Over the last few years, artificial intelligence-assisted coding, known as vibe coding, has established itself as a widely adopted practice in software development and security processes. According to Palo Alto Networks’ State of Cloud Security Report 2025, 99% of organizations already use AI agents in their development processes. However, the latest report from Unit 42, the threat intelligence unit of Palo Alto Networks, warns that this new way of programming can generate significant security risks if it is adopted without adequate controls and without a correct evaluation of the associated risks.

These tools allow programming and development professionals, and also Citizen Developers or profiles without advanced technical knowledge in code review or security, to generate large volumes of functional code in a short time. However, the generated code may contain hidden vulnerabilities, poor security practices or insecure dependencies that introduce additional risks, which go undetected during initial testing and are only detected when they are already in production, amplifying operational and reputational risks.

From assisted development to automated risk

According to Unit 42, the main problem does not lie in the technology itself, but in the false sense of security that it can generate, hiding flaws that are difficult to detect in early stages and underestimating the real risks. Vibe coding or code created by AI usually “looks right” and does its job, but it is not natively designed to meet secure coding standards, which increases security risks from the source.

By introducing relevant changes in the way in which vulnerabilities arise, many security flaws originate directly in the development phase, when the code is generated automatically at high speed, increasing the risks of integrating different flaws into the process such as:

• Insecure application development that causes a security breach and increases the risk of data exposure.

• Insecure platform logic leading to unauthorized code execution, increasing operational risks.

• Insecure platform logic that allows authentication to be bypassed, generating critical risks of improper access.

• Improper deletion of a database resulting in data loss and serious business continuity risks.

Furthermore, these tools can become a new target for cybercriminals, who seek to exploit the risks associated with their use through techniques such as injecting instructions into programmers or using code fragments from external sources that host malicious software, further expanding the risks of attack.

Ensuring the “life of code”: a strategic priority

To address this scenario, Unit 42 has introduced the SHIELD framework, designed to reintroduce secure design principles to AI-assisted coding and reduce the risks arising from its adoption. This framework provides organizations with practical guidance to balance vibe coding productivity with effective risk management, preventing innovation from resulting in a larger attack surface:

• S – Separation of Duties: vibe coding platforms can grant excessive privileges, increasing risks. Avoid incompatible features and limit AI agents to development and test environments.

• H – Human in the Loop: requires mandatory human review and PR approval for any critical code, mitigating key risks.

• I – Input/Output Validation: Separates trusted instructions from untrusted data and applies security checks (SAST) before merging code to reduce risk.

• E – Enforce Security-Focused Helper Models: uses specialized agents to validate security, scan secrets and verify controls before deployment, controlling risks.

• L – Least Agency: applies the principle of least privilege, restricting access and destructive commands to limit risks.

• D – Defensive Technical Controls: implements SCA and disables auto-execution to strengthen oversight and minimize deployment risks.

The SHIELD framework provides organizations with practical guidance to balance vibe coding productivity with effective risk management.

Although vibe coding represents a natural evolution in software development, Palo Alto Networks warns that many organizations are abandoning established security principles, such as “least privilege,” in favor of speed and functionality, taking unnecessary risks.

Therefore, this practice should not be adopted without a thorough review of security approaches and associated risks, since protection cannot be limited to the final phases of the application life cycle, but rather be integrated from the design and initial generation of the code, guaranteeing safe, reliable development with controlled risks.

Alex Chen
Alex Chen

Alex Chen serves as the chief editor of Asia Tech Journal, bringing over a decade of experience in technology journalism. Previously writing for several globally renowned publications, Alex is celebrated for his insightful analyses and in-depth reporting on tech trends across Asia. Passionate about innovation, Alex specializes in the dynamic technology ecosystem of China and its global impacts.