Don’t mix vibe coding with vibe work

Don’t mix vibe coding with vibe work

Apr 29, 2025

|

5

min read

In the rapidly evolving landscape of software development, a new phenomenon has emerged that's reshaping how we approach coding: "vibe coding". Popularized by AI researcher Andrej Karpathy and amplified by various tech commentators, this approach leverages AI coding assistants to create software through a more intuitive, conversational process. While this represents an exciting shift in development practices, it also raises important questions about when this approach is appropriate—and when it might lead us astray.


What Exactly Is Vibe Coding?

Andrej Karpathy, former Tesla AI director and OpenAI researcher, described vibe coding in a now-viral social media post:

"There's a new kind of coding I call 'vibe coding,' where you fully give in to the vibes, embrace exponentials, and forget that the code even exists. It's possible because the LLMs (e.g. Cursor Composer w Sonnet) are getting too good."

In essence, vibe coding represents a development approach where programmers rely heavily on AI coding assistants, often communicating with them conversationally rather than writing code directly. Developers might request changes like "decrease the padding on the sidebar by half" without needing to locate the relevant code themselves. They might paste error messages without explanation, trusting the AI to interpret and fix the issues.

This approach fundamentally changes the programmer's relationship with code—from being a craftsperson who shapes every line to becoming more of a director who guides an AI assistant through the development process.


The Appeal of Vibe Coding

The attraction of vibe coding is immediately apparent for non-tech folks:

  1. Reduced cognitive load: Developers don't need to hold as much of the codebase in their working memory.

  2. Accelerated development: Tasks that once required navigating through files and understanding complex systems can now be delegated.

  3. Lower barrier to entry: People with less technical expertise can create functional software through natural language instructions.

  4. Focus on outcomes: Developers can concentrate more on what they want to achieve rather than how to implement it.

As LovableDev notes, "Vibe coding is a state of flow where you're not thinking about the code, but rather what you want the code to do." This represents a significant shift in how we conceptualize programming—potentially democratizing access to software creation.


When Vibe Coding Goes Wrong

However, as with any powerful new approach, vibe coding comes with significant pitfalls. In his detailed critique, Addy Osmani warns that vibe coding can become "an excuse for bad software development practices" when used inappropriately.

The dangers include:


1. Lack of Understanding and Ownership

When developers rely too heavily on AI-generated code without understanding its mechanics, they risk creating systems they can't properly maintain or debug. As one developer discovered in the notorious "You Are Fired Now" incident, passing responsibility to AI tools without retaining core understanding can lead to catastrophic outcomes.


2. Technical Debt Accumulation

Karpathy himself admits that with vibe coding, "The code grows beyond my usual comprehension, I'd have to really read through it for a while." While this might be acceptable for "throwaway weekend projects," as he puts it, this approach would be disastrous for mission-critical systems or long-term projects.


3. Brittle Solutions and Workarounds

The temptation to ask for "random changes until it goes away" when bugs appear can lead to brittle, poorly structured code. As Osmani notes, "Good software engineering practices are timeless"—regardless of whether AI is generating the code.


4. False Confidence

The ease of generating functional code can create a false sense of capability and understanding. A developer might believe they're mastering a framework when in reality, they're merely becoming proficient at prompting an AI—without developing the fundamental understanding necessary for career growth.


5. Privacy and Security Vulnerabilities

Perhaps the most concerning aspect of vibe coding is its potential to create significant privacy and security risks. When developers casually interact with AI coding assistants, they may inadvertently share sensitive information like API keys, secret tokens, database credentials, or personally identifiable information (PII).

These risks manifest in several ways:

  • API Key Exposure: In the flow of vibe coding, developers might paste entire configuration files or code snippets containing API keys directly into their prompts, potentially exposing these secrets to the AI service provider.

  • Sensitive Data Leakage: When asking for help with data processing or debugging, developers might include sample data containing sensitive information without proper sanitization.

  • Third-Party Access: As noted in privacy policies like Dualite's, information shared with AI coding assistants may be accessible to third-party services and used for various purposes, including training future models.

  • Code Training Concerns: Code shared with AI assistants might be used to train future versions of these tools, potentially making your proprietary algorithms or unique approaches available to competitors.

The casual nature of vibe coding can exacerbate these risks, as developers might not apply the same scrutiny to their AI interactions that they would to traditional code commits or pull requests.


The Critical Distinction: Vibe Coding vs. Vibe Work

This brings us to the central thesis: the critical distinction between vibe coding and what we might call "vibe work." Vibe coding has its place—particularly for prototyping, learning, and non-critical projects. However, "vibe work" represents the dangerous extension of this approach to professional contexts where reliability, maintainability, and deep understanding are essential.


When Vibe Coding Is Appropriate

Vibe coding shines in certain contexts:

  1. Rapid prototyping: When exploring ideas quickly matters more than code quality

  2. Learning new frameworks: Using AI as a guide to understand unfamiliar technology

  3. Personal projects: When you're the only stakeholder and understand the limitations

  4. UI tweaks and styling: Where visual feedback provides immediate validation

  5. Generating boilerplate: For repetitive, formulaic code structures


When Professional Engineering Practices Must Prevail

By contrast, several scenarios demand a more disciplined approach:

  1. Mission-critical systems: Where failures could have serious consequences

  2. Security-sensitive applications: Where vulnerabilities could compromise user data

  3. Team projects: Where others will need to understand and maintain your code

  4. Performance-critical components: Where optimization requires deep understanding

  5. Long-lived codebases: That will require maintenance for years to come

  6. Applications handling sensitive data: Where privacy concerns are paramount


Finding the Balance: Integrating AI Without Surrendering Understanding

The key to leveraging AI coding assistants effectively lies in finding the right balance. Here are strategies for integrating AI tools into professional workflows without surrendering understanding:


1. Use AI as an Accelerator, Not a Replacement

AI coding assistants shine when used to accelerate tasks you already understand. They can help you implement patterns you comprehend but don't want to type out manually. The core principle: you should be able to explain what the AI-generated code does and why it works.


