Jay's Tech Bites Logo

Vibe Coding Is Just Prompting with Better Guardrails

Why treating AI-generated code like untrusted third-party dependencies changes everything

AI coding tools don't eliminate the need for engineering judgment—they amplify it. Teams that ship fast with AI treat every generated line like vendor code: test it, audit it, and assume it's wrong until proven otherwise.

Jay McBride

Jay McBride

Software Engineer

6 min read
Support my work on Buy Me a Coffee

Introduction: The Code That Looked Fine

A team shipped an AI-generated authentication flow to staging. It passed unit tests, handled the happy path, and looked clean. Three days later, they discovered it was vulnerable to timing attacks because the AI had used a basic string comparison instead of a constant-time check.

The tests didn’t catch it. The code review missed it. And the team learned the hard way: AI writes code that works, not code that’s correct.

“Vibe coding” sounds like a meme, but it describes a real shift in how teams build software with AI assistants. You describe the outcome, the AI generates scaffolding, and you iterate in tight loops—refining, testing, and hardening until it meets production standards.

This article is for engineers who’ve used Copilot or Claude to speed up development and then spent hours debugging subtle issues the AI introduced. If you think AI tools “just work,” you haven’t shipped enough AI-generated code yet.

Enjoying this? 👉 Tip a coffee and keep posts coming

Here’s what I’ve learned from teams that ship AI-assisted code safely—and the ones that don’t.

The Core Judgment: AI Outputs Are Vendor Code

When you pull in a library from npm, you don’t blindly trust it. You check the license, review the source, run tests, and monitor for CVEs.

AI-generated code deserves the same scrutiny.

The model doesn’t know your security requirements, performance constraints, or edge cases. It generates “plausible” code based on statistical patterns in its training data—which means it’s great at boilerplate and terrible at domain-specific correctness.

I treat AI code like I treat any third-party dependency:

  • Test it exhaustively
  • Assume it has bugs
  • Audit for security issues
  • Replace it when it becomes unmaintainable

If your workflow is “paste AI output, commit, ship,” you’re building on quicksand.

How This Works in the Real World

The Iteration Loop That Actually Ships

  1. Write the constraint-heavy prompt: “You are a senior backend engineer. Use FastAPI, follow REST conventions, return 422 for validation errors, use prepared statements for all SQL queries.”
  2. Generate a small slice: One endpoint, one test. Not an entire feature.
  3. Run it immediately: Execute tests, linters, and type checkers. The AI doesn’t know what’s broken until you show it.
  4. Feed back errors: Copy the stack trace or failing test output directly into the prompt.
  5. Iterate in small diffs: Patch one function at a time. Large rewrites compound errors.

The teams that ship fast run this loop dozens of times per feature. The teams that struggle try to generate entire modules and wonder why nothing works.

What Actually Breaks

AI tools break down when:

  • Your domain logic is complex and undocumented
  • You need performance optimizations beyond “make it work”
  • Security or compliance constraints aren’t codified in tests
  • The AI hallucinates APIs or behaviors that don’t exist

At that point, you’re not “vibe coding”—you’re debugging nonsense.

A Real Example: Refactoring Legacy Code

I used Claude to refactor a 500-line God function in a Django app. The function handled user registration, email verification, and subscription setup in one monolithic block.

Prompt:

“Extract this into three separate functions: create_user, send_verification_email, and setup_subscription. Each function should handle its own errors and return a Result type. Preserve all existing behavior.”

What the AI got right:

  • Clean function signatures
  • Proper error handling structure
  • Idiomatic Django ORM usage

What the AI got wrong:

  • Lost a critical timezone.now() call, which caused timestamps to be naive instead of aware
  • Didn’t preserve transaction boundaries, so partial failures could leave orphaned records
  • Generated a test suite that only covered happy paths

I caught these issues because I had existing tests and ran them immediately. If I’d blindly trusted the AI, I would’ve shipped data integrity bugs.

Common Mistakes I Keep Seeing

Skipping the Constraint Layer

Developers write vague prompts like “build a REST API” and expect the AI to infer security, error handling, and performance requirements.

