The identity risks of vibe coding

Vibe coding, a term coined by Andrej Karpathy, refers to a development approach where developers prompt AI to generate code, often resulting in functional software without a deep understanding of its implementation. While useful for rapid prototyping and experimentation, it introduces significant identity and access management risks, as the AI-generated code typically requests broader permissions than necessary, embeds hard-to-trace credentials, and creates enduring identities. This approach escalates the potential for over-privileged access, as AI tools prioritize generating working code over adhering to least-privilege principles. Consequently, security teams must adapt by implementing explicit identity governance for AI-generated outputs, ensuring that permissions are reviewed and that least-privilege principles are enforced at the deployment stage. Furthermore, organizations should maintain an up-to-date inventory of non-human identities created by AI-assisted development to manage their lifecycle effectively. This shift in development practices necessitates a focus on governance of identities, permissions, and access paths to mitigate risks and maintain security integrity.