
      More and more departments are developing their own applications using generative AI – often without clear guidelines on data, quality and operations. This so-called ‘vibe coding’ describes a new approach to software development: applications are no longer created through manual programming, but by formulating requirements in natural language and having them translated directly into code by AI. This gives rise to a new form of shadow IT that spreads more quickly and is harder to control.

      Why are more and more applications being developed outside the IT department?

      When demand is high and established IT processes take too long, solutions are often created directly within the business unit.

      In the past, these were Excel models, macros or small databases. Many of these solutions gradually became business-critical – often without proper access controls, without monitoring and without a clear operational model.

      Today, essentially the same thing is happening – only much faster. With generative AI, applications, scripts or automated workflows can be created with minimal input. The barrier to entry is significantly lower, whilst the speed of development increases.

      The result: more and more business-driven solutions are emerging in parallel – but without sufficient transparency and without clear guidelines for stable and secure operation.

      What specific risks does vibe coding pose?

      Compared to traditional individual data processing (IDP), additional risks arise that spread more quickly and are harder to control – risks that many companies still underestimate today.

      A key issue is the handling of data: prompts often contain contextual information, data fragments or business logic. Without clear rules, this can quickly lead to the unauthorised disclosure of sensitive information.

      Added to this is the issue of code quality. AI can generate code, but it is no substitute for thorough testing. If generated content is adopted without verification, security vulnerabilities or structures that are difficult to trace arise.

      Furthermore, the technical landscape is becoming more fragmented: data models diverge, data quality issues increase, and the number of data interfaces and data flows grows. This increases complexity whilst reducing visibility into the solutions in use.

      Another critical issue is operations: many solutions start as prototypes but are quickly put into production. Without testing, monitoring and clear responsibilities, an operational risk arises that often goes unnoticed in day-to-day operations and only becomes apparent when problems arise.

      Why are the risks associated with the use of AI often underestimated?

      In many organisations, the picture is much the same: prototypes are regarded as temporary, even though they are used on a permanent basis.

      In-house solutions are deemed secure without systematically checking for existing (mis)configurations.

      Furthermore, the use of AI is equated with higher quality, even though it is primarily the speed of development that increases initially. These assumptions exacerbate existing risks and delay necessary countermeasures.


      How can Vibe Coding be safely managed and monitored?

      The answer is not to prevent development within the department. The key is to channel it into reliable structures.

      The first step is transparency: companies need an overview of which applications are being developed, what data is being used, and who is responsible for their operation and further development. Building on this, clear rules are necessary – particularly regarding data handling, access rights and the selection of permitted tools.

      Equally important is a functioning standard process. If there is an attractive, secure framework for business development, the need for uncontrolled ad-hoc solutions decreases.

      In addition, minimum requirements for quality and operations are needed, for example in the form of documented changes, clear review processes and continuous monitoring.

      Finally, clear lines of responsibility are crucial: business departments and IT must assume defined roles rather than leaving responsibilities implicitly open.

      How do companies maintain control despite increasing speeds?

      Vibe coding is the logical evolution of IDP. More people can develop productive solutions more quickly – with measurable efficiency gains. At the same time, the risks increase if this development proceeds unchecked.

      The task for companies is therefore clear: not to slow down progress, but to create a reliable, controllable framework for its use. In this way, the benefits are retained – without creating a structural weakness.


      Your contact

      Marko Vogel

      Partner, Consulting – Cyber Security & Resilience, Head of Cyber Security & Resilience

      KPMG AG Wirtschaftsprüfungsgesellschaft