The VibeSec Reckoning

When Thoughtworks' AI applications team was asked to scale a vibe-coded prototype to 10,000 employees, they discovered two near-miss security incidents: an AI recommending public cloud storage and over-permissioned service accounts. The core lesson is that prompting an AI to 'be secure' is insufficient — security must be enforced through deterministic pipeline gates, not probabilistic instructions. Practical recommendations include: creating a versioned security context file loaded into every AI coding session (covering zero trust, secrets management, supply chain integrity, and harness engineering gates), building a daily CVE/security intelligence feed for tools your team uses, questioning every permission the AI suggests, and using red-team prompts to surface vulnerabilities. Long-term, teams should integrate harness engineering into prototyping templates, provide secure-by-default starter templates, and define a shared security harness across business functions and engineering.