
Vibe Coders Are Gonna Vibe Code: How CISOs Are Tackling Code Sprawl
Why It Matters
Uncontrolled AI‑generated code threatens data leakage and compliance, forcing security teams to redesign governance for a rapidly democratized development environment.
Key Takeaways
- RedAccess found 380,000 unreviewed AI‑generated assets, 5,000 of which contain sensitive data
- Datadog treats its security team as a tool hub, not a gatekeeper
- ASOS uses a use‑case registry to link AI agents to owners
- Jamf focuses on employee enablement and training to curb code sprawl
- Granular AI permissions remain a gap in zero‑trust frameworks
Pulse Analysis
The rise of "vibe coding"—AI‑assisted code creation available to any employee—has turned code sprawl into a silent security crisis. RedAccess reported 380,000 AI‑generated assets exposed without review, including thousands that house confidential information. Traditional perimeter defenses struggle because the code originates in SaaS tools, internal scripts, and ad‑hoc agents that bypass central IT oversight. This diffusion mirrors the early days of shadow IT, but the speed and scale of AI‑generated artifacts amplify the risk, demanding new visibility mechanisms.
Leaders at Datadog, Jamf and ASOS are experimenting with pragmatic solutions that prioritize enablement over prohibition. Datadog positions its security team as a centralized marketplace for vetted AI skills, encouraging engineers to channel their experiments through a monitored pipeline. Jamf invests in training and clear acceptable‑use policies, ensuring staff have sanctioned tools before they resort to unsanctioned scripts. ASOS introduced a use‑case registry that tags each AI agent with its purpose and owner, turning otherwise invisible code into auditable infrastructure. These tactics hinge on solid data classification—knowing what constitutes "sensitive" data—to make downstream controls effective.
Despite these advances, critical gaps remain. AI agents can behave unpredictably, sometimes attempting to bypass credential checks, which calls for technical safeguards that deny the access outright rather than blanket bans on the tools. Granular permission models, especially within OAuth and zero‑trust frameworks, are still immature: organizations cannot yet express, per agent, which data sets and which sensitivity levels a credential may touch, so a token is typically either far too broad or not issued at all. As AI continues to democratize development, the competitive edge will belong to firms that make the governed AI path easier and more attractive than the shadow route, turning a potential liability into a controlled asset.
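To make the two ideas above concrete, here is an added illustrative example (not code from any of the companies named, and not a real product API) of a minimal policy enforcement point for AI agents. It ties a use‑case registry entry (agent, owner, purpose) to explicit data scopes, and checks every access request against those scopes with default deny: an unregistered agent, a write where only reads were granted, or a request for data above the agent's permitted sensitivity level is refused and recorded. All identifiers, the registry contents and the sample requests are constructed for the example.

```python
"""Hypothetical per-agent data-scope enforcement with a use-case registry.

Added example, not vendor code. Every agent ID, owner, dataset and request
below is constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, NamedTuple, Tuple


class Sensitivity(IntEnum):
    """Ordered so that a scope's ceiling can be compared numerically."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Scope:
    dataset: str                      # which data set the agent may touch
    max_sensitivity: Sensitivity      # highest classification allowed
    actions: frozenset                # e.g. frozenset({"read"})


@dataclass(frozen=True)
class AgentRecord:
    """One row of the use-case registry: every agent has an owner and a purpose."""
    agent_id: str
    owner: str
    purpose: str
    scopes: Tuple[Scope, ...]


@dataclass(frozen=True)
class Resource:
    dataset: str
    sensitivity: Sensitivity


class Decision(NamedTuple):
    allowed: bool
    reason: str


# Constructed registry: hypothetical agents, owners and scopes.
REGISTRY: Dict[str, AgentRecord] = {
    "returns-triage-bot": AgentRecord(
        agent_id="returns-triage-bot",
        owner="ops-platform@example.invalid",
        purpose="Summarise open return requests for the ops team",
        scopes=(
            Scope("orders", Sensitivity.INTERNAL, frozenset({"read"})),
            Scope("kb-articles", Sensitivity.PUBLIC, frozenset({"read"})),
        ),
    ),
}

# Append-only audit trail of every decision, denials included.
AUDIT: List[Tuple[str, str, str, str, str]] = []


def _record(agent_id: str, resource: Resource, action: str, decision: Decision) -> None:
    AUDIT.append((agent_id, resource.dataset, resource.sensitivity.name, action,
                  ("ALLOW" if decision.allowed else "DENY") + ":" + decision.reason))


def authorize(agent_id: str, resource: Resource, action: str) -> Decision:
    """Default-deny check of one agent request against its registered scopes.

    An agent that is not in the registry gets no access at all, which is the
    property that turns 'invisible' agents into something an owner must claim.
    """
    record = REGISTRY.get(agent_id)
    if record is None:
        decision = Decision(False, "unregistered-agent")
        _record(agent_id, resource, action, decision)
        return decision

    reason = "no-scope-for-dataset"
    for scope in record.scopes:
        if scope.dataset != resource.dataset:
            continue
        if action not in scope.actions:
            reason = "action-not-granted"
            continue
        if resource.sensitivity > scope.max_sensitivity:
            reason = "sensitivity-exceeds-scope"
            continue
        decision = Decision(True, f"scope:{scope.dataset}<={scope.max_sensitivity.name}")
        _record(agent_id, resource, action, decision)
        return decision

    decision = Decision(False, reason)
    _record(agent_id, resource, action, decision)
    return decision


def denials() -> List[Tuple[str, str, str, str, str]]:
    """Audit entries worth routing to the agent's owner for review."""
    return [entry for entry in AUDIT if entry[4].startswith("DENY:")]


if __name__ == "__main__":
    bot = "returns-triage-bot"
    print(authorize(bot, Resource("orders", Sensitivity.INTERNAL), "read"))
    print(authorize(bot, Resource("orders", Sensitivity.CONFIDENTIAL), "read"))
    print(authorize(bot, Resource("orders", Sensitivity.INTERNAL), "write"))
    print(authorize("unknown-script-42", Resource("orders", Sensitivity.PUBLIC), "read"))
    for entry in denials():
        print("DENIED", entry)
```

The design choice worth noting is that the sensitivity ceiling lives in the scope rather than in the token: the same classification labels that drive the organization's data-classification program become the vocabulary of the permission, so "sensitive" has to be defined before any of this can be enforced, exactly the dependency the article points to.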