Vibe Coding Is Moving Faster Than Security – Market Research Agrees
AI-assisted coding ("vibe coding") is developing rapidly and changing how software is built. While it increases development speed and innovation, it also introduces new risks that traditional security measures struggle to address. Experts advise enterprises to adopt the technique cautiously and establish new security controls to balance speed with security.

2025-12-22 18:44:15 Author: securityboulevard.com

AI coding assistants are no longer experimental. According to Gartner’s May 2025 report, “Why Vibe Coding Needs to be Taken Seriously,” by 2028, 40% of new enterprise production software will be created using vibe coding techniques. At the same time, Software Analyst Cyber Research (SACR) reports that AI already generates up to half of enterprise code today. 

The opportunity is clear: faster development, less friction, and more innovation. 

The risk is becoming just as clear: security and remediation workflows were never designed for code that no human fully authored or reviewed. 

Analysts are converging on a shared conclusion – traditional AppSec assumptions no longer hold in an AI-first development model. 

What Gartner Really Means by “Vibe Coding” 

Gartner defines vibe coding as a methodology where developers focus on intent and outcomes, not implementation details. Engineers stay in a state of “flow” while AI agents generate, modify, and repair code autonomously. This shift delivers meaningful benefits including: 

  • Faster prototyping and iteration 
  • Reduced cognitive load 
  • Greater experimentation 
  • Improved developer experience 

But Gartner also issues a clear caution: today’s vibe-coded software is not yet production-ready. Gartner’s guidance is explicit: vibe coding should be piloted thoughtfully, governed carefully, and constrained by guardrails. 

The Security Gap Analysts Are Calling Out 

SACR’s research explains why this new development model breaks existing security workflows. Traditional AppSec assumes the code was authored by a human with clear intent and a fully traceable rationale for the decisions made. AI-generated code disrupts this model entirely.

According to SACR, organizations face structural challenges including: 

  • Context-blind logic that passes static checks but violates policy in production 
  • Excessive dependencies automatically introduced by AI agents 
  • Incomplete validation, where fixes solve one issue but introduce others 

In one cited study, repeated AI refinement cycles increased critical vulnerabilities by 37%, even as development speed improved. 

This is why analysts increasingly describe the problem as contextual, not volumetric.  

Why Detection Alone Is No Longer Enough 

Both Gartner and SACR point to the same inflection point: 

Finding vulnerabilities is no longer the hard part. Fixing them – correctly, confidently, and at scale – is. 

SACR describes a shift toward agentic remediation, where AI systems don’t just flag issues but: 

  • Propose fixes 
  • Validate them through multiple testing layers 
  • Explain their reasoning in clear and understandable terms 

This matters because developers are often reluctant to modify AI-generated code they didn’t write. Without context, even simple fixes require reverse engineering, which slows remediation and increases risk. 

Validation, provenance, and explainability are becoming the new control plane for application security. 

Where do AppSec teams go from here? 

Rather than banning vibe coding and AI-assisted coding or waiting for full maturity, analysts recommend measured adoption with explicit controls. Key guidance includes: 

  • Treat AI-generated code as a distinct risk class 
  • Track where AI is used and which models generate code 
  • Measure remediation time for AI vs. human-written code 
  • Pilot autonomous remediation in low-risk systems 
  • Require validation and traceability for AI-generated fixes 
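The guidance above (track where AI is used and which models generate code, measure remediation time for AI versus human-written code, and require validation and traceability for AI-generated fixes), together with the earlier description of agentic remediation (propose, validate across test layers, explain), can be made concrete with a small policy gate and metric. The following is an added example, not code from the article or from Legit Security: it assumes fixes arrive as commits whose provenance is recorded in hypothetical `AI-Generated` / `AI-Model` commit trailers (a convention invented here, not a standard), that each fix carries the names of the validation layers it passed and a reviewer-facing rationale, and it uses constructed sample records rather than real findings.

```python
"""Provenance gate and remediation metrics for AI-assisted fixes.

Added example; all record formats, trailer names and sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Validation layers an AI-generated fix must have passed before acceptance.
# The layer names are an assumption for this example, not a standard.
REQUIRED_LAYERS = {"unit", "sast"}


@dataclass
class FixRecord:
    finding_id: str
    opened: datetime
    closed: Optional[datetime]
    commit_message: str
    tests_passed: set = field(default_factory=set)
    rationale: str = ""


def parse_trailers(message: str) -> dict:
    """Parse git-style 'Key: value' trailers from the final paragraph of a commit message."""
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    if not paragraphs:
        return {}
    trailers = {}
    for line in paragraphs[-1].splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            trailers[key.strip()] = value.strip()
    return trailers


def classify(message: str) -> tuple:
    """Return ('ai', model_id) or ('human', None) from the hypothetical
    AI-Generated / AI-Model trailers (assumed convention)."""
    trailers = parse_trailers(message)
    if trailers.get("AI-Generated", "").lower() == "true":
        return "ai", trailers.get("AI-Model") or None
    return "human", None


def validate_fix(rec: FixRecord) -> list:
    """Policy gate: an AI-generated fix needs model provenance, the required
    validation layers and a reviewable explanation. Returns violations (empty = pass)."""
    author_class, model = classify(rec.commit_message)
    problems = []
    if author_class != "ai":
        return problems  # human-authored fixes follow the existing review path
    if model is None:
        problems.append("missing model provenance (AI-Model trailer)")
    missing = REQUIRED_LAYERS - rec.tests_passed
    if missing:
        problems.append("missing validation layers: " + ", ".join(sorted(missing)))
    if len(rec.rationale.split()) < 8:
        problems.append("rationale too short to review")
    return problems


def mttr_hours_by_class(records) -> dict:
    """Mean time-to-remediate in hours, split by author class, over closed findings."""
    buckets = {}
    for rec in records:
        if rec.closed is None:
            continue  # still open: not part of the remediation-time metric
        cls, _ = classify(rec.commit_message)
        hours = (rec.closed - rec.opened).total_seconds() / 3600
        buckets.setdefault(cls, []).append(hours)
    return {cls: round(mean(h), 2) for cls, h in buckets.items()}


def audit(records) -> dict:
    """Map finding id -> violations for every fix that fails the gate."""
    return {r.finding_id: v for r in records if (v := validate_fix(r))}


# Constructed sample records (not real findings, commits or models).
T0 = datetime(2025, 12, 1, 9, 0)
SAMPLE_RECORDS = [
    FixRecord("F-1", T0, T0 + timedelta(hours=4),
              "Use parameterised query in search\n\nAI-Generated: true\nAI-Model: hypothetical-model-v1",
              {"unit", "sast", "integration"},
              "Replaced the string-formatted query with a parameterised statement so user input is never interpreted as SQL."),
    FixRecord("F-2", T0, T0 + timedelta(hours=2),
              "Normalise file paths before open\n\nAI-Generated: true",
              {"unit"}, "fixed"),
    FixRecord("F-3", T0, T0 + timedelta(hours=30),
              "Bump dependency after advisory\n\nSigned-off-by: Dev <dev@example.com>",
              {"unit", "sast"}, "Manual review; upgraded the library and re-ran the full test suite."),
    FixRecord("F-4", T0, None,
              "WIP fix\n\nAI-Generated: true\nAI-Model: hypothetical-model-v1", set(), ""),
]

if __name__ == "__main__":
    print("MTTR (hours) by class:", mttr_hours_by_class(SAMPLE_RECORDS))
    for fid, problems in audit(SAMPLE_RECORDS).items():
        print(fid, "->", "; ".join(problems))
```

On the sample data the gate accepts F-1 (provenance, all layers and a readable rationale are present) and rejects F-2 on all three counts, while the metric reports a shorter mean remediation time for the AI class than the human class; the point of keeping the two outputs side by side is that a fast MTTR for AI fixes says nothing until the gate shows those fixes were validated and explained.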

The message is consistent: AI isn’t replacing developers, but security must adapt to how software is now created. 

The Bigger Picture 

Vibe coding isn’t a fad. Analysts expect it to reshape developer roles, software architecture as a whole, and how AppSec and development share accountability for security. The teams that succeed won’t be the ones that slow development down, but the ones that restore balance between speed and assurance. 

As SACR notes, the future of AppSec isn’t about finding every flaw. It’s about proving that the right ones were fixed, with reasoning that stands up to audit. 

That shift has already begun. 

Read the Gartner report here. 

Read the SACR report here.  

*** This is a Security Bloggers Network syndicated blog from Legit Security Blog authored by Dave Howell. Read the original post at: https://www.legitsecurity.com/blog/vibe-coding-is-moving-faster-than-security-market-research-agrees


Source: https://securityboulevard.com/2025/12/vibe-coding-is-moving-faster-than-security-market-research-agrees/