AI Governance

Vibe Coding Is in Your Enterprise Whether You Approved It or Not. Here Is the Governance Response.

Georgia Tech's Vibe Security Radar just scanned over 43,000 security advisories and confirmed what CISOs have suspected: AI-generated code is introducing vulnerabilities at scale, with AI-assisted commits exposing credentials at double the rate of human-written code. This post examines the governance gap and the practical framework Australian enterprises need right now.

June 6, 2026 · 7 min read

Georgia Tech's Vibe Security Radar published new findings yesterday from a scan of more than 43,000 security advisories across the web. The research confirmed a pattern security teams had been observing but not yet formally quantifying: vibe coding, the practice of generating large blocks of code from natural language prompts with AI tools such as Claude Code, GitHub Copilot and Cursor, is introducing vulnerabilities into enterprise production systems at a pace governance frameworks were not designed to handle.

The numbers are specific and current. AI-assisted commits expose credentials in 3.2% of cases against a 1.5% baseline across all public GitHub commits, roughly double. Georgetown's Center for Security and Emerging Technology found cross-site scripting vulnerabilities in 86% of AI-generated code samples tested across five major language models. And between December 2024 and June 2025, monthly security findings at Fortune 50 enterprises rose tenfold, from approximately 1,000 to more than 10,000 per month, a rise that coincided with AI coding tool adoption.

This is not a developer productivity story. It is an AI governance story. And the governance gap is significant: only 37% of organisations have a formal AI policy that covers AI-generated code, according to the Cloud Security Alliance's 2026 State of AI Cybersecurity report, published two days ago.

What Vibe Coding Actually Is and Why Governance Has Not Kept Pace

Vibe coding is not a fringe practice. A JetBrains survey from early 2026 found that 35% of enterprise development teams are already using AI to generate large code blocks from natural language prompts. A February 2026 study by Laura Tacho at AWS found that 92.6% of developers use an AI coding assistant at least once a month. The adoption curve is steeper than most security and governance teams anticipated.

The governance problem is structural. AI-generated code passes superficial review because it is syntactically correct and appears to work. The vulnerabilities are in the patterns underneath: missing or incomplete input validation, over-permissive IAM role assignments and hardcoded credentials that look like legitimate configuration. Static analysis tools in their default configurations were tuned for the patterns human developers produce and miss many of these unless their rule sets are extended. And developers, research consistently finds, apply less scrutiny to AI-generated code than to code they wrote themselves, precisely because it looks authoritative.

The result is what the Cloud Security Alliance calls vibe coding security debt: technically functional, professionally presented, production-deployed code carrying vulnerabilities that standard tooling does not detect and that review processes do not catch because reviewers trust the AI output. In a large-scale scan by Escape.tech of 5,600 publicly deployed vibe-coded applications, researchers found 2,000 critical vulnerabilities, 400 exposed secrets including API keys and access tokens, and 175 instances of personally identifiable information including medical records and payment data. These were production applications, not test environments.

The Three Vulnerability Classes That Appear Consistently in AI-Generated Code

Security researchers across multiple independent studies consistently identify three recurring vulnerability patterns in AI-generated code that require specific governance responses.

Improper input validation. AI tools handle inputs the way the training data suggests inputs are typically handled, not the way a security-focused developer would validate them: untrusted strings are concatenated into HTML, SQL and shell commands without escaping or parameterisation. Cross-site scripting vulnerabilities appear in 86% of AI-generated code samples (Georgetown CSET), and injection vulnerabilities appear at similar rates. These are not exotic attack vectors: injection, which in the current OWASP Top 10 includes cross-site scripting, is among the most consistently exploited vulnerability classes.
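As an added example, not code from the original post or from any of the studies it cites: the concatenation pattern described above beside its context-aware fix, in Python. The attacker strings and the profile-rendering functions are constructed for this illustration; the point is that escaping is per output context, and that a URL attribute needs a scheme allowlist, which escaping alone does not give you.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker-controlled inputs (not taken from any real application).
ATTACKER_NAME = '<img src=x onerror="alert(document.cookie)">'
ATTACKER_ATTR = '" autofocus onfocus="alert(1)'      # breaks out of a quoted attribute
ATTACKER_URL = "JavaScript:alert(1)"                  # mixed case: browsers accept it
BENIGN_NAME = "Ada & Grace"
BENIGN_URL = "https://example.com/ada"


def render_profile_unsafe(name: str, url: str) -> str:
    """The shape an assistant tends to produce: untrusted strings dropped
    straight into markup. The text node, the title attribute and the href
    are all injectable."""
    return f'<a href="{url}" title="{name}">{name}</a>'


def safe_href(url: str) -> str:
    """URL context needs an allowlist, not escaping: html.escape leaves
    'javascript:' untouched and the browser still runs it. urlsplit lowercases
    the scheme, so the mixed-case and whitespace tricks fall through to '#'."""
    scheme = urlsplit(url.strip()).scheme
    return url if scheme in ("http", "https") else "#"


def render_profile_safe(name: str, url: str) -> str:
    """Escape per output context: html.escape(quote=True) is right for text
    nodes and double-quoted attribute values; the href additionally goes
    through the scheme allowlist before it is escaped."""
    esc_name = html.escape(name, quote=True)
    esc_url = html.escape(safe_href(url), quote=True)
    return f'<a href="{esc_url}" title="{esc_name}">{esc_name}</a>'


def has_active_content(rendered: str) -> bool:
    """Rough oracle for the demo: did a new tag, a live event-handler
    attribute or a javascript: href survive into the output?"""
    low = rendered.lower()
    return ("<img" in low or ' onerror="' in low or ' onfocus="' in low
            or 'href="javascript:' in low)


if __name__ == "__main__":
    cases = ((ATTACKER_NAME, ATTACKER_URL), (ATTACKER_ATTR, BENIGN_URL), (BENIGN_NAME, BENIGN_URL))
    for name, url in cases:
        print("unsafe:", render_profile_unsafe(name, url))
        print("safe:  ", render_profile_safe(name, url))
```

Template engines with auto-escaping (Jinja2 with autoescape on, JSX) perform the html.escape step for you; none of them apply the URL allowlist, which is why an otherwise well-escaped page can still carry a javascript: link generated from user data.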

Over-permissive IAM role assignments. AI coding agents generate infrastructure-as-code with whatever permissions make the task at hand work; they do not apply least privilege by default. A second pattern shows why that matters. A December 2025 study by Tenzai testing five major AI coding agents found that every one of them, five out of five, introduced server-side request forgery (SSRF) vulnerabilities when asked to generate a particular kind of feature. SSRF lets an attacker use the application as a proxy to reach internal services, including the cloud instance metadata endpoint (169.254.169.254 on AWS, Azure and GCP) that serves the credentials of the role attached to the workload. What the attacker can do with those credentials is bounded only by that role's permissions, so an over-permissive assignment turns one web bug into a cloud account compromise. Requiring the token-based metadata protocol (IMDSv2 on AWS) narrows the SSRF path; tightening the role narrows the blast radius.
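The following is an added example, not code from the original post or the Tenzai study: the outbound URL check a fetch-by-URL or webhook feature needs so that SSRF cannot reach the metadata endpoint. It goes beyond the text in one respect: besides the plain 169.254.169.254 literal it handles the bare-decimal, IPv4-mapped IPv6 and hostname forms used to evade string-based blocklists, by parsing the literal the way the socket layer will and by checking every resolved address. The resolver parameter and the metadata hostname list are assumptions for this illustration; with a resolver stub supplied, the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address space an outbound fetch from inside a cloud workload must never reach:
# loopback, RFC 1918, carrier-grade NAT, link-local (169.254.169.254 lives here)
# and the IPv6 equivalents. Illustrative list; extend for your environment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
# Names some platforms map to the metadata service without public DNS (assumed list).
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}


def literal_ipv4(host: str):
    """inet_aton accepts every form the C library does: dotted decimal, but also
    bare decimal ("2852039166"), octal and hex spellings of 169.254.169.254.
    Parsing the literal the same way the connect() path will closes that gap."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def is_blocked(addr) -> bool:
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped           # ::ffff:169.254.169.254 -> 169.254.169.254
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve(host: str) -> list:
    """Default resolver: every address the name maps to, as strings (scope ids dropped)."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url: str, resolver=resolve):
    """Return (allowed, reason). Validates scheme and host, then every address
    the host maps to, rather than the string the caller supplied."""
    try:
        parts = urlsplit(url)
    except ValueError as e:
        return False, f"unparseable URL: {e}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.rstrip(".") in METADATA_HOSTS:
        return False, f"{host} is a metadata service name"
    addr = literal_ipv4(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host)    # IPv6 literal such as [::1]
        except ValueError:
            addr = None
    candidates = [addr] if addr is not None else [ipaddress.ip_address(a) for a in resolver(host)]
    for a in candidates:
        if is_blocked(a):
            return False, f"{host} maps to blocked address {a}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/", "http://2852039166/",
              "http://[::ffff:169.254.169.254]/", "http://metadata.google.internal/",
              "file:///etc/passwd", "http://8.8.8.8/"):
        print(u, "->", check_outbound_url(u))
```

Two caveats a practitioner will want. The check is only meaningful if the HTTP client then connects to the address that was checked (pin it, or re-check inside the client's connection hook), otherwise a DNS name that rebinds between the check and the connect bypasses it. And it does not replace IMDSv2 or a tight instance role; it is the application-layer control that sits in front of them.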

Hardcoded credentials. GitGuardian's State of Secrets Sprawl 2026 report documented 28.65 million new hardcoded secrets in public GitHub commits during 2025, a 34% year-on-year increase and the largest single-year jump ever recorded. AI-assisted commits expose secrets at twice the rate of human-written code. A common mechanism is simple: a developer pastes an API key, database connection string or access token into a prompt to get working code, and the generated code comes back with that literal value embedded rather than read from the environment. The model has no notion that the string it was shown is a secret; it is working as intended. The governance process to prevent credential exposure in prompts and generated outputs simply does not exist in most organisations.

Why Existing Governance Frameworks Do Not Cover This

Most enterprise AI governance frameworks were built for a specific model of AI risk: an AI system that a technology team builds and deploys, against which a governance team assesses risk before go-live. The shadow AI problem, where employees use unsanctioned AI tools, was the extension of that model. Vibe coding is a different category again.

An AI coding assistant does not deploy a system. It generates code that a human commits to a repository, which a CI/CD pipeline deploys to production, passing through code review processes designed for human-authored code. The AI is an invisible contributor to every piece of code it helps write: it does not appear in the audit trail unless the tool or the developer adds a co-author trailer to the commit, which nothing enforces; it is not assessed in the governance process; and it is not covered by the AI acceptable use policy that most organisations have restricted to conversational and productivity tools.

The governance gap is not in the AI governance framework alone. It is at the intersection of AI governance, developer security policy and software supply chain security. An organisation can have a mature AI governance programme and still have no controls over what its developers are generating with AI coding assistants and deploying to production.

The Governance Controls That Work

In a 2026 framework study, ISACA documented a 36% reduction in remediation time, with no meaningful loss of developer velocity, among organisations that implemented controls at three layers. Those three layers are the minimum viable governance response to vibe coding.

Policy and tool governance. Establish an approved AI coding tool list and a corresponding AI acceptable use policy for developers that covers: which tools are authorised, what data categories can be included in prompts, what review obligations apply to AI-generated code and how credentials and sensitive information are handled. Trusenta's AI Governance platform provides the use-case intake and policy framework infrastructure to register AI coding tools alongside other AI systems in the enterprise inventory, applying consistent risk classification.

Code security controls specific to AI-generated outputs. Default static analysis (SAST) configurations are tuned for human-written code and miss many AI-generated vulnerability patterns; rule sets need to be reviewed and extended for the three classes above: injection and XSS sinks in application code, policy checks that reject wildcard actions and resources in infrastructure-as-code, and secret detection. Secret scanning must run where AI-generated code first lands, as a pre-commit hook on developer workstations and as push protection in the repository pipeline, so that a pasted key is blocked before it enters history, and the same detectors should be applied to what developers paste into prompts. Trusenta's Risk Management module supports the documentation of AI-specific security risks, including vibe coding vulnerabilities, with treatment plans linked to specific technical controls.
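One way to put the credential control into a pipeline, serving both the hardcoded-credentials discussion earlier and this paragraph: an added example, not the page's own tooling and not GitGuardian's detectors, of a scanner over the added lines of a staged diff, with a constructed sample diff. The detector patterns, the placeholder list and the 3-bit entropy floor are illustrative assumptions; production scanners carry hundreds of format-specific rules. The AWS values in the sample are the example credentials from AWS's own documentation, the rest are made up.

```python
import math
import re
from collections import Counter

# Rule order matters: specific credential formats come first, so a line that
# matches one of them is not reported a second time by the generic rule.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("connection_string", re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@[^\s/]+", re.I)),
    # Generic: a name containing secret/token/password/api_key assigned a 12+ char value.
    ("generic_assignment", re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)[A-Za-z0-9_]*\s*[:=]\s*['\"]?([^'\"\s#]{12,})")),
]
# Values that satisfy the generic rule but are template placeholders, not secrets.
PLACEHOLDER = re.compile(r"(?i)^(?:\$\{.*\}|<.*>|x{6,}|changeme.*|your[_-].*|example.*|\.\.\.)$")
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")
ENTROPY_FLOOR = 3.0   # bits per character; an illustrative threshold, not a standard


def shannon_entropy(s: str) -> float:
    """Bits per character: real keys sit well above 3, repeated filler near 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def first_finding(line: str):
    """Return (rule, matched_value) for the first rule that fires on a line, or None."""
    for rule, pat in RULES:
        m = pat.search(line)
        if not m:
            continue
        value = m.group(1) if m.groups() else m.group(0)
        if rule == "generic_assignment" and (
                PLACEHOLDER.match(value) or shannon_entropy(value) < ENTROPY_FLOOR):
            continue
        return rule, value
    return None


def scan_diff(diff_text: str):
    """Scan only the lines a commit would add; report (path, new-file line, rule, value)."""
    findings, path, line_no = [], None, None
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            line_no = None                      # next file: wait for its hunk header
        elif raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif (m := HUNK_HEADER.match(raw)):
            line_no = int(m.group(1)) - 1
        elif line_no is None or raw[:1] in ("-", "\\"):
            continue                            # outside a hunk, removed line, or "\ No newline"
        else:
            line_no += 1                        # context and added lines both advance the new file
            if raw.startswith("+"):
                hit = first_finding(raw[1:])
                if hit:
                    findings.append((path, line_no, *hit))
    return findings


# Constructed sample diff (not from any real repository).
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,7 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DATABASE_URL = "postgres://app:Sup3rS3cretPw@db.internal:5432/prod"
+API_KEY = "${SERVICE_API_KEY}"  # template placeholder, must not be flagged
+PASSWORD = "aaaaaaaaaaaaaaaa"   # low-entropy filler, must not be flagged
 DEBUG = False
diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyzAB
+SESSION_SECRET=changeme_please_rotate
"""

if __name__ == "__main__":
    for path, line, rule, value in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{line}: {rule}: {value[:10]}...")
```

Wired as a pre-commit hook the scanner reads the output of `git diff --cached` and fails the commit on any finding; the same function run in CI over the push range gives the server-side push protection the paragraph calls for. Because it parses unified diff rather than the working tree, it reports the file and line a reviewer will see and ignores lines the commit removes, so rotating a key out of a file does not trip it.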

Review process governance. The core enterprise risk is not that AI writes bad code. It is that developers trust AI-generated code more than manually written code, reducing the scrutiny applied at review time. Governance policies must mandate security review tiers based on code risk level regardless of authorship. Human-in-the-loop review requirements for AI-generated code touching authentication, data access, external communications and payment flows are the minimum standard for regulated environments in Australia.

The Australian Regulatory Dimension

For Australian enterprises operating in financial services, healthcare and government, the vibe coding governance gap has specific regulatory implications that go beyond general security practice.

The Privacy Act automated decision-making obligations arriving on 10 December 2026 apply to any AI system making or substantially contributing to decisions affecting individuals. If an AI coding assistant generates a recommendation engine, a risk scoring algorithm or an eligibility assessment system, and that system is deployed to production without adequate governance documentation, the organisation may have a Privacy Act exposure it was not aware of because the AI-generated origin of the system was never registered.

APRA prudential standards, CPS 234 on information security and CPS 230 on operational risk management, require regulated entities to understand and manage the operational risks of the systems they deploy. AI-generated code that introduces vulnerabilities into systems handling customer financial data creates an operational risk exposure that the current vibe coding governance gap is leaving undocumented.

What This Means for Your Organisation

At Trusenta, the vibe coding governance question is arriving from two directions simultaneously. Security teams are discovering AI-generated vulnerabilities in code review and production monitoring, and asking what governance controls should have prevented them. AI governance teams are being asked whether their frameworks cover the AI tools developers are using, and finding that they do not.

The practical response is extending the AI governance framework to explicitly cover AI coding tools as a specific category of AI use, with the three-layer control set described above. This is not a separate programme. It is a configuration of the existing governance infrastructure that most organisations have already begun building.

Key Takeaways

  • Georgia Tech's Vibe Security Radar, published yesterday, confirmed AI-generated code introduces vulnerabilities at scale across 43,000+ security advisories
  • AI-assisted commits expose credentials at double the rate of human-written code (3.2% vs 1.5%) according to CSA 2026
  • Only 37% of organisations have a formal AI policy covering AI-generated code
  • Three consistent vulnerability classes: improper input validation, over-permissive IAM assignments and hardcoded credentials
  • Existing AI governance frameworks typically do not cover AI coding tools, creating a gap between policy intent and actual coverage
  • ISACA documented 36% reduction in remediation time with governance controls at three layers, without reducing developer velocity

How Trusenta Can Help

AI Governance: Trusenta's AI Governance platform extends the use-case intake and AI system registry to cover AI coding tools as a specific risk category, ensuring vibe coding tools are governed alongside other enterprise AI systems rather than operating in a separate ungoverned space.

Risk Management: Trusenta's Risk Management module provides the AI-specific risk taxonomy to document vibe coding security risks, including credential exposure, IAM over-permissioning and injection vulnerability patterns, with treatment plans linked to specific technical and process controls.

AI Governance Maturity Uplift: For organisations that have AI governance frameworks in place but have not yet extended them to cover AI-generated code, this engagement designs and implements the policy, review process and technical control extensions that close the vibe coding governance gap.

Conclusion

Vibe coding is already in your enterprise. The question is not whether your developers are using AI coding assistants. Thirty-five percent of enterprise development teams are using them, and 92.6% of developers use AI coding tools at least monthly. The question is whether your governance framework covers what those tools are producing. For most organisations, it does not. The governance extension required is not complex. It is a decision to treat AI-generated code as a governed output of an AI system, applying the same intake, risk assessment and control disciplines that responsible AI governance requires for any AI system operating in your environment.

Author

Shane Coetser
With over 30 years of experience delivering real technology outcomes, he combines strategic insight with deep technical expertise across enterprise, cloud and AI. At Trusenta, he helps organisations move beyond AI hype to accountable, sustainable impact.
https://www.linkedin.com/in/shanecoetser/