AI coding tools made something genuinely new possible: a person with no engineering background describes an app in plain language, accepts whatever the model produces, and gets working software. The community named it vibe coding — coding by vibes, without reading the code. For prototypes and personal tools, it's wonderful. The trouble starts when that demo is sold to a company as a product.
Why the demo always works
A demo lives in the kindest possible world: one user, clean data, the happy path, no attacker. Vibe-coded software is optimized for exactly that world, because its only quality check was "does it look right when I click through it." Production is the opposite world — concurrent users, malformed input, third-party outages, and a security scanner probing every endpoint within hours of deployment.
Where it breaks
- Security — generated code routinely ships with the classics: secrets committed to the repository, authorization that stops at "is the user logged in?" with no ownership check on individual endpoints, SQL built by string concatenation from user input, no rate limiting. The person who can't read code can't review for any of these, and none of them are visible from the UI.
- Edge cases — what happens on a double-click on "Pay", an empty file upload, a timezone boundary, a user deleted mid-session? Senior engineers design for these because they've been paged for them.
- Data integrity — the demo never loses data; the production app without transactions, constraints and migrations quietly corrupts it. This failure is invisible until it's expensive.
- Maintainability — vibe-coded systems grow by re-prompting until it compiles. Six months in, nobody — including the model — can change one behavior without breaking three others.
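Two of the security items above, shown side by side in code. This is an added illustration, not code from the original post or from any Roundly project; the table layout, the user and invoice rows, and the `' OR '1'='1` probe are all constructed for the example. The vulnerable functions are the pattern the text describes; the hardened ones bind the value as a parameter and put ownership into the query itself.

```python
import sqlite3


def make_db():
    """Constructed in-memory tables standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total_cents INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")])
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(10, 1, 4200), (11, 2, 99900)])
    return conn


# VULNERABLE: the query is assembled by string concatenation, so the
# user-supplied name is parsed as SQL. A name of  ' OR '1'='1  turns the
# WHERE clause into "name = '' OR '1'='1'" and returns every row.
def lookup_user_vulnerable(conn, name):
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# HARDENED: the value travels as a bound parameter. The database receives
# the query text and the value separately, so the value can never change
# the query's shape; the same probe simply matches no user.
def lookup_user_safe(conn, name):
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)).fetchall()


# VULNERABLE: the framework already confirmed the caller is logged in, so the
# endpoint "trusts" the invoice id from the URL. Any logged-in user can read
# any invoice by changing the number (the "missing authorization check" case).
def get_invoice_vulnerable(conn, current_user_id, invoice_id):
    return conn.execute(
        "SELECT id, owner_id, total_cents FROM invoices WHERE id = ?",
        (invoice_id,)).fetchone()


# HARDENED: ownership is part of the lookup. A foreign invoice id returns
# None exactly like a non-existent one, so the response also does not leak
# which ids exist.
def get_invoice_safe(conn, current_user_id, invoice_id):
    return conn.execute(
        "SELECT id, owner_id, total_cents FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id)).fetchone()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable lookup:", lookup_user_vulnerable(db, probe))   # both users
    print("safe lookup:     ", lookup_user_safe(db, probe))          # []
    print("alice reads bob's invoice, vulnerable:", get_invoice_vulnerable(db, 1, 11))
    print("alice reads bob's invoice, safe:      ", get_invoice_safe(db, 1, 11))
```

The test a reviewer would ask for is the last two lines: a per-endpoint check that user 1 cannot read invoice 11. If the test suite has no such case for an endpoint, the authorization on that endpoint is assumed, not verified.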
The twist: we use AI heavily too
The conclusion is not "avoid AI tools." We use them daily, and they have changed how fast we deliver. The difference is what the AI's output meets when it arrives: an architecture chosen for the problem, code review by people who have operated systems for decades, tests that encode requirements, and a deployment pipeline with monitoring and rollbacks. AI is a multiplier — it multiplies the judgment of whoever wields it. Multiply zero and you get zero, faster.
Twenty-plus years of engineering doesn't show up in how the code looks. It shows up in the questions asked before any code exists: what must never fail here, who will attack this, what will this look like with a hundred times the data, who maintains it in year three. AI doesn't ask those questions on its own — someone in the room has to.
Questions to ask whoever builds your app
Whether you're hiring an agency or evaluating an internal project, these five questions separate engineering from vibes:
- How is authorization tested — per endpoint, or assumed from the framework?
- What happens when the database and a payment provider disagree, for example when the provider charged the card but the app crashed before recording it? (Listen for transactions, idempotency keys, reconciliation.)
- Show me the test suite and what it covers.
- How do deployments roll back, and how do you learn something broke before the customer tells you?
- Who can read and modify this code in two years?
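The double-click on "Pay" from the edge-case list and the database-versus-provider question above are the same problem from two sides, so one added example covers both. It is not code from the original post or from any Roundly project: the `FakeProvider` class, the `payments` table, the `pay` and `reconcile` functions and the key names are all constructed here. The idempotency key is assumed to be generated by the client when the Pay button is rendered, so a double-click sends the same key twice; the provider is assumed to dedupe on that key, which is how real card processors behave, and it can be told to fail after taking the money, which is the disagreement the question asks about.

```python
import sqlite3
import uuid


class FakeProvider:
    """Constructed stand-in for a card processor."""

    def __init__(self):
        self.charges = {}              # charge_id -> (idempotency_key, amount_cents)
        self.fail_after_charge = False  # simulate "money taken, response lost"

    def charge(self, idempotency_key, amount_cents):
        for charge_id, (key, _) in self.charges.items():
            if key == idempotency_key:  # replay of a known key: no second debit
                return charge_id
        charge_id = "ch_" + uuid.uuid4().hex[:8]
        self.charges[charge_id] = (idempotency_key, amount_cents)
        if self.fail_after_charge:
            raise ConnectionError("network error after the provider debited the card")
        return charge_id


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE payments (
        idempotency_key TEXT PRIMARY KEY,
        order_id TEXT NOT NULL,
        amount_cents INTEGER NOT NULL,
        provider_charge_id TEXT,
        status TEXT NOT NULL CHECK (status IN ('pending', 'succeeded')))""")
    return conn


def pay(conn, provider, order_id, amount_cents, idempotency_key):
    """Charge at most once per idempotency key and return the charge id."""
    existing = conn.execute(
        "SELECT status, provider_charge_id FROM payments WHERE idempotency_key = ?",
        (idempotency_key,)).fetchone()
    if existing and existing[0] == "succeeded":
        return existing[1]                       # duplicate submit: return the first result
    if existing is None:
        try:
            with conn:                           # committed before the provider is called:
                conn.execute(                    # the row is the record that an attempt exists
                    "INSERT INTO payments VALUES (?, ?, ?, NULL, 'pending')",
                    (idempotency_key, order_id, amount_cents))
        except sqlite3.IntegrityError:
            pass                                 # a concurrent request claimed the key first
    # A 'pending' row reaching this point means an earlier attempt died between the
    # provider call and the commit; retrying with the same key is safe because the
    # provider dedupes on it. If the provider raises here, the row stays 'pending'
    # and reconcile() will settle it.
    charge_id = provider.charge(idempotency_key, amount_cents)
    with conn:
        conn.execute(
            "UPDATE payments SET provider_charge_id = ?, status = 'succeeded' "
            "WHERE idempotency_key = ?", (charge_id, idempotency_key))
    return charge_id


def reconcile(conn, provider):
    """Compare the provider's charges with the ledger. Returns (repaired_keys,
    orphan_charge_ids): pending rows the provider did charge are completed;
    charges the ledger never heard of are flagged for a human."""
    repaired, orphans = [], []
    for charge_id, (key, _) in provider.charges.items():
        row = conn.execute(
            "SELECT status FROM payments WHERE idempotency_key = ?", (key,)).fetchone()
        if row is None:
            orphans.append(charge_id)
        elif row[0] == "pending":
            with conn:
                conn.execute(
                    "UPDATE payments SET provider_charge_id = ?, status = 'succeeded' "
                    "WHERE idempotency_key = ?", (charge_id, key))
            repaired.append(key)
    return repaired, orphans


def succeeded_count(conn):
    return conn.execute(
        "SELECT COUNT(*) FROM payments WHERE status = 'succeeded'").fetchone()[0]


if __name__ == "__main__":
    db, provider = make_db(), FakeProvider()
    first = pay(db, provider, "order-1", 4200, "btn-1")
    second = pay(db, provider, "order-1", 4200, "btn-1")   # the double-click
    print("same charge:", first == second, "charges at provider:", len(provider.charges))
    provider.fail_after_charge = True
    try:
        pay(db, provider, "order-2", 999, "btn-2")
    except ConnectionError as exc:
        print("provider failed:", exc)
    print("ledger says", succeeded_count(db), "succeeded; provider has", len(provider.charges))
    print("reconcile:", reconcile(db, provider))
```

The three things to listen for map onto three places in the code: the transaction that records the attempt before money moves, the idempotency key that makes a retry or double-click harmless, and the reconciliation job that closes the gap when the two systems still disagree. A vibe-coded checkout usually has none of them and charges twice on the double-click, or once with no order recorded.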
Confident, specific answers mean engineering happened. Hand-waving means you're buying a demo.
Where we stand
Roundly’s position is simple: AI-accelerated development, senior engineering judgment, and no shipping of unreviewed generated code. That’s why security audits and testing are standalone services here, not afterthoughts — quite a few of those engagements start with a vibe-coded app that met its first real users. Read more about how we work, or bring us the app you’re worried about.