2. Review and Refactor AI-Generated Code

Never accept AI-generated code without review. Take time to understand what the code does, why it was structured that way, and whether it aligns with project standards. This review process is a learning opportunity that strengthens your understanding.


3. Maintain a Learning Mindset

Use interactions with AI tools as learning opportunities. When an AI assistant solves a problem in an unexpected way, take time to understand the approach rather than simply accepting the solution. This transforms the AI from a crutch into a mentor.


4. Establish Team Protocols for AI Usage

Development teams should establish clear guidelines for how AI tools are used in their workflows. This might include requirements for code review, documentation of AI-assisted components, or limitations on which parts of the codebase can be developed using more conversational approaches.


5. Combine AI with Traditional Learning Resources

Balance AI assistance with traditional learning resources. Reading documentation, following tutorials, and understanding fundamental concepts remains essential. AI tools complement rather than replace these learning approaches.


Enhancing Privacy and Security in AI-Assisted Development

To address the unique privacy and security challenges presented by vibe coding, both developers and companies need to implement specific safeguards:


For Developers:

  1. Sanitize Your Prompts: Before sharing code with an AI assistant, redact all API keys, tokens, passwords, and other sensitive information. Replace them with placeholder values like "API_KEY_PLACEHOLDER".

  2. Use Dedicated Development Environments: Create separate development environments with dummy data and revocable API keys specifically for AI-assisted development.

  3. Implement .gitignore Practices for AI Tools: Just as you would exclude sensitive files from git repositories, develop habits to exclude sensitive information from AI interactions.

  4. Adopt Secret Management Solutions: Use tools like HashiCorp Vault, AWS Secrets Manager, or environment variables to keep credentials separate from your code.

  5. Verify Security of AI-Generated Code: Carefully review any security-related code generated by AI tools, particularly authentication mechanisms, input validation, and data handling routines.

  6. Create Aliases and Snippets: Develop command-line aliases or code editor snippets that automatically redact sensitive information when copying code for AI tools.

  7. Use Local-First AI Tools When Possible: When working with particularly sensitive code, consider local-first AI coding assistants that don't send your code to external servers.


For Companies:

  1. Develop Clear AI Tool Usage Policies: Create explicit guidelines for which AI tools are approved for use and how they should be used with company code.

  2. Provide Private AI Instances: For highly sensitive work, consider deploying private instances of AI coding assistants that don't share data with external parties.

  3. Conduct AI-Specific Security Training: Train developers specifically on privacy and security considerations when using AI coding assistants.

  4. Implement Scanning Tools: Deploy tools that can scan for accidentally committed API keys or tokens, and extend these to monitor AI tool usage.

  5. Negotiate Data Usage Terms: When selecting AI coding assistant vendors, negotiate terms regarding data retention, usage, and ownership of code shared with the service.

  6. Limit Sensitive Codebase Access: Restrict AI tool usage to non-sensitive parts of the codebase when working with particularly confidential systems.

  7. Regular Security Audits: Include AI tool usage in regular security audits and penetration testing to identify potential vulnerabilities.

  8. Privacy-Preserving Feedback Mechanisms: Create anonymous channels for developers to report privacy concerns or incidents related to AI tool usage without fear of reprisal.

  9. Provide Clear Privacy Assurances: As demonstrated by Dualite's privacy policy, companies offering AI development tools should provide transparent information about:

    • How user data is stored and processed

    • Which third parties might access the data

    • How long data is retained

    • What rights users have regarding their data

    • What security measures are in place to protect sensitive information


The Future of Development: Augmented, Not Automated

The emergence of vibe coding doesn't signal the end of software engineering as a discipline—rather, it represents an evolution. The most successful developers will be those who can leverage AI tools effectively while maintaining the fundamental understanding and engineering discipline that makes software reliable, maintainable, and secure.

As these tools evolve, we'll likely see the development of best practices that help us integrate them into professional workflows without sacrificing quality. The key will be recognizing when to "vibe" and when to apply rigorous engineering practices.


Conclusion: Embrace the Tool, Not the Temptation

AI coding assistants represent powerful tools that are reshaping how we approach software development. The temptation to fully embrace "vibe coding" in all contexts is understandable—it feels like a glimpse of a future where programming is more accessible and intuitive.

However, the distinction between vibe coding as a technique and "vibe work" as a professional approach remains crucial. By understanding the appropriate contexts for different development approaches, we can leverage these powerful new tools without sacrificing the discipline and understanding that make great software possible.

The privacy and security implications of AI-assisted development add another layer of consideration. As we move forward with these tools, a thoughtful approach that balances innovation with protection of sensitive information will be essential.

The future belongs not to those who surrender their craft entirely to AI, but to those who learn to dance with these tools—knowing when to lead and when to follow, when to vibe and when to engineer, and always keeping privacy and security at the forefront of their practice.

Are you finding the right balance between AI assistance and fundamental engineering in your development work? How do you handle privacy concerns when using AI coding tools? Share your experiences in the comments below.

Keywords: vibe coding, AI coding assistants, software development best practices, LLM programming, Andrej Karpathy, code quality, AI augmented development, professional coding standards, technical debt, programming workflows, API security, privacy in development, secure coding practices