Andrej Karpathy named it. Collins Dictionary canonised it. And somewhere between “just vibing” and “41% of all code being AI-generated,” vibe coding stopped being a joke and became a description of how a significant portion of the industry actually works.
I have been doing this for eight months on real projects — a subscription SaaS, an internal admin tool, a client e-commerce integration. Here is an honest reckoning with what the data says and what the data misses.
The numbers first
The statistics on vibe coding in 2025 are genuinely difficult to hold in your head because they are simultaneously impressive and alarming:
- 92% of US developers now use AI coding tools daily
- 41% of all code written in 2025 was AI-generated
- Projects using AI-assisted development report up to 55% faster completion times
- Senior developers (10+ years) report 81% productivity gains
- Junior developers report no statistically significant productivity improvement
- AI-generated code produces approximately 1.7x more issues than human-written code
- 45% of AI-generated code samples fail OWASP Top-10 security benchmarks
- Developer trust in AI code output dropped from 40% to 29% in a single year
These numbers are from Second Talent’s 2026 vibe coding report and Hostinger’s developer survey. They paint a picture in which the “AI will 10x your productivity” camp and the “AI code is dangerous” camp are both partially right and both missing context.
What vibe coding actually looks like at work
The term has become baggage. When Karpathy coined it in early 2025, he was describing a specific mode of working: describe the problem in natural language, let the AI generate the code, run it, iterate. Fully surrendering the keyboard, essentially.
Most working developers are not doing that. What they are actually doing is a spectrum:
Light vibe coding: Autocomplete on steroids. You write the structure, the AI fills in the implementation. Cursor’s 72% autocomplete acceptance rate suggests this is genuinely useful — developers are keeping nearly three quarters of what the AI suggests.
Medium vibe coding: Delegating complete functions or components. “Write a debounced search hook that handles cancellation.” You review the output, adjust, integrate. This is where the 81% productivity gain for senior developers comes from — they have the judgment to review AI output quickly.
Heavy vibe coding: Delegating entire features or subsystems. “Build the checkout flow.” The AI writes most of it, you review and correct. This is where the 1.7x bug rate shows up, because reviewing unfamiliar AI-generated code for subtle correctness is genuinely hard.
Why junior developers are not seeing the gains
The data point that deserves more attention is the one nobody in the “AI will democratise coding” camp wants to discuss: junior developers show no measurable productivity improvement from AI tools.
This is not a small-sample-size finding. It shows up across multiple surveys. And the reason is obvious once you think about it: AI tools make you faster at the tasks you could already do. They compress the time between “knowing what to write” and “having written it.” They do not help you figure out what to write.
A senior developer can review a 200-line AI-generated authentication flow in three minutes because they can immediately see whether the session management is correct, whether the token rotation is right, whether the CSRF handling matches the threat model. A junior developer reading the same code has no reliable way to know if it is correct — it looks plausible, it runs, it might be subtly wrong in ways that only appear at 3am six months later.
This is also why overall programmer employment fell 27.5% from 2023 to 2025 while senior roles remained stable. AI took the entry-level work.
The security problem is real
45% of AI-generated code failing OWASP security benchmarks should be alarming. It largely has not triggered the alarm it deserves, possibly because most of the failures are in subtle categories — insecure defaults, insufficient logging, missing input validation on edge cases — rather than obvious SQL injections that tooling catches automatically.
The pattern I have seen in my own work: AI-generated code handles the happy path securely. It validates the expected inputs. Where it fails is at the boundaries — what happens when the input is null, when the external API returns 429, when the database connection drops mid-transaction. These are the cases that humans who have been burned before instinctively harden against. The AI has not been burned before.
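The three boundaries named above (null input, a 429 from an external API, a database failure mid-transaction), hardened in one small function. This is an added example, not code from the author's projects; the order/payment schema, the RateLimited exception and the charge callable are constructed stand-ins for illustration.

```python
import sqlite3
import time

class RateLimited(Exception):
    """Constructed stand-in for an HTTP 429 from the payment API."""
    def __init__(self, retry_after=0.0):
        super().__init__("429 Too Many Requests")
        self.retry_after = retry_after

def make_db():
    # Constructed schema: two tables that must be written together or not at all.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders(user_id TEXT NOT NULL, amount_cents INTEGER NOT NULL)")
    db.execute("CREATE TABLE payments(charge_id TEXT UNIQUE NOT NULL, amount_cents INTEGER NOT NULL)")
    return db

def charge_with_retry(charge, amount, max_attempts=3, sleep=time.sleep):
    """Retry on 429 only, a bounded number of times, honouring a capped Retry-After."""
    for attempt in range(1, max_attempts + 1):
        try:
            return charge(amount)
        except RateLimited as exc:
            if attempt == max_attempts:
                raise  # give up loudly instead of looping forever
            sleep(min(exc.retry_after, 5.0))

def record_order(db, charge, order, sleep=time.sleep):
    # Boundary 1: null, missing or wrong-typed input is rejected before any side effect.
    if not isinstance(order, dict):
        raise ValueError("order must be an object")
    user, amount = order.get("user_id"), order.get("amount_cents")
    if not isinstance(user, str) or not user:
        raise ValueError("user_id is required")
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        raise ValueError("amount_cents must be a positive integer")
    # Boundary 2: the external API may answer 429.
    charge_id = charge_with_retry(charge, amount, sleep=sleep)
    # Boundary 3: a failure between the two writes must not leave half an order behind.
    try:
        with db:  # sqlite3 connection as context manager: commit on success, rollback on error
            db.execute("INSERT INTO orders VALUES (?, ?)", (user, amount))
            db.execute("INSERT INTO payments VALUES (?, ?)", (charge_id, amount))
    except sqlite3.Error as exc:
        # The charge went through but nothing was stored: surface it for reconciliation.
        raise RuntimeError(f"charge {charge_id} succeeded but was not recorded") from exc
    return charge_id
```

Injecting sleep and charge keeps each boundary testable without a network or real delays, which is what makes the edge-case tests cheap to write.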
What actually works
After eight months, my workflow is this:
Delegate the scaffolding, own the edges. Let the AI write the structure. Review it specifically for the failure modes that are not in the happy path. Add tests for the edge cases the AI missed. This is faster than writing everything yourself and safer than trusting AI output uncritically.
Keep your mental model. The 81% productivity gain for senior developers comes with a hidden cost: you spend less time reading code, so your mental model of your own codebase slowly degrades. I now deliberately read AI-generated code I could have just run, because understanding what is in my codebase is not optional.
Security pass everything. Run every AI-generated pull request through a security linter before it gets to review. Semgrep is free and catches the most common OWASP failures. It takes thirty seconds and has saved me twice.
The honest verdict
Vibe coding works. The 55% speed improvement is real, at least for experienced developers on well-defined tasks. The productivity gains are real. But they come with an invisible cost: a codebase you understand less deeply than one you wrote yourself, and a security surface area that requires active management.
The developers who are getting the most out of these tools are treating AI-generated code the way a senior engineer treats code from a capable but inexperienced colleague: useful as a starting point, requires review, not something you ship without reading carefully.
The ones struggling are either refusing to use the tools at all, or using them without adequate review. Both groups are leaving value on the table, in different ways.
Collins naming vibe coding Word of the Year was a cultural moment. The real story is more mundane: this is a tool, it has tradeoffs, and using it well requires judgment that you can only build by actually building things.