
Vibe Coding in the Enterprise: A Guide for IT Leaders and CIOs

Tobias Jonas | 20 min read

What used to be an Excel file with macros is today a complete web application – built in two hours by a business unit without any software engineering experience. Vibe Coding, AI-assisted software development by non-developers, is fundamentally changing the IT landscape in companies. This article is a guide for IT leaders and CIOs who now need a strategy not just to tolerate this development, but to integrate it productively and securely into their organization.

Key Takeaways

  • Vibe Coding describes software development by non-developers using AI assistants like ChatGPT, Claude, or GitHub Copilot. Humans describe what they need in natural language; the AI generates working code.
  • Main risk for enterprises: Shadow IT 2.0 – productively used web applications without SSO, logging, security scans, or controlled hosting.
  • Solution pattern: Central AI platform (e.g. CompanyGPT) + GitHub as the code hub + GitHub Copilot as an AI reviewer with skills + CI/CD pipeline on managed cloud infrastructure (Azure App Service, Static Web Apps, or Kubernetes) + app catalog with maturity model.
  • Role of IT: Platform operator and quality guarantor – not a gatekeeper, not a developer.

The Starting Point: A Real-World Example from the German Mittelstand

Recently, we received an inquiry from a mid-sized family-owned manufacturing company with around 500 employees. The IT department was facing a scenario we now see regularly: a business unit had begun developing HTML-based web tools using the company’s internal AI platform. These were calculation and helper tools related to the company’s own products and services – essentially applications that had previously existed as Excel calculations.

The pressure on the IT department was high. In the short term, these tools were to be made available internally for testing. Looking ahead, even a public release with a login area for external partners and customers was planned. The IT department had neither experience in web development nor in web hosting and faced the question: How do we build a solid foundation that brings these new artifacts into production safely and professionally?

This scenario is not an isolated case. It is the new normal.

What Is Vibe Coding – and Why Is It Happening Now?

The term Vibe Coding was coined by AI researcher Andrej Karpathy and describes a development approach where people use AI tools such as ChatGPT, Claude, Cursor, or GitHub Copilot to create software by describing in natural language what they need. The developer becomes a conductor orchestrating the AI rather than writing code themselves.

The barrier to creating functional software has effectively dropped to zero. What used to require a frontend developer, a backend developer, and a DevOps engineer can now be produced in a few hours by a product manager, a controller, or a sales employee using an AI chatbot. The results are often astonishing: functional web applications with forms, calculation logic, database connections, and even authentication mechanisms.

Adoption is rapid. In the 2024 Stack Overflow Developer Survey, 76 percent of respondents said they use or plan to use AI tools in their development process. Even more significant: these tools are increasingly being used by non-developers. What used to be considered “power users with Excel” is now manifesting as “business unit builds web application.”

The Risks: Why IT Departments Must Act Now

The productivity gains from vibe coding are real. GitHub’s own controlled experiment measured roughly 55 percent faster completion of a defined coding task with Copilot, and surveys consistently report high user satisfaction. But this speed masks significant risks that IT leaders must understand and address.

Shadow IT 2.0

What used to be uncontrolled Excel files and Access databases on department drives are today fully functional web applications running on private cloud accounts, local machines, or free hosting services. This new generation of shadow IT is potentially more dangerous, because unlike an Excel file, a web application has an attack surface on the network or even on the internet.

CTO advisor Keith Townsend put it well when drawing the historical parallel to Lotus Notes: decentralized departmental workflows initially accelerated productivity but ultimately led to significant operational complexity and technical debt. Vibe coding has the potential to repeat this pattern with turbo-charged tooling.

Security Risks and Data Protection

Vibe coding apps are typically created without security awareness. The AI generates code that runs, but it often contains vulnerabilities: missing input validation, SQL injection, hardcoded credentials, missing encryption, unvetted dependencies. According to the Snyk AI Code Security Report, nearly 80 percent of surveyed developers bypass security policies when using AI tools, while only about 10 percent of organizations automatically scan the majority of their AI-generated code. Both figures are self-reported, but they point the same way: the code is trusted more than it is checked.

It becomes especially critical when these apps have external access: as a customer portal, as an API endpoint for partners, or as a tool that sends data via email. Without security review, such applications can leak company data unnoticed.

Technical Debt and Lack of Maintainability

AI-generated code is often functionally correct but rarely architecturally sound. Logging, error handling, clean separation of configuration and code, automated tests, and documentation are missing. This technical debt accumulates quickly and only becomes visible when the application needs to be maintained, extended, or migrated to another environment.

Lack of Integration with the IT Landscape

Vibe coding apps are isolated solutions. They use their own authentication instead of central SSO, store data in local SQLite files instead of managed databases, have no monitoring, no central logging, and no defined deployment process. Each app becomes a special case that must be managed manually.

Design Principles: What Production-Ready Vibe Coding Apps Must Fulfill

The good news: most vibe coding apps are technically web applications. For web applications, proven standards and design principles have existed for years in the microservices world. IT departments don’t need to invent a new rulebook – they just need to apply existing principles to this new category of applications.

Here are the key design principles every vibe coding app must meet before going into production:

1. Central Authentication via SSO

No production app may bring its own user management. Authentication must run through the company’s central identity provider – in most cases Microsoft Entra ID (formerly Azure AD). This applies to internal users as well as external access via guest accounts. This keeps user management centralized, permissions consistently managed, and ensures that all access is automatically revoked when an employee leaves. One caveat: SSO only establishes who the user is. What that user may do in the app still has to be enforced, preferably through Entra ID groups or app roles that the app checks on every request, rather than through authorization logic the AI improvised.

2. Central Logging and Monitoring

Every production app must send its logs to a central system. Whether ELK Stack, Azure Monitor, Google Cloud Logging, or another solution: without central logging, error analysis in production is impossible. This includes structured log messages in JSON format, correlation IDs for request tracing, and automatic alerts for unusual behavior. It also includes a rule about what must not be logged: secrets, session tokens, and personal data beyond what the purpose requires, because a central log store is also a central place for such data to leak.

3. Central Deployment on Managed Infrastructure

Vibe coding apps must not run on an employee’s laptop or on a private cloud account. They belong on centrally managed infrastructure – whether a shared Kubernetes cluster, Azure App Service, Azure Static Web Apps, or a comparable managed service. The choice depends on the existing setup. For Microsoft-heavy organizations, Azure Static Web Apps (for simple frontend apps) and Azure App Service (for apps with backend logic) are good fits. For organizations with existing container infrastructure, a shared Kubernetes cluster is the most scalable solution.

4. Externalized Configuration and Secrets Management

Credentials, API keys, and environment-specific configurations must never live in source code. They belong in a central secrets management system such as Azure Key Vault or HashiCorp Vault. Kubernetes Secrets are a delivery mechanism to the pod, not a vault: by default they are only base64-encoded and readable by anyone with RBAC access to the namespace, so they should be populated from the vault and etcd encryption at rest should be enabled. The application reads its configuration at runtime from environment variables or a configuration service and must fail to start, rather than fall back to a default, when a required secret is missing.
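To make the difference concrete, here is an added example (not from the original article or from innFactory) of the weak pattern an AI assistant typically produces when asked for a “quick deployment manifest”, beside the corrected version that references a Kubernetes Secret populated from Azure Key Vault by External Secrets Operator. The namespace, image, secret names, the Key Vault secret name and the `ClusterSecretStore` named `azure-keyvault` are assumptions.

```yaml
# Added example. Namespace, image, names and the Key Vault secret name are assumptions.

# WEAK: the connection string is in Git history, visible to everyone with read access
# to the repository, and cannot be rotated without a code change and a redeploy.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: calc-tool-insecure
  namespace: vibe-apps
spec:
  replicas: 1
  selector:
    matchLabels: { app: calc-tool-insecure }
  template:
    metadata:
      labels: { app: calc-tool-insecure }
    spec:
      containers:
        - name: app
          image: acr.example.internal/calc-tool:1.0.0
          env:
            - name: DATABASE_URL
              value: "postgres://calc:S3cretPassw0rd@db.internal:5432/calc"   # hardcoded credential
---
# CORRECTED, part 1: the Secret is not in Git either. External Secrets Operator pulls it
# from Azure Key Vault into a Kubernetes Secret and keeps it refreshed, so rotation
# happens in Key Vault without touching the repository.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: calc-tool-secrets
  namespace: vibe-apps
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: azure-keyvault            # store configured by the platform team (workload identity to Key Vault)
  target:
    name: calc-tool-secrets          # the Kubernetes Secret that is created and kept in sync
  data:
    - secretKey: DATABASE_URL
      remoteRef:
        key: calc-tool-database-url  # name of the secret inside Key Vault
---
# CORRECTED, part 2: the Deployment references the Secret by name only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: calc-tool
  namespace: vibe-apps
spec:
  replicas: 1
  selector:
    matchLabels: { app: calc-tool }
  template:
    metadata:
      labels: { app: calc-tool }
    spec:
      containers:
        - name: app
          image: acr.example.internal/calc-tool:1.0.0
          env:
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: calc-tool-secrets
                  key: DATABASE_URL
```

The corrected manifest can be committed, reviewed and reused across apps because it contains no secret material. Two platform-side settings complete the picture: RBAC that denies `get`/`list` on Secrets to the business unit’s namespace role (whoever can read the Secret object reads the credential), and encryption at rest for etcd, since a Kubernetes Secret is only base64-encoded.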

5. API Gateway and Security Perimeter

If vibe coding apps are to be accessible externally – for customers, partners, or mobile access – the access must go through a central API gateway or reverse proxy. There, authentication, rate limiting, DDoS protection, and TLS termination are managed centrally, instead of every individual app having to implement these security aspects on its own.

6. Automated Tests and Code Quality

Before a vibe coding app goes into production, a minimum level of testing must be in place. This includes at least basic functional tests, an automated security scan (SAST and DAST), and a dependency scan for the third-party packages the AI pulled in. AI tools can also generate the tests themselves when this is part of the prompt; those tests then need a human look, because a model that wrote the code tends to write tests that confirm what the code does rather than what it should do. The challenge is to anchor this expectation as a default requirement – not an optional bonus.

The Engineering Bridge: GitHub, GitOps, and CI/CD

The most critical point in the entire vibe coding strategy is the transition from “app on the laptop” to “production system under IT control.” This transition must be as simple and frictionless as possible so that it is also accepted and practiced by non-developers. GitHub and GitHub Actions are the ideal anchor point.

GitHub as the Central Platform

Every vibe coding app gets a repository on GitHub (or a comparable platform such as GitLab or Azure DevOps). This is the first engineering touchpoint: the code is versioned, traceable, and centrally stored. Even if a business unit employee has no Git experience, the initial push can be performed by the IT department or a partner. GitHub Desktop and the integration in editors like VS Code or Cursor make the entry low-threshold.

CI/CD with GitHub Actions

Once the code is in a repository, automated pipelines kick in. A standard pipeline for vibe coding apps should include these steps:

  1. Build: The application is automatically built and checked for syntax errors.
  2. Security Scan: Static analysis (e.g. CodeQL or Snyk Code) checks the code itself, while dependency and container scanning (e.g. Snyk Open Source, Trivy, or GitHub’s dependency review) checks the third-party packages for known vulnerabilities. GitHub secret scanning with push protection keeps hardcoded credentials out of the repository in the first place.
  3. Tests: Existing tests are executed.
  4. AI Code Review (see next section): GitHub Copilot reviews the pull request automatically against company-specific skills.
  5. Deployment to Staging: The app is automatically deployed to a staging environment where it can be tested.
  6. Manual Gate: Before deployment to production, manual approval by the IT department or a designated reviewer is required.
  7. Deployment to Production: After approval, the app is automatically deployed to the production environment.

Figure: CI/CD pipeline for vibe coding apps with build, security scan, AI review, staging, and manual approval gate before production deployment.

This pipeline approach is the key to scaling. It automates the recurring checks and reduces the IT department’s manual effort to review and approval. At the same time, it ensures that no app goes into production without security review and quality control.
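As an added example (not from the original article and not innFactory’s template), the following GitHub Actions workflow implements the seven steps above for a Node-based vibe coding app deployed to Azure App Service. The app name `calc-tool`, the `staging` slot and the `AZURE_*` secret names are assumptions. Two steps are deliberately not in the YAML because GitHub implements them as settings: the AI review (step 4) is switched on as “automatic Copilot code review” in a repository ruleset, and the manual gate (step 6) is a “Required reviewers” protection rule on the `production` environment, which the `environment:` key below binds the job to.

```yaml
# .github/workflows/vibe-app.yml  (added example; app name, slot and secret names are assumptions)
name: vibe-app-pipeline

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Least privilege for the workflow token; jobs widen only what they need.
permissions:
  contents: read

jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci          # reproducible install from the lockfile, not "npm install"
      - run: npm run build   # step 1: build, fails on syntax/type errors
      - run: npm test        # step 3: run the tests that exist

  sast:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # CodeQL uploads SARIF results to code scanning
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
      - uses: github/codeql-action/analyze@v3   # step 2a: static analysis

  dependency-review:
    # step 2b: block pull requests that introduce packages with known vulnerabilities
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high

  deploy-staging:
    # step 5: only code merged to main reaches staging, and only after the gates passed
    if: github.event_name == 'push'
    needs: [build-and-test, sast]
    runs-on: ubuntu-latest
    environment: staging
    permissions:
      contents: read
      id-token: write   # OIDC federated login to Azure: no long-lived client secret stored in GitHub
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - uses: azure/webapps-deploy@v3
        with:
          app-name: calc-tool
          slot-name: staging
          package: .

  deploy-production:
    # steps 6 and 7: the "production" environment carries a Required-reviewers protection rule
    # (repository Settings > Environments), so this job waits for manual approval before it runs.
    needs: deploy-staging
    runs-on: ubuntu-latest
    environment: production
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - uses: azure/webapps-deploy@v3
        with:
          app-name: calc-tool
          package: .
```

Placed in the template repository, this file is inherited by every new vibe coding repo without the business unit editing it. The two `deploy-*` jobs use OpenID Connect federation to Entra ID, so the workflow holds no Azure credential that could leak through a forked pull request; the three `AZURE_*` values are identifiers, not secrets, and are stored as GitHub secrets only to keep them out of the YAML.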

GitHub Copilot as an AI Reviewer with Company-Specific Skills

The logical next step: where code is created with AI, part of the review should also be done by AI – with a clear mission and clear guardrails. GitHub Copilot Code Review, in public preview since late 2024 and generally available since 2025, reviews pull requests automatically, posts improvement suggestions as inline comments, and can be steered towards company-specific standards via custom instructions and Copilot Skills. It is not trained on those standards; it reads them as instructions on every review, which is exactly what makes them easy to change.

This matters for a vibe coding strategy for three reasons:

1. Scaling reviews without a human bottleneck

When ten business units build apps in parallel, a small IT department cannot manually review every pull request. Copilot handles the first pass: it detects missing input validation, hardcoded secrets, poor error handling, missing logging calls, insecure dependencies, and inadequate tests. The human reviewer then spends their time on what the AI flagged as uncertain and on the questions an AI review does not settle: whether the data flow is acceptable, whether the access model is right, whether the app should exist in this form at all.

2. Custom Instructions as a code constitution

A .github/copilot-instructions.md is placed in every repository. It describes the company-specific requirements that Copilot must consider on every review. Examples:

  • “Authentication must always go through Entra ID. Local user tables are forbidden.”
  • “Logs are only sent in structured form (JSON) to our central log endpoint. console.log without a wrapper is not allowed.”
  • “Secrets are loaded via Azure Key Vault, never from .env files in the repo.”
  • “Every new route must have an OpenAPI specification and at least one integration test.”

This file is defined once by the IT department and ships with the template repository from which every new vibe coding repo is created. Note that a template is copied at creation time, not linked: when the constitution changes, the update has to be rolled out to existing repos, typically as a scripted pull request across the organization. This gives business units an AI-supported code constitution without having to think about architectural principles themselves.

3. Copilot Skills as modular review logic

With Copilot Skills, specialized review steps can be assembled modularly – for example, a security skill that specifically checks for OWASP Top 10 issues, a compliance skill for GDPR-relevant data flows, an architecture skill that checks adherence to the internal reference architecture, and a test coverage skill. Each skill can be activated per repository, depending on the maturity level and risk class of the app.

Figure: GitHub Copilot as an AI reviewer in the pull request workflow with security, quality, test, and compliance skills, complemented by final human approval.

Important: Copilot does not replace a human reviewer for security-critical or customer-facing apps. For the maturity level “external production”, the four-eyes principle by an experienced engineer remains mandatory. Nor does it replace the deterministic gates in the pipeline: an LLM review is probabilistic and can be influenced by the content it reads, including comments in the very pull request it is reviewing, so SAST, dependency and secret scanning stay hard, blocking checks rather than being delegated to Copilot. What Copilot does is handle the legwork, raise the baseline quality of every pull request, and ensure that the human reviewer is confronted with significantly fewer trivial findings.

GitOps as an Operating Model

For organizations relying on Kubernetes, GitOps offers the next maturity level. The desired state of infrastructure and applications is described declaratively in Git. Tools like Argo CD or Flux automatically synchronize the actual state of the cluster with the state in the repository. Configuration changes are made exclusively through pull requests that are reviewed and approved. This creates a complete audit trail and a consistent, reproducible deployment process. A useful side effect: the CI pipeline never needs cluster credentials, because the controller inside the cluster pulls from Git; the pipeline only needs permission to update the configuration repository.
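An added example of what that operating model looks like as a manifest (not from the original article): an Argo CD Application that makes the configuration repository the only write path into the cluster. The repository URL, path, Argo CD project name and namespace are assumptions.

```yaml
# Added example. Repository URL, path, project and namespace are assumptions.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: calc-tool
  namespace: argocd
spec:
  project: vibe-apps                 # Argo CD project limiting which repos and namespaces this app may touch
  source:
    repoURL: https://github.com/example-org/vibe-apps-config.git
    targetRevision: main             # only what was merged to main through a reviewed PR is deployed
    path: apps/calc-tool/production  # the app's manifests, e.g. the Deployment and ExternalSecret
  destination:
    server: https://kubernetes.default.svc
    namespace: vibe-apps
  syncPolicy:
    automated:
      prune: true                    # resources removed from Git are removed from the cluster
      selfHeal: true                 # manual kubectl changes are reverted to the state in Git
    syncOptions:
      - CreateNamespace=true
```

With `selfHeal` enabled, an out-of-band `kubectl edit` by a business unit is not an incident to investigate later but a drift that is reverted within the sync interval, and the Git history shows what was actually running at any point in time. Human write access to the cluster can then be restricted to break-glass accounts, since nobody needs it for routine changes.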

Enabling Business Units

A central success factor is enabling the vibe coders in business units. This doesn’t mean controllers have to become software developers. But they need a basic understanding of:

  • How code gets into a repository (Git basics, GitHub Desktop).
  • Why configuration and secrets don’t belong in the code.
  • What information the AI needs to produce secure and maintainable code (structured prompts, defining security standards).
  • How the review and approval process works.

This enablement is an investment that pays off quickly: the better the business unit understands the basic principles, the less rework the IT department has to do.

Governance and Organizational Model: The Enterprise-Wide App Catalog

Operational implementation requires clear structures. We recommend our customers establish a central app catalog that serves as the organizational and technical backbone for all vibe coding apps.

The Idea of the App Catalog

The app catalog is a central registry of all vibe coding apps developed within the company. For each app, the following are defined:

  • Purpose and business area
  • Owner from the business unit
  • Technical contact in IT or with the external partner
  • Maturity level (prototype, internally tested, internal production, external production)
  • Data classification (no personal data, internal data, customer data)
  • Access model (internal only, external with login, public)

Maturity Model

Not every vibe coding app must meet the same standards. A maturity model helps with prioritization.

Figure: Four-stage maturity model for vibe coding apps: prototype, internally tested, internal production, external production.

Maturity level, description, and requirements:

  • Prototype: local use by the creator, no production use. Requirements: none beyond documenting the purpose.
  • Internally Tested: available to a limited test group within the company. Requirements: repository on GitHub, basic security scan, hosting on managed infrastructure.
  • Internal Production: used by employees in regular operations. Requirements: SSO authentication, central logging, CI/CD pipeline, code review, automated tests.
  • External Production: access for customers, partners, or the public. Requirements: all internal requirements plus penetration test, data protection review, API gateway, SLA definition, professional code review with security focus.

Roles and Responsibilities

The IT department takes on the role of platform operator and quality guarantor in this model. It provides infrastructure (Kubernetes, App Service, CI/CD pipelines), defines standards and guardrails, performs or commissions code reviews for higher maturity levels, manages the app catalog, and operates monitoring.

The business unit remains the functional owner of the app. It defines requirements, creates the initial code with AI support, and is responsible for functional tests and acceptance.

An external partner like innFactory can close the technical gap: performing code review and quality assurance, setting up and managing the cloud infrastructure, defining and