The AI doesn’t know your stack’s conventions. Spell them out:

  • “Use bcrypt for password hashing, with a work factor of 12”
  • “Return structured errors in RFC 7807 format”
  • “Paginate responses with cursor-based pagination, not offset”

Constraints turn a generic scaffold into production-ready code.

Trusting Generated Tests

AI-generated tests almost always cover the happy path and ignore edge cases, race conditions, and failure modes.

Treat them as starting points, not validation. Add tests for:

  • What happens when the database is down
  • What happens when the input is malformed
  • What happens when two requests run concurrently

If your AI-generated test suite makes you feel safe, you’re in danger.

Not Versioning Prompts

When a generated feature breaks in production, can you reproduce the exact prompt and context that created it?

Store prompts alongside code—in PR descriptions, commit messages, or a prompts/ directory. Treat them like configuration.

Tradeoffs and When This Breaks Down

You’re Bottlenecked by Review, Not Generation

AI can generate code faster than humans can review it. If your team ships 10x more code per week, but your review process hasn’t scaled, you’ll accumulate technical debt at an alarming rate.

Fast iteration requires fast, automated feedback: linters, type checkers, security scanners, and comprehensive tests.

Maintenance Costs Compound

AI-generated code tends to be verbose and explicit, which is great for readability but increases surface area for bugs.

A 1,000-line AI-generated module is harder to maintain than a 300-line hand-written one. Know when to refactor.

Domain Expertise Still Matters

AI tools accelerate writing code. They don’t replace understanding the problem.

If you don’t know why a feature needs to work a certain way, you can’t evaluate whether the AI got it right.

Best Practices I Actually Follow

  • Generate small, testable units. One function, one test, one commit.
  • Run CI on every iteration. Let linters and type checkers catch hallucinations early.
  • Audit security-sensitive code manually. Never trust AI-generated auth, crypto, or SQL.
  • Use static analysis tools. Bandit for Python, Semgrep for polyglot, Dependabot for dependencies.
  • Keep a “hallucination log.” When the AI invents an API, document it. Patterns emerge.

Conclusion: AI Accelerates, Tests Validate

Vibe coding isn’t magic. It’s disciplined iteration with automated guardrails.

The teams that ship fast with AI aren’t the ones writing better prompts—they’re the ones with better tests, better CI, and better review processes.

AI generates code. Engineers ensure it’s correct.

If your workflow treats AI outputs as trusted by default, you’re one hallucination away from a production incident.

Frequently Asked Questions (FAQs)

Can AI replace junior developers?

AI can replace the output of junior developers who only write boilerplate. It can’t replace learning, mentorship, or judgment. If your team’s juniors are only writing CRUD endpoints, you have a bigger problem than tooling.

How do I prevent AI from introducing vulnerabilities?

Run SAST/DAST tools in CI, use dependency scanners, and manually audit any code that touches auth, payments, or user data. Treat AI code like untrusted vendor code.

What’s the ROI of AI coding tools?

If your bottleneck is writing code, massive. If your bottleneck is understanding requirements, designing systems, or debugging production issues, minimal.

Should I store prompts in version control?

Yes. Prompts are documentation. When a feature breaks, knowing the original prompt helps you understand the intent and reproduce the issue.

What skills matter most for AI-assisted development?

Prompt engineering helps, but it’s overrated. What matters more: testing discipline, code review rigor, and the ability to read generated code critically.

Your turn: What’s the most subtle bug an AI tool introduced into your codebase, and how long did it take to find?

Enjoying this? 👉 Tip a coffee and keep posts coming

Found this helpful?

Share it with your network

Jay McBride

Written by Jay McBride

Software engineer with 10+ years building production systems and mentoring developers. I write about the tradeoffs nobody mentions, the decisions that break at scale, and what actually matters when you ship. If you've already seen the AI summaries, you're in the right place.

Based on 10+ years building production systems and mentoring developers.

Support my work on Buy Me a Coffee

Recommended for You

4 min read

The Art of Clean Code: How to Refactor Legacy Code without Losing Your Sanity

Strategies for Updating and Improving Legacy Codebases without the Stress

Read Article
4 min read

Terminal Hacks for Developers: Custom Functions and Aliases to Boost Productivity (Zsh, Bash, Fish)

Master Terminal Customizations: When to Use Aliases vs. Functions in Zsh, Bash, and Fish

Read Article