Where AI-assisted delivery fails in practice.
These are the failure modes we see when teams "vibe code" without constraints. Each one is preventable with explicit specs and review.
Authentication hallucinations
AI mixes auth patterns (JWT vs cookies vs sessions) and can ship insecure defaults. Lock the auth contract first.
API mismatch
Generated endpoints often ignore existing contracts, idempotency rules, pagination, or error models.
Implicit data exposure
Logging, error traces, and telemetry can leak secrets or PII when AI adds verbose debug output.
Tooling gaps
Agents may claim to write files or run tests when they cannot. Require explicit proof and diffs.
Write collisions
Multi-agent flows can overwrite files or regress security controls without detection. Use file boundaries.
Prevention checklist
- Define an auth spec: flows, storage, CSRF, rotation, logout, and audit logging.
- Lock API contracts and error schemas before code generation.
- Require security linting and dependency scanning on every AI output.
- Restrict AI edits to known files and enforce PR review.
- Capture AI prompts and outputs as audit artifacts.