Vibe coding — coined by Andrej Karpathy in February 2025 — has moved from a niche concept to a widely recognized workflow pattern. It's now mainstream enough for Trial, though the caveats about production use remain.
Why It Moved from Assess to Trial
In the year since Karpathy's original post, vibe coding has gone from a meme to an established practice:
- Mainstream adoption: Shopify CEO Tobi Lütke mandated that teams demonstrate a task can't be done with AI before requesting additional headcount. This isn't vibe coding per se, but it reflects the same "AI-first" workflow philosophy.
- Tool maturity: Cursor's agent mode, Claude Code, and Vercel's v0 have made the "describe and iterate" workflow genuinely productive for a wide range of tasks.
- Karpathy's own evolution: In February 2026, Karpathy coined "agentic engineering" as the professional counterpart — acknowledging that the production version of vibe coding requires engineering discipline.
- Industry backlash provides balance: Rachel Andrew's "Do You Need AI for That?" and Dave Rupert's "People Are Not Friction" offer healthy pushback against over-applying the pattern.
Where It Works Brilliantly
- Prototyping: Idea to working demo in hours
- Personal projects and internal tools: Where code quality bar is lower
- Unfamiliar territory: Quickly exploring a new framework or language
- Boilerplate: Generating repetitive scaffolding
Where It Falls Short
- The productivity paradox: A METR randomized controlled trial (July 2025) found experienced OSS developers were actually 19% slower with AI coding tools, despite believing they were 20% faster. Perception and reality diverge.
- Security concerns: CodeRabbit found AI-coauthored code has 1.7x more major issues; Veracode found 45% of AI-generated code introduces security vulnerabilities.
- Production systems: AI-generated code often lacks proper error handling, observability, and security hardening
- Complex domains: Financial systems, real-time systems, complex state machines need engineering expertise
- Maintenance: Code you don't understand is hard to maintain and debug
- Code duplication: GitClear found an 8x increase in duplicated code blocks during 2024 linked to AI tool adoption — the "copy-paste instead of extend" pattern is endemic to vibe-coded codebases
The Cleanup Problem
Practitioners argue that vibe refactoring should be ~50% of your vibe coding work — not an afterthought. AI-generated code works in isolation but accumulates maintenance debt as projects scale.
Warning signs your vibe-coded app needs cleanup (from multiple practitioner sources):
- Fear of touching files — 400-line components you can't explain
- "It works" explanations — inability to articulate how a feature functions
- Copy-paste development — duplicating instead of extending
- Cascading failures — changes in one area break unrelated functionality
- Dependency rot — outdated packages accumulating as security liabilities
- Bug whack-a-mole — fixing one bug spawns multiple new ones
- Missing observability — no structured logging, no metrics, no health checks
Four quality prompt categories (Seroter, 2025) for systematically hardening vibe-coded projects:
- Code Quality & Maintainability — refactor code smells, extract hardcoded values, establish linting
- Security & Reliability — address OWASP vulnerabilities, robust error handling, dependency audit
- Performance, Scalability & Observability — query optimization, structured logging, metrics instrumentation
- Production Readiness — Dockerfile, docker-compose, CI pipeline, configuration management
Recommended cadence: 5-minute review every session, weekly duplication check, monthly structural audit.
Key principle: incremental over rewrite — "If you're touching a file anyway, clean it up while you're there." Complete rewrites of vibe-coded apps are rarely necessary and often introduce new problems.
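The weekly duplication check in the cadence above is easy to automate. The following is an added example, not code from the original page or from any of the cited reports: it slides a window of identical normalised lines over a set of files and reports which files are mostly made of blocks that also appear elsewhere. The window size, the sample handler files and the function names are assumptions chosen for the example; pointing it at a real tree is a one-argument invocation.

```python
"""Constructed example: a weekly duplication check over a source tree, flagging
blocks of WINDOW identical consecutive lines that occur more than once.
The sample files below are made up to show copy-paste handlers; all names here
are assumptions for this example."""
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Tuple

WINDOW = 5  # a run must be at least this many identical lines to count as a duplicated block

# Constructed fixture: two handlers where the body was copied instead of extracted.
SAMPLE_FILES: Dict[str, str] = {
    "handlers/users.py": """\
def get_user(request):
    item_id = request.args.get("id")
    if item_id is None:
        return error(400, "missing id")
    try:
        item_id = int(item_id)
    except ValueError:
        return error(400, "bad id")
    return ok(db.find_user(item_id))
""",
    "handlers/orders.py": """\
def get_order(request):
    item_id = request.args.get("id")
    if item_id is None:
        return error(400, "missing id")
    try:
        item_id = int(item_id)
    except ValueError:
        return error(400, "bad id")
    return ok(db.find_order(item_id))
""",
    "handlers/health.py": """\
def health(request):
    return ok({"status": "up"})
""",
}


def normalize(line: str) -> str:
    """Drop indentation and trailing whitespace so re-indented copies still match."""
    return line.strip()


def duplicate_blocks(files: Dict[str, str], window: int = WINDOW) -> List[Tuple[str, List[Tuple[str, int]]]]:
    """Return (block_text, [(file, start_line), ...]) for every window seen more than once.
    Overlapping windows of one long copy are reported individually; windows containing
    a blank line are skipped so runs of whitespace do not count as duplication."""
    seen: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for name, text in files.items():
        lines = [normalize(l) for l in text.splitlines()]
        for i in range(len(lines) - window + 1):
            chunk = lines[i:i + window]
            if not all(chunk):
                continue
            seen["\n".join(chunk)].append((name, i + 1))  # 1-based line numbers
    return [(block, locs) for block, locs in seen.items() if len(locs) > 1]


def duplicated_line_ratio(files: Dict[str, str], window: int = WINDOW) -> Dict[str, float]:
    """Fraction of each file's lines covered by at least one duplicated block."""
    covered = {name: set() for name in files}
    for _, locs in duplicate_blocks(files, window):
        for name, start in locs:
            covered[name].update(range(start, start + window))
    return {name: len(covered[name]) / max(1, len(text.splitlines())) for name, text in files.items()}


def files_over_threshold(files: Dict[str, str], threshold: float, window: int = WINDOW) -> List[str]:
    """Files whose duplicated-line ratio exceeds the threshold, sorted by name."""
    return sorted(name for name, ratio in duplicated_line_ratio(files, window).items() if ratio > threshold)


def load_tree(root: str, suffix: str = ".py") -> Dict[str, str]:
    """Read every file with the given suffix under root (for a real repository)."""
    base = Path(root)
    return {str(p.relative_to(base)): p.read_text(encoding="utf-8", errors="replace")
            for p in sorted(base.rglob(f"*{suffix}")) if p.is_file()}


if __name__ == "__main__":
    import sys
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    for name, ratio in sorted(duplicated_line_ratio(tree).items()):
        print(f"{ratio:6.1%}  {name}")
```

Run it without arguments to see the two handlers reported at about 78% duplicated lines and the health handler at 0%; run it with a directory to scan a real tree. A threshold such as 25% makes a reasonable weekly tripwire, and the flagged files are the natural starting point for the "clean it up while you're there" rule.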
The Balanced Approach
The most effective pattern is agentic engineering — vibe coding's professional counterpart:
- Use AI to generate a first draft
- Read and understand the generated code
- Refine it with your domain knowledge and engineering judgment
- Write or review tests to verify correctness
- Periodically prompt for cleanup: dead code, security surface, error handling, observability gaps
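The "production systems" shortfall listed earlier (missing error handling, observability and security hardening) and the cleanup step just above are easiest to see side by side. The following is an added example, not code from the original page or from any tool it names: a user lookup in the form an assistant typically drafts it, followed by the same function after the read, refine and test pass. The schema, the in-memory sqlite3 fixture, the username rule and the function names are assumptions made for this example.

```python
"""Constructed example: an assistant-style 'first draft' lookup beside a hardened
version that closes the gaps a review pass should catch: input validation,
bound SQL parameters, explicit error handling and structured logging.
Schema, data and names are assumptions for this example."""
import json
import logging
import re
import sqlite3
from typing import Optional

log = logging.getLogger("users")


class UserLookupError(RuntimeError):
    """Raised when the database layer fails; callers never see raw sqlite3 errors."""


def make_db() -> sqlite3.Connection:
    """Constructed in-memory fixture standing in for the real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


# --- the draft as it is often generated: correct on the happy path only --------
def find_user_draft(conn, username):
    # The query text is assembled from the caller's input: no validation, no error
    # handling, no logging. This is the defect the review step exists to catch.
    cur = conn.execute(f"SELECT id, username, email FROM users WHERE username = '{username}'")
    return cur.fetchall()


# --- the same function after the read, refine and test pass ---------------------
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")  # assumed username policy


def find_user(conn: sqlite3.Connection, username: str) -> Optional[dict]:
    """Return the user as a dict, or None if absent; malformed usernames are rejected up front."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        # Structured event: machine-parseable, and it never echoes the rejected value.
        log.warning(json.dumps({"event": "user_lookup_rejected", "reason": "invalid_username",
                                "length": len(str(username))}))
        raise ValueError("username must match ^[a-z0-9_]{1,32}$")
    try:
        # Bound parameter: the input is data and never becomes part of the SQL text.
        row = conn.execute(
            "SELECT id, username, email FROM users WHERE username = ?", (username,)
        ).fetchone()
    except sqlite3.Error as exc:
        # Translate the driver error into one the caller can handle; keep the cause chained.
        log.error(json.dumps({"event": "user_lookup_failed", "error": type(exc).__name__}))
        raise UserLookupError("user lookup failed") from exc
    log.info(json.dumps({"event": "user_lookup", "found": row is not None}))
    if row is None:
        return None
    return {"id": row[0], "username": row[1], "email": row[2]}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    conn = make_db()
    print("draft, well-formed input :", find_user_draft(conn, "alice"))
    print("draft, malformed input   :", find_user_draft(conn, "alice' OR '1'='1"))
    print("hardened, well-formed    :", find_user(conn, "alice"))
    try:
        find_user(conn, "alice' OR '1'='1")
    except ValueError as err:
        print("hardened, malformed      : rejected ->", err)
```

Running the script shows the draft returning every row for a malformed input while the hardened version rejects it before the database is touched, and the log lines are JSON objects that a log pipeline can index. The test in a real project would assert exactly these three behaviours (rejection, bound lookup, driver failure mapped to `UserLookupError`), which is what "write or review tests to verify correctness" means in practice.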
Key Characteristics
| Property | Value |
|---|---|
| Coined by | Andrej Karpathy (Feb 2025) |
| Professional counterpart | Agentic Engineering (Karpathy, Feb 2026) |
| Best for | Prototyping, personal projects, exploration |
| Risk area | Production code without human review |
Security Radar
The security implications of vibe coding are covered in depth on the Security radar — particularly the AI-generated code vulnerability statistics and what tooling can help catch issues before they ship:
- OWASP LLM Top 10 — the canonical list of AI-specific risks, including prompt injection (#1) and insecure output handling
- Pre-commit Security Hooks — automated checks that run before every commit, catching common AI-generated vulnerabilities at the source
- Semgrep / Snyk Code — SAST tools well-suited to scanning AI-generated code at scale
Further Reading
- METR: Measuring AI coding task performance — research on AI developer productivity
- Veracode: 45% of AI-generated code contains security vulnerabilities
- Rachel Andrew: Do You Need AI for That?
- Agentic Engineering entry (this radar) — the professional counterpart Karpathy coined in 2026
- Quality-Focused Prompts for the Vibe Coding Addict — four strategic prompts covering quality, security, observability, and deployment readiness
- GitClear 2024 Coding Report — 8x increase in duplicated code blocks correlated with AI tool adoption