The promise of vibe coding is straightforward: give anyone, regardless of technical background, the ability to build functional software through natural language prompts and low-code interfaces. Platforms like Replit, Lovable and Cursor have made good on that promise. Millions of people who would never have called themselves developers are now shipping applications.
The problem is that most of those applications are insecure, and most of the people building them have no idea.
Who is actually using these tools
The user base for vibe coding platforms is not what the name might suggest. It is not hobbyist programmers experimenting at weekends. It is salespeople building client-facing tools, operations staff automating workflows, and project managers creating internal dashboards. These are people with legitimate business needs and no security training, using platforms that, until recently, have treated security as someone else's problem.
That assumption is no longer sustainable. High-profile data leaks have pushed security up the corporate agenda, and the question of who is responsible when a vibe-coded application exposes sensitive data is becoming harder to deflect.
The secure-by-default gap
The concept of secure by default has been discussed in software development for decades. The idea is simple: security should be the starting condition, not an optional configuration applied after the fact by someone who knows what they're doing. In practice, it has rarely been achieved.
Vibe coding platforms have a structural opportunity to change that, because they sit between the user and whatever gets built. Every application produced on the platform passes through infrastructure the platform controls.
That means guardrails can be enforced at the point of creation rather than bolted on afterwards. The tools exist. The architecture supports it. What has been missing is the commercial urgency to act.
We are now at the point where the threat, though not existential, is real. Enterprise customers, who represent the growth ceiling for these platforms, are beginning to ask questions that consumer users do not. Security certification, data handling standards and audit trails are becoming conditions of sale rather than afterthoughts.
The agent identity problem
The deeper security challenge is one that even technically sophisticated organisations are only beginning to confront. As autonomous agents take on tasks inside corporate systems, the question of identity becomes critical. When Cognition's Devin, an autonomous software engineer, writes and deploys code, what permissions does it hold? Who authorised its actions? Where is the log?
Most companies have no good answers. The frameworks for assigning identity to human users, built up over years of enterprise IT practice, do not map cleanly onto agents that operate continuously, autonomously and across multiple systems simultaneously.
Vibe coding platforms, if they are serious about enterprise adoption, will need to build identity and logging infrastructure into their core product rather than treating it as a feature for later.
The cost of moving fast
The growth of vibe coding has outpaced the security thinking around it. That gap will close, but the question is whether it closes through deliberate design or through a series of expensive failures that force the issue. For the enterprises now deploying these tools at scale, the answer to that question matters considerably more than the platforms' user growth numbers.