Shadow IT has always been a concern for the IT department. The problem used to be users introducing unauthorized SaaS subscriptions or applications to make their job easier, while initiating new security and management headaches for IT. With advances in generative AI, a new shadow IT threat has emerged. Employees aren’t just using unauthorized software; they’re building their own tools.
Vibe coding is emerging as a way for users to create their own applications using natural-language prompts. Using readily available AI platforms, anyone can write a program to perform business tasks. The problem, of course, is that this kind of unauthorized roll-your-own software hasn’t been properly tested for bugs or security gaps, lacks an explicit architecture, and certainly has no documentation. The immediate benefits don’t outweigh the risks that traditional DevOps practices aren’t equipped to detect.
Shadow IT is now taking the form of homegrown, rogue applications that may have unpredictable impacts on enterprise systems.
Vibe Coding is Gaining Momentum
Vibe coding is not a formal development methodology like agile software development. Vibe coding is a behavior pattern gaining ground as powerful AI coding tools help teams meet delivery deadlines.
There is nothing inherently wrong with vibe coding. Using AI for coding is not a sign of incompetence; it often occurs when deadline pressure and weak or slow governance coincide. Vibe coding behavior emerges naturally as developers start seeking shortcuts.
Vibe coding is becoming part of the developers’ toolkit. A 2025 study shows that 80% of developers use AI in their workflows, yet 72% say vibe coding isn’t part of their professional work. However, AI coding is empowering non-developers as well.
Now, finance managers can spin up an unapproved workflow, a marketing team can build a customer tracking app, or an operations manager can connect systems using automated scripts. Anyone can create working software using natural language prompts.
The DevOps Blind Spot
Vibe coding has many benefits and solves real problems. Using AI coding makes it easy to prototype new ideas without straining overtaxed engineering resources. Experienced developers can use vibe coding to accelerate routine tasks. Even non-developers can start building their own solutions.
Vibe coding prioritizes speed, immediate functionality, and generating output that “looks right.” Where it falls short is in ignoring critical factors such as architecture decisions, security considerations, scalability, maintainability, and documentation. With vibe coding, you are creating software that works until it doesn’t. Then it’s impossible to troubleshoot.
For DevOps teams, the challenge of vibe coding is that it allows the creation of critical systems outside of established development protocols. AI-created rogue software lacks source control, continuous integration/continuous deployment (CI/CD), automated testing, monitoring and observability, and security review.
While vibe coding apps may be invisible to DevOps, they are not isolated. Many of these applications connect to production systems, such as financial platforms, customer databases, and operational tools. As a result, vibe coding creates dependencies that the DevOps team can’t manage or ever fully understand.
The bigger shadow IT problem isn’t just that AI is generating unsanctioned tools, but unsanctioned systems.
Why Working Apps Aren’t Enough
There is a misconception that when AI-generated code runs, it’s ready to deploy. There is a clear distinction between the requirements for functional and non-functional software. Functional software must not only perform the task but also be secure, reliable, and scalable.
Vibe coding takes shortcuts and compresses the conventional coding process. Applications written with AI pass basic checks, deliver immediate results, and appear properly structured. What AI-written apps lack is testing resilience under load, error handling, secure data practices, and maintainability.
In the Stack Overflow 2025 Developer Survey, 66% of developers report that AI-generated code is frequently “almost right,” but requires additional refinement and debugging. Non-developers don’t even see the shortfalls, let alone how to close the gaps.
Security is the biggest weakness in using vibe coding for enterprise applications. Enterprise software is designed to enforce security and access controls, including access permissions, code reviews, dependency management, deployment safeguards, and audit trails. Vibe coding bypasses these controls, sacrificing security for expedience.
When software is created using AI prompts, critical questions have no clear answers:
- Who validated the code?
- What data was exposed during generation?
- How were vulnerabilities assessed?
- Can the system be audited or explained?
When something goes wrong, such as a data leak, logic error, or system failure, code ownership becomes murky. Often, the person who created the code may not understand how it works because they used AI to create it. They simply described the desired functionality and let AI fill in the gaps.
When the AI Becomes the Application
There is a new trend that goes beyond vibe coding, where there is no application, but the workflow is in the AI. Rather than generating application code, users interact directly with large language models (LLMs) to define rules, execute tasks, and generate output in real time. Rather than embedding business logic in application code, the AI interprets plain language prompts on the fly.
Initially, this appears to be a safer approach since there is no rogue codebase to secure and maintain. In practice, this is a more insidious form of shadow IT.
Code executes predictably, but AI does not. Instructions may be misinterpreted, inconsistently applied, or even contradicted. Without any structured guardrails, the same input could yield different results. Externally hosted AI tools also require sensitive company data to be transmitted outside the organization, with limited visibility and little or no auditability.
Using AI to execute workflows creates a new class of shadow IT with no code review, no system for inspection, and no clear means to govern.
Seeking Frictionless Structured Development
How do you deal with shadow AI-written apps in the enterprise? The first inclination is to clamp down. Restrict the use of AI tools. Limit enterprise access. Force all software development through traditional channels. Banning AI tools altogether seldom works.
Shadow IT has always thrived, despite bans and crackdowns. Tell employees they can’t use AI apps, and they will find a workaround. The harder you make it to use their own AI-written apps, the more determined they become.
Rather than stopping vibe coding altogether, channel it.
Structured no-code and low-code platforms offer a different approach to AI-generated software. Instead of allowing AI-written apps to emerge in isolation, make them part of sanctioned low-code/no-code development.
By incorporating low-code/no-code platforms into the enterprise, you can build an infrastructure that supports vibe coding with defined data structures, built-in access controls, centralized management, and traceability. It’s also integrated into existing workflows.
By providing a ready-made platform for home-grown AI-written apps, you preserve the speed and accessibility of modern software development while maintaining governance. You aren’t eliminating the flexibility of vibe coding. You’re merely ensuring it operates within a controlled framework.
Casting Light on Shadow IT
The growing, inevitable prevalence of unauthorized vibe-coding software requires a shift in DevOps mindset. It’s no longer enough to manage the pipeline. DevOps needs to extend governance to accommodate AI software development.
A practical approach to controlling rogue AI apps includes:
- Bring AI into the system – Assume that teams will use AI tools to make their jobs easier. Invite them to use those tools in approved environments.
- Establish lightweight guardrails – Create clear guidelines and expectations for software security, data use, and deployment. Impose checks without creating friction.
- Expand validation, not just automation – Use AI to support testing, code review, and documentation. AI is more than a code generator, so use it to your advantage.
- Adopt platforms that enforce structure – Leverage low-code/no-code platforms that have built-in infrastructure and governance rather than relying on ad hoc solutions.
- Invest in AI literacy – Show teams how to look beyond generating code. Teach them how to evaluate and manage the software they create.
Vibe coding is not a passing trend and, like shadow IT, it’s here to stay. The difference with vibe coding is the scale and impact it can have on enterprise systems. What used to be simple workarounds are becoming full-fledged systems embedded in business operations, creating potential points of failure across the enterprise.
The organizations that succeed won’t be the ones that try to eliminate vibe coding—they’ll be the ones that bring it into the light. DevOps teams must evolve from pipeline managers to governors of how software is created, regardless of who creates it. That means enabling speed while enforcing structure, giving teams the tools to build quickly within systems that ensure security, traceability, and control. In the end, the competitive advantage won’t come from how fast you can generate software—it will come from how confidently you can trust it.

