Vibe Coding and Citizen Development

Introduction

The emergence of vibe coding has captivated the software development community with its promise of democratized application creation. Coined by Andrej Karpathy in early 2025, this approach allows users to describe their desired functionality in natural language while artificial intelligence generates the underlying code. For organizations struggling with developer shortages and mounting IT backlogs, vibe coding appears to offer an attractive solution. Yet beneath this seductive simplicity lies a fundamental tension that enterprises cannot afford to ignore. While vibe coding represents an important evolution in how we create software, the evidence overwhelmingly suggests it cannot stand alone as the foundation for citizen development. The challenges span security vulnerabilities, quality degradation, contextual limitations, and governance requirements that demand a more sophisticated approach. Understanding these limitations is essential for organizations seeking to harness AI-powered development while maintaining the stability, security, and scalability that enterprise systems demand.

The Security Vulnerability Crisis

Security represents perhaps the most pressing concern with vibe coding as a standalone approach to citizen development. Research reveals a disturbing pattern of vulnerabilities in AI-generated code that stems from fundamental limitations in how large language models operate. These systems learn from vast repositories of public code, inevitably absorbing not just best practices but also the security failings that pervade these codebases. The specific vulnerabilities that emerge are both common and dangerous. SQL injection flaws, insecure file handling, and improper authentication mechanisms appear regularly in AI-generated code. Even more concerning, vibe-coded applications frequently include hardcoded API keys visible directly in webpage code, authentication logic implemented entirely on the client side where it can be easily bypassed, and missing authorization checks in handlers that verify only that users are authenticated but not whether they have permission to access specific resources.


Systematic studies of AI-generated code have identified the most prevalent security issues as code injection, OS command injection, integer overflow, missing authentication, and unrestricted file upload. These are not theoretical concerns. The compromise of the Nx development platform through a vulnerability introduced by AI-generated code demonstrates the real-world consequences of these security gaps. The core challenge is that AI tools lack awareness of organization-specific security policies and requirements. When developers implement vibe coding without proper security oversight, they create authentication gaps, expose data inadvertently, and introduce injection vulnerabilities that LLMs are not inherently designed to prevent. For citizen developers who typically lack security expertise, the likelihood of missing these problems before deployment becomes dangerously high.
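As an added illustration of the missing-authorization pattern described above (example code written for this page, not taken from any of the sources it draws on): a handler that checks only that the caller is authenticated, beside one that also checks whether the caller may access the specific invoice. The user and invoice data, the session tokens, and the owner-or-auditor policy are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


class HttpError(Exception):
    """Raised by a handler to signal an HTTP error status."""

    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status


@dataclass
class User:
    user_id: int
    roles: set[str] = field(default_factory=set)


@dataclass
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data (not from any real system): two invoices with
# different owners, and three session tokens mapped to users.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=1, amount=120.00),
    1002: Invoice(invoice_id=1002, owner_id=2, amount=89.50),
}
SESSIONS = {
    "tok-alice": User(user_id=1),
    "tok-bob": User(user_id=2),
    "tok-audit": User(user_id=3, roles={"auditor"}),
}


def authenticate(token: Optional[str]) -> User:
    """Authentication only: answers 'who is calling?', not 'may they see this?'."""
    user = SESSIONS.get(token) if token else None
    if user is None:
        raise HttpError(401, "authentication required")
    return user


def get_invoice_vulnerable(token: Optional[str], invoice_id: int) -> Invoice:
    """The pattern described in the text: the handler confirms the caller is
    logged in and then returns whatever invoice id was requested."""
    authenticate(token)
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise HttpError(404, "not found")
    return invoice  # any authenticated user can read any invoice


def can_view(user: User, invoice: Invoice) -> bool:
    """Authorization rule (hypothetical policy): owners and auditors may view."""
    return user.user_id == invoice.owner_id or "auditor" in user.roles


def get_invoice_hardened(token: Optional[str], invoice_id: int) -> Invoice:
    """Same handler with an explicit per-resource authorization check."""
    user = authenticate(token)
    invoice = INVOICES.get(invoice_id)
    # Missing and forbidden both map to 404 so the response does not reveal
    # whether an invoice id exists to a caller who may not see it.
    if invoice is None or not can_view(user, invoice):
        raise HttpError(404, "not found")
    return invoice


def status_of(handler: Callable[[Optional[str], int], Invoice],
              token: Optional[str], invoice_id: int) -> int:
    """Run a handler and return the HTTP status it would produce."""
    try:
        handler(token, invoice_id)
        return 200
    except HttpError as err:
        return err.status


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_invoice_vulnerable),
                          ("hardened", get_invoice_hardened)):
        # Bob (user 2) requests Alice's invoice 1001.
        print(f"{name}: bob -> invoice 1001 = {status_of(handler, 'tok-bob', 1001)}")
```

A review checklist or automated test for vibe-coded handlers can be as simple as the `status_of` calls: every resource endpoint should be exercised with a logged-in user who does not own the resource.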

Quality Degradation


Beyond security, vibe coding introduces significant code quality challenges that compound over time. Research examining millions of lines of code reveals troubling trends in how AI-assisted development affects the software we create. The most striking finding is an eightfold increase in duplicated code blocks during 2024. While duplicated code may function correctly initially, it represents a marker of poor quality that adds bloat, suggests lack of clear structure, and increases the risk of defects when the same code requires updates in multiple locations. The accuracy statistics for AI code generation paint a sobering picture. ChatGPT produces correct code just 65.2% of the time, GitHub Copilot manages 46.3%, and Amazon CodeWhisperer achieves only 31.1% accuracy. More than three-quarters of developers report encountering frequent hallucinations and avoid deploying AI-generated code without human review. One quarter of developers estimate that one in five AI suggestions contains factual or functional errors. The problem intensifies dramatically with complexity. While AI tools can generate simple login forms or single API calls with reasonable precision, accuracy declines sharply as projects become more intricate. The mathematical reality is stark: even assuming an impressive 99% per-decision accuracy rate, after 200 successive decisions the probability of making no mistakes drops to approximately 13%. This compounding probability means that minor errors accumulate rapidly in complex tasks, significantly diminishing accuracy precisely when enterprises need it most. AI-generated code also tends to be harder to maintain and scale as projects grow. The code often works just well enough to pass initial tests but proves brittle and poorly organized beneath the surface. Developers working on vibe-coded projects later typically find inconsistent structure, minimal comments, ad hoc logic, and a complete absence of proper documentation. This technical debt becomes a burden that organizations must eventually address, often at significant cost.


Context Awareness Limitation

One of the most fundamental limitations of vibe coding as a complete solution stems from AI’s inability to truly understand context. While large language models can generate syntactically correct code, they lack deep understanding of business context, domain-specific requirements, and the broader architectural landscape within which their code must function. This contextual blindness manifests in multiple ways. AI coding assistants cannot grasp the “big picture” of complex projects. They operate on pattern recognition rather than genuine comprehension of the problem space, treating each prompt in relative isolation. When tasks require integrating with existing systems, understanding organizational workflows, or aligning with long-term strategic goals, AI tools consistently fall short because they lack access to the tacit knowledge and institutional understanding that guides human decision-making. The context window limitations of large language models create additional problems. As conversations become longer and more context-heavy, models begin to “forget” earlier information, leading to degraded performance and hallucinations. Forty-five percent of developers report that debugging AI-generated code takes more time than initially expected. Research shows that even advanced models like GPT-4o see accuracy drop from 99.3% at baseline to just 69.7% in longer contexts. For enterprise applications, this context limitation proves particularly problematic. AI cannot understand how its generated code interacts with broader system architecture, what security controls exist in the deployment environment, or how runtime configurations might expose vulnerabilities in production.

The resulting “comprehension gap” between what gets deployed and what teams actually understand increases the likelihood that serious issues will go unnoticed.

Governance


The governance challenges surrounding citizen development become exponentially more difficult when vibe coding enters the equation. Research reveals that 73% of organizations using low-code platforms have not yet defined governance rules. When AI-generated code proliferates without oversight, the risks of shadow IT, security blind spots, and compliance violations multiply dramatically. Without robust governance frameworks, organizations face a cascade of problems. Citizen developers may create applications in isolation, leading to data silos that hinder cross-departmental collaboration. When different teams build separate applications without aligning data models or integration strategies, the result is duplicated efforts, inconsistent data, and operational inefficiencies. Applications may fail to integrate with existing enterprise systems, reducing their strategic value and creating friction rather than enabling efficiency. The lack of traceability in vibe coding creates particular challenges for regulated industries. Without structured processes to track who wrote what code, when, and why, organizations struggle to meet audit requirements and demonstrate compliance. Security vulnerabilities introduced by rapid, intuition-driven development can increase the attack surface in production environments. Developers may bypass formal approval processes, creating unmonitored services or integrations that put organizational data at risk. Effective governance requires multiple elements that vibe coding alone cannot provide. Organizations need clear roles and responsibilities defining who oversees development, ensures compliance, and manages application lifecycles. Governance policies must cover security, data protection, access controls, regulatory compliance, and application lifecycle management from development through retirement. Regular monitoring and reporting are essential to track platform activity, identify security incidents, and demonstrate compliance. Training and support programs must ensure users understand governance policies, procedures, and best practices.

The Role of Professional Developers

The complexity of these challenges reveals why professional developers remain essential even as citizen development expands. The notion that vibe coding can eliminate the need for technical expertise fundamentally misunderstands the multifaceted nature of enterprise software development. Professional developers provide the architectural vision, security expertise, integration capabilities, and governance oversight that citizen developers typically lack. The business technologist role represents an important bridge in this ecosystem. These professionals, who possess both business acumen and technical expertise, translate business requirements into technical solutions, guide enterprise system selection and implementation, and ensure technology initiatives remain aligned with business goals. Their 35% reduction in requirement changes and 24% lower implementation costs compared to traditional approaches demonstrate the value of combining domain knowledge with technical understanding.

The Low-Code Platform Advantage

Low-code platforms provide governance, security, and structure that pure vibe coding cannot match. These platforms offer enterprise-grade capabilities specifically designed to balance rapid development with organizational control. Understanding the distinctions between vibe coding and low-code approaches reveals why enterprises need both rather than relying solely on AI generation. Low-code platforms provide visual development tools that allow users to build applications with minimal hand-coding while maintaining guardrails that vibe coding lacks. They include role-based access control defining who can build, review, and deploy applications. Environment separation keeps development, testing, and production workloads appropriately isolated. Built-in monitoring and audit trails provide visibility into who created what, when, and how. Data loss prevention policies prevent sensitive information from flowing to unapproved connectors or destinations. The scalability and integration capabilities of low-code platforms address another critical gap in pure vibe coding approaches. Enterprise low-code tools support high availability, handle performance under load, and scale gracefully as usage grows. They provide reusable components, version control, and multiple development environments that help teams manage and grow their applications effectively. Built-in connectors and support for custom API integrations make it easier to synchronize new applications with legacy systems, CRMs, ERPs, and external databases.


Security features embedded in low-code platforms include encryption, access controls, and compliance certifications that vibe coding alone cannot provide. These platforms undergo rigorous security reviews and maintain compliance with regulations like GDPR and HIPAA. This built-in security posture reduces the burden on citizen developers while providing IT teams confidence that applications meet organizational standards.

The Hybrid Path Forward

The future of citizen development lies not in choosing between vibe coding and structured platforms but in thoughtfully combining them. Leading organizations are discovering that vibe coding and low-code platforms serve complementary purposes when integrated strategically. Vibe coding excels at creative exploration, rapid prototyping, and generating initial functionality. Low-code platforms provide the structure, governance, and production-readiness that enterprises require. This hybrid approach allows organizations to leverage the strengths of each method. Teams can use vibe coding for idea generation and prototyping unique features, then integrate those concepts into low-code workflows for broader implementation. Vibe coding speeds up creation while low-code platforms sustain and scale the solutions. The result is faster innovation without sacrificing the control and quality that production systems demand. Implementing this hybrid model requires clear frameworks and processes. Organizations should establish sandbox environments where vibe coding can occur safely, separate from production systems. Code generated through vibe coding should undergo security reviews, testing, and refinement before integration into enterprise platforms. Professional developers and business technologists should guide the transition from prototype to production, ensuring that innovative ideas become robust, maintainable solutions. The governance framework for hybrid development must balance empowerment with control. Centers of excellence can provide standards, review applications, and mentor new builders while allowing experimentation within appropriate boundaries. Clear policies should define when vibe coding is appropriate for exploration versus when structured low-code development becomes necessary. Automated testing, security scanning, and code review processes should apply regardless of how code originates, ensuring consistent quality standards.

The Path to Responsible Innovation

Moving forward, organizations must embrace a more nuanced approach to citizen development that recognizes both the potential and limitations of AI-powered code generation. Vibe coding represents a valuable tool in the developer toolkit, but it cannot carry the full weight of enterprise application development. The path to responsible innovation requires integrating vibe coding within governance frameworks that ensure quality, security, and alignment with organizational goals. This integration begins with establishing clear policies defining when and how vibe coding is appropriate. Organizations should create designated environments where AI-assisted development can occur with appropriate oversight. Security scanning, code review, and testing processes should apply to all code regardless of origin, ensuring consistent standards. Professional developers should guide citizen developers in understanding when prototypes need hardening before production deployment and which use cases suit rapid AI generation versus structured development.


Training programs must equip citizen developers with the knowledge to recognize security vulnerabilities, understand basic architectural principles, and know when to seek professional guidance. Business technologists should serve as bridges between business needs and technical implementation, helping citizen developers frame problems effectively while ensuring solutions align with enterprise architecture. Regular governance reviews should retire unused or outdated applications and identify promising projects for further investment. The technology platforms organizations choose should reflect this balanced approach. Rather than pure vibe coding environments or traditional low-code platforms alone, enterprises need integrated solutions that combine AI assistance with governance controls. Platforms that embed security by design, provide automated testing and validation, support structured workflows, and enable collaboration between citizen and professional developers offer the best path forward.

Conclusion

The emergence of vibe coding represents an important milestone in the democratization of software development, but it cannot and should not become the sole foundation for citizen development. The evidence across security, quality, governance, and sustainability reveals fundamental limitations that make vibe coding unsuitable as a standalone approach for enterprise application development. Organizations that treat vibe coding as a complete solution expose themselves to security vulnerabilities, accumulate technical debt, fail to meet compliance requirements, and ultimately undermine the very agility and innovation they seek to achieve. The future belongs not to vibe coding or traditional development alone but to thoughtfully designed hybrid approaches that leverage AI-powered code generation within governance frameworks that ensure quality, security, and strategic alignment. Low-code platforms provide essential structure, professional developers supply critical oversight and expertise, business technologists bridge business and technical domains, and citizen developers bring domain knowledge and innovation closer to business problems. This ecosystem of complementary capabilities, when properly orchestrated, delivers the speed of vibe coding with the sustainability and governance that enterprises require. As organizations navigate the rapidly evolving landscape of AI-assisted development, the imperative is clear: embrace innovation while maintaining control, empower citizen developers while providing guardrails, and recognize that the most powerful solutions emerge not from technology alone but from the thoughtful combination of human expertise and AI capabilities. The organizations that thrive will be those that resist the temptation to view vibe coding as a silver bullet and instead build comprehensive approaches that balance agility with accountability, innovation with security, and democratization with governance. Only through this balanced approach can citizen development realize its full potential while avoiding the pitfalls that unchecked vibe coding inevitably creates.
