Introduction

Almost every engineering team is using AI tools now. The 2025 DORA report found that roughly 90% of developers report using some form of AI assistance, with a median of two hours per day spent working directly with these tools. That’s not a pilot program. That’s a structural shift in how software gets built.

But adoption and readiness are two different things. Most teams adopted the tools before they redesigned the workflows around them. The gap between those two realities is where a significant and growing category of engineering problems lives.

This article is not an argument against AI-assisted development. It’s an argument for building the right structure around it, because without that structure, the speed AI delivers becomes a liability that compounds over time. Continue reading.

The velocity gap

Before AI tools became standard, the pace of code production was naturally constrained by human typing speed, cognitive load, and the friction of looking things up. Those constraints were inefficiencies, but they also served as a natural form of pacing. A developer writing code manually was also thinking through it, encountering edge cases, and making small decisions that accumulate into system-level coherence.

AI tools removed much of that friction. A well-prompted model can generate in minutes what used to take hours. Pull request volumes at teams using AI tools have roughly doubled according to Faros AI’s telemetry data, while task completion rates improved by over 20%. The individual productivity gains are real and measurable.

The problem is that the downstream infrastructure was designed for the old pace. Code review processes, testing pipelines, security audits, architectural governance: none of it scaled when code generation doubled. 

When output grows but review capacity stays flat, something has to give. In most cases, what gives is depth of review. PRs get approved faster. Tests get written less carefully. Architecture decisions get deferred. And the codebase starts accumulating a specific kind of debt that is hard to see until it surfaces in production.

What vibe coding actually produces

The term "vibe coding" entered the developer lexicon in early 2025, coined by Andrej Karpathy to describe a workflow where developers describe what they want in natural language, accept AI-generated output without deep review, and use follow-up prompts to address problems rather than reasoning through the code directly. Collins English Dictionary named it their Word of the Year for 2025, which is a reasonable signal of how quickly the concept spread.

For prototypes, MVPs, and exploratory work, the vibe coding approach is genuinely useful. Speed is the priority, and the stakes are low enough to absorb the structural imprecision. The danger is when that same approach migrates into production systems, because it carries very specific failure patterns with it.

API security firm Escape.tech scanned over 1,400 vibe-coded production applications and found that 65% had security issues. 58% contained at least one critical vulnerability, including over 400 exposed secrets and 175 instances of exposed personally identifiable information. 

A separate December 2025 analysis by security firm Tenzai examined 15 production applications built with major AI coding tools. Every single one lacked CSRF protection, and every single one contained server-side request forgery vulnerabilities. These are not sophisticated attack vectors. They’re the OWASP Top 10, the failures that structured code review catches routinely.

The structural explanation for this pattern is straightforward. AI models optimize for code that runs without errors. They don't optimize for code that handles edge cases correctly, integrates cleanly with existing systems, or maintains the security posture the rest of the application depends on. That gap between "works in the demo" and "works in production" is exactly where vibe-coded systems accumulate risk.

The scale of what's already in production

The vibe coding wave was not limited to side projects. According to reporting by TechStartups based on analysis of the startup ecosystem, roughly 10,000 startups attempted to build production applications with AI assistants during 2025. More than 8,000 of them now need rebuilds or rescue engineering. Remediation budgets range from $50,000 to $500,000 per project.

Alex Turnbull, founder of Groove, spent 12 months building two enterprise-grade AI products and was direct about what he found: vibe coding got him to a demo. It didn’t get him to production. Real engineering did. 

His summary of the experience was blunt enough to circulate widely on LinkedIn: the promise of shipping complex AI products without experienced engineers is, in his words, a setup for catastrophic failure.

This is not isolated to startups. Pixelmojo’s analysis of enterprise AI adoption documented that 42% of companies abandoned most of their AI initiatives in 2025, more than double the rate from the previous year. RAND research found that 80% of AI projects never reach their intended outcomes. 

The pattern is consistent: early enthusiasm, rapid prototyping, then a steep drop-off when teams encounter the integration, security, scale, and governance requirements that the initial demos never touched.

The cost of that drop-off is not just project failure. It’s the accumulated technical debt from every system that shipped without proper structure, sitting in production, quietly accumulating risk until something breaks.

Why the next wave will be bigger

What makes this moment particularly important is timing. Vibe coding as a concept is less than two years old. The systems built during its initial adoption wave are now reaching the age where maintenance complexity becomes visible. 

They’re growing. They’re being modified by developers who didn’t write the original code. They’re being asked to integrate with other systems and handle edge cases the original prompts never anticipated.

AI tools, it turns out, are not well-suited to fixing the problems they helped create. When a system is built through hundreds of AI-assisted iterations without a coherent architecture, asking an AI to clean it up produces surface-level changes rather than structural correction. 

The system needs reasoning about its own design, not more code generation. That reasoning requires human judgment and engineering expertise.

The boom of broken systems that needs remediation is not a future prediction. It’s already visible in the data and the project pipelines of teams that work with engineering infrastructure at scale. 

What will grow in the coming years is the volume, as more of the systems built in 2024 and 2025 reach production maturity and begin to surface the costs of the shortcuts taken in their construction.

The parallel to earlier technology waves is instructive. When WordPress made web publishing accessible to anyone, a generation of websites got built that eventually needed professional engineering to scale, secure, and maintain. 

When DevOps tools democratized deployment pipelines, a wave of fragile automation followed that more experienced teams spent years cleaning up. AI has democratized code generation at a far greater scale, and the maintenance wave that follows will be proportionally larger.

What governance actually looks like in practice

The solution is not slowing down. It’s building structure around the speed AI creates. The teams that are successfully converting AI velocity into durable production systems are not the ones that avoided AI tools. They’re the ones that redesigned their delivery workflows to govern the output of those tools.

In practical terms, that means a few things that are less glamorous than the tools themselves but significantly more important for long-term outcomes.

Code review that matches AI generation volume. When PR volume doubles, review bandwidth needs to grow proportionally, or review depth degrades. That doesn’t mean more headcount. It means smarter triage, automated pre-review, and clear ownership of what gets deep human attention versus what can be validated with automated checks.

Security review integrated into the pipeline, not appended at the end. AI-generated code has a specific set of security failure patterns, and catching them requires checking for those patterns explicitly, early in the development process rather than before a release. The vulnerabilities documented in vibe-coded production systems are not novel. They’re well-understood categories that automated scanning can catch if the scanning is part of the workflow.

Architectural oversight that survives engineer turnover. When systems are built through AI prompts rather than deliberate design, the architectural intent often exists only in the mind of the person who wrote the prompts. 

When that person moves on, the intent moves with them. Documentation and architectural decision records, maintained continuously, are what make AI-built systems maintainable by teams other than the one that built them.

Continuous operational context rather than reactive incident response. In a system where AI agents are generating changes faster than humans can track manually, operational visibility has to be automated. 

An agent that monitors infrastructure, correlates signals, and surfaces anomalies before they become incidents is not a luxury in this environment. It’s a prerequisite for stable operations.

The EZOps Cloud delivery model as a structural answer

The way we built our delivery model at EZOps Cloud reflects a specific response to this problem. We use AI extensively, because not using it would be leaving a significant productivity advantage on the table. But we built it into a structure where the output is continuously reviewed, the context is continuously maintained, and human judgment is preserved at the decision points that matter.

ACE Dev, our in-house DevOps agent, provides the operational intelligence layer: continuous monitoring, signal correlation, anomaly detection, and contextual recommendations. Every recommendation goes through engineer validation before it becomes an action. 

The agent does not operate autonomously in production environments. It operates as a layer of intelligence that keeps senior engineers informed and well-positioned to make good decisions quickly.

That combination produces outcomes that neither humans nor AI achieve alone. The agent sees patterns across the full environment that no individual engineer can track manually. 

The engineer brings the judgment about which patterns matter, what the right response is, and what the downstream implications are. The documentation is maintained because the agent keeps context current, not because engineers are expected to context-switch into documentation mode during delivery.

For clients, this means full visibility into what's happening in their environment and what the engineering team is doing in it, without the overhead of managing a monitoring function separately. It means changes that are validated before they ship, not reviewed after something breaks. And it means an infrastructure that grows in complexity without requiring proportional growth in headcount, because the governance layer scales with the system.

What to do before it becomes a postmortem

If your team is already shipping with AI tools and hasn't revisited your governance model, the practical question is where to start. The answer depends on the current state of your system, but a few things are worth doing regardless of where you are.

Map what AI is touching. Not all AI-assisted code carries the same risk. Code that handles authentication, payments, data privacy, or external API integrations needs a higher level of review than internal tooling or content generation. Knowing where the exposure is concentrated is the first step toward triaging where governance attention matters most.

Measure rework rate, not just velocity. If your team is shipping faster but spending more time fixing recently shipped code, that's a signal that the pace of generation has outrun the quality of review. Velocity metrics without quality metrics are incomplete and can mask accumulating debt.

Treat AI as a capable junior engineer. Fast, broad, and useful for first drafts, but requiring oversight on anything that touches production. The teams that get the most out of AI tools are the ones that maintain that mental model clearly. It defines the review standard appropriately without either dismissing the tools or over-trusting their output.

Build context preservation into your process. Every system will eventually be maintained by someone who didn't build it. If the architecture exists only in prompts, that person starts from scratch. Architectural decision records, maintained as a living document rather than a one-time artifact, are the best insurance against the institutional knowledge problem that AI-built systems are particularly prone to.

The opportunity inside the problem

The wave of AI-built systems that will need remediation is a real problem for the teams who built them without governance. For teams that are building governance now, it's an opportunity: the demand for engineering expertise that can take over fragile, AI-generated systems and make them production-ready is already growing, and it will continue to grow as the systems built in 2024 and 2025 age into their first major scaling challenges.

2024 and 2025 age into their first major scaling challenges.

The companies that understand this are not the ones avoiding AI. They’re the ones building delivery systems where AI velocity is paired with the structural discipline to make that velocity durable. 

That combination, AI-first plus senior execution with governance embedded rather than appended, is what separates a fast prototype from a system that can actually be owned, operated, and scaled over time.

FAQ

What is vibe coding and why is it a production risk?

Vibe coding is a development approach where developers prompt AI to generate code and accept the output without deep review, relying on follow-up prompts to fix problems as they surface. 

For prototypes, this is often fine. For production systems, it creates specific failure patterns: security vulnerabilities, architectural inconsistencies, and codebases that are difficult to maintain because the design intent was never documented or even fully articulated.

How common are security vulnerabilities in AI-generated code?

Research consistently puts the figure in the range of 40 to 65% of AI-generated code containing vulnerabilities. API security firm Escape.tech found that 58% of vibe-coded production applications contained at least one critical vulnerability. 

These are not exotic attack vectors. They're standard OWASP Top 10 failures that structured code review catches routinely, which is exactly why review remains essential even when the code is AI-generated.

What is the difference between AI-assisted development and AI-governed development?

AI-assisted development means using AI tools to generate code faster. AI-governed development means building a structure around those tools: review processes calibrated to AI generation volume, security scanning integrated into the pipeline, architectural oversight that survives engineer turnover, and continuous operational context maintained by agents that monitor the environment. The tools are the same. The governance is what makes the outcomes durable.

Is a boom of broken AI-built systems actually coming?

The data suggests it's already starting. TechStartups reported that more than 8,000 of the roughly 10,000 startups that attempted to build production applications with AI assistants in 2025 now need rebuilds or rescue engineering. 

RAND found that 80% of AI projects don't reach their intended outcomes. The systems that got shipped without proper governance are aging now, and the maintenance complexity is becoming visible. The volume will grow as more of that generation of systems reaches production maturity.

Are you thinking about what it takes to build AI-governed engineering into your delivery model? Start with a discovery call with the EZOps Cloud team.