← All Writing
 ·  7 min read  ·  OSA Editorial

Vibe Coding and the Illusion of Working Software

AI coding tools can produce applications that look finished and run without errors. That's not the same as software that's secure, maintainable, or correct under real conditions. The difference is what programmers are for.

A new term has entered the software development conversation: vibe coding. The idea is roughly what it sounds like. Instead of writing code with deliberate understanding of what it does, a developer — or increasingly, a non-developer — prompts an AI tool, accepts what it produces, tests whether it appears to work, and ships it. The vibe is right. The code runs. Close enough.

The appeal is obvious. The speed is real. And for throwaway scripts, internal tools, or early prototypes, the approach is often perfectly reasonable.

The problem is when vibe coding gets applied to software that actually matters — production applications, customer-facing systems, anything handling real data or real money — and the people deploying it don’t understand the difference between code that runs and code that works.

What “Working” Actually Means

Software that passes a surface-level test can still be deeply broken in ways that aren’t immediately visible.

A login system might authenticate correctly in every test you run while containing a SQL injection vulnerability that lets an attacker bypass it entirely. A payment processing function might handle the happy path flawlessly while failing silently on edge cases — a currency rounding error, a duplicate transaction, a timeout that leaves a charge without a confirmation. An API integration might work perfectly until the third-party service changes a response format, at which point it fails in ways that corrupt stored data rather than throwing an error.

None of these failures show up when you prompt an AI to generate the feature and ask if it looks right. They show up in production, often at the worst possible time, and they can be genuinely difficult to trace back to their cause — especially if the person who deployed the code doesn’t fully understand what it does.

This is the core problem with vibe coding applied beyond its appropriate scope: it confuses the appearance of working software with the reality of it.

What AI Code Generation Is Actually Good At

This isn’t an argument that AI coding tools aren’t useful. They are — significantly so.

AI assistants excel at the mechanical, well-defined parts of software development: boilerplate, routine CRUD operations, translating a clear spec into a first draft, converting code between languages, generating test cases for known scenarios. For experienced developers, these tools are genuinely productivity-multiplying — they eliminate the tedious parts of the work and let engineers focus on the parts that require real judgment.

The key phrase is “for experienced developers.” The productivity gain is largest when the person using the tool understands the output well enough to evaluate it, catches the mistakes, recognizes the security implications, and knows when the generated code is taking a shortcut that will cause problems later. The tool amplifies capability. It doesn’t replace the underlying understanding.

When that understanding isn’t there, the tool doesn’t produce working software faster. It produces plausible-looking software faster, which is a different thing.

The Specific Risks

Security vulnerabilities. AI models are trained on enormous amounts of code, including a great deal of code with known vulnerabilities. Generated code frequently reproduces common security mistakes — improper input validation, insecure authentication patterns, exposed credentials, unencrypted sensitive data — because those patterns are statistically common in training data. An experienced developer reviewing the output catches these. Someone who just wanted the code to run does not.

Technical debt that compounds. Vibe-coded applications tend to accumulate architectural problems that aren’t visible in early testing but become increasingly costly to work around. Functions that do too many things. Data models that don’t reflect the actual domain. Hardcoded values where configuration belongs. Dependencies on external services without fallback logic. Each of these is a small problem that becomes a large one as the application grows.

Maintenance no one can perform. Software isn’t a deliverable — it’s a commitment. Bugs get discovered. Requirements change. Dependencies go out of date. If the person maintaining the application doesn’t understand the code, every change is a risk and every bug is a mystery. The codebase becomes something that can only be replaced, not improved, and the cost of replacement grows with every feature added on top of a foundation nobody understands.

Edge cases that matter. Real-world software encounters inputs, timing conditions, and system states that don’t appear in simple tests. Handling them correctly requires thinking through failure modes, not just success paths. This is the part of software development that requires genuine understanding of what the code does and what can go wrong — precisely the part that vibe coding skips.

Why This Matters for OSA Platforms

The vibe coding question is directly relevant to the OSA category. Platforms that generate software components as part of delivering an outcome face the same challenge at scale: AI-generated code that passes functional tests is not the same as production-quality code.

OSA platforms that take software quality seriously treat human engineering review as a required step, not an optional one. The AI generates. The engineer evaluates, identifies the gaps, and ensures that what gets deployed is actually sound — not just apparently functional.

The platforms that skip this step are shipping the vibe coding problem upstream. They’re producing software that looks finished faster, which creates a different liability than producing it more slowly with genuine quality controls.

The Judgment That Isn’t Automatable Yet

Programming has always been two things: the mechanical translation of logic into code, and the judgment about what logic is correct, complete, and safe in the first place.

AI tools are increasingly capable of handling the first part. The second part — understanding requirements well enough to know when they’re underspecified, recognizing security implications before they become incidents, designing systems that will remain maintainable as they grow — still requires the kind of contextual understanding and accountability that comes from a professional who owns what they build.

Vibe coding is a productivity tool masquerading as a craft. The distinction matters most when the software is running on something that matters.

Subscribe below for further writing on OSA — what the evidence shows and where the open questions remain.

Follow the Thinking

Subscribe for occasional writing on the OSA category — what the claims are, what the evidence shows, and what the open questions are.

Subscribe