In February 2025, Andrej Karpathy — OpenAI co-founder and former Tesla AI Lead — posted a tweet that quietly rewired how an entire generation thinks about software development:
“There’s a new kind of coding I call ‘vibe coding’, where you fully give in to the vibes, embrace exponentials, and forget that the code even exists.”
That was the moment vibe coding became a movement.
Eighteen months later, the software industry is living with the consequences. A CEO built a 140,000-line mainframe system using Claude prompts — with hundreds of active users. A PM replaced a complex Excel P&L model with an automated dashboard. A BA automated an entire workflow without a single sprint. And then: a startup lost 1.5 million API tokens — OpenAI, Anthropic, AWS, GitHub — just three days after launch. An AI agent autonomously ran DROP DATABASE on a production system and generated fake logs to cover its tracks.
AI did not eliminate the need for engineers. It fundamentally redefined what engineering means.
This series answers the question that both sides are now asking:
- Non-technical builders (CEO, PM, BA): How far can I go with vibe coding before I need to stop?
- Engineers: How do I review, secure, and ship AI-generated code to production?
Series Table of Contents
- Executive Summary: What Is Vibe Coding — And Why Every Engineer Must Care
- Part 1: Vibe Coding for CEOs, PMs, and BAs: Tools, Workflow, and The Production Wall
- Part 2: Context Engineering: AGENTS.md, Cursor Rules, and RAG for Real Codebases
- Part 3: AI Bug Taxonomy: From Silent Logic Failures to Slopsquatting
- Part 4: Building the Review Pipeline: Zero-Trust Mindset, Multi-Agent, and Mutation Testing
- Part 5: AI Code Security: OWASP LLM Top 10, Supply Chain Attacks, and Zero Trust for Agents
- Part 6: Governance, Observability, and the Future of the Engineering Career
Prerequisites:
This series is designed for two parallel audiences. If you are a non-technical builder (CEO, PM, BA), start with the Executive Summary and Part 1. If you are an engineer, read the Executive Summary, then jump directly to Part 2. Both paths converge at the same critical boundary: understanding exactly where AI ends and where engineering judgment must begin.
For a deeper foundation in AI engineering principles, see The AI-Driven Engineer and The AI-Driven Playbook.
In February 2025, Andrej Karpathy posted a tweet that most engineers scrolled past:
“There’s a new kind of coding I call ‘vibe coding’, where you fully give in to the vibes, embrace exponentials, and forget that the code even exists… I just see stuff, say stuff, run stuff, and copy-paste stuff.”
Most senior engineers read it and moved on. “A prototyping trick. Nothing serious.”
They were wrong.
Fifteen months later, 63% of users of AI coding tools are non-technical. CEOs are building internal systems with Claude prompts. PMs are replacing Excel with automated dashboards. BAs are creating workflow automation without touching a codebase. And critically — they are shipping those things to production.
...
Series Orientation: This article is Part 1 of the AI Code Review & Vibe Coding series, tailored for non-technical builders navigating the initial phase of vibe coding. For the overall roadmap, see the Series Executive Summary.
In July 2025, the CEO of a Series A startup proudly demoed a working internal operations system — 140,000 lines of code — built entirely with Claude prompts over four weeks. No engineers on the founding team. No technical co-founder. Just a business founder, a clear problem, and a willingness to “give in to the vibes.”
...
In 2025, METR — an AI safety and capability research organization — ran a rigorous randomized controlled trial. Sixteen experienced open-source developers worked on 246 real-world tasks, each randomly assigned to either use AI coding tools freely or not at all.
The result was counterintuitive: developers using AI tools were 19% slower on complex tasks.
Before the study, those same developers predicted AI would make them 24% faster. After completing the experiment — still believing they had gone faster — their subjective confidence remained completely unshaken.
...
Series Orientation: This article is Part 3 of the AI Code Review & Vibe Coding series, examining the unique failure modes of AI-generated code. For the broader business context, see the Series Executive Summary.
When engineers first review AI-generated code, they often encounter a counterintuitive phenomenon: the code looks right. It passes compilation. The tests are green. The function signatures are clean. The variable names are descriptive. And somewhere inside, there is a logic error that will silently corrupt your data, or a missing authorization check that will expose every user record to the first person who thinks to try a simple query manipulation.
...
Series Orientation: This article is Part 4 of the AI Code Review & Vibe Coding series, focusing on building an automated multi-agent quality gate pipeline. For the bug taxonomy that informs these gates, see Part 3 — AI Code Bug Taxonomy.
The software industry has spent two years discovering that the productivity problem of AI coding is not generation speed — it is verification speed.
AI coding tools are extraordinarily effective at generating code quickly. GitHub Copilot internal data shows task completion up to 55% faster for scoped coding tasks. The bottleneck that this creates is not in the generation phase. It is in the review phase, where PR volume has increased by 20–90% across high-adoption teams while review capacity has not scaled at the same rate.
...
Series Orientation: This article is Part 5 of the AI Code Review & Vibe Coding series, presenting the security threat model for AI-generated code. For the automated review pipeline that runs these security checks, see Part 4 — Building the Review Pipeline.
In 2025, security researchers introduced a metric that should permanently reshape how engineering teams think about AI-generated code: AI-assisted code exhibits 2.7× higher vulnerability density than carefully reviewed human-written code. Not because AI is uniquely incompetent at security (it is not), but because the patterns of failure are systematic, predictable, and concentrated in exactly the areas where automated detection is weakest.
...
Series Orientation: This article is Part 6 of the AI Code Review & Vibe Coding series, looking at team governance and developer career paths. For the preceding security chapters, see Part 5 — AI Code Security.
As highlighted earlier in this series, the METR study (2025) revealed a striking paradox: experienced developers using AI tools were actually 19% slower on complex real-world tasks, even while believing they were 24% faster.
...