right now, a lot of businesses are treating them as interchangeable.

At Pixelworx, we've spent 25+ years building software that business owners don't have to worry about — not because we distrust AI tools, but because we understand what "production-ready" actually requires. Code review. Security audits. Architectural decisions that hold up when requirements change. Tests that catch failures before customers do.

That work doesn't disappear when the first draft is AI-generated. If anything, it becomes more important — because the gap between "generated" and "verified" is exactly where things go wrong.

If you've got a vibe-coded project that needs a second set of eyes before it goes live, or you're starting something where the stakes are too high to find out later, let's talk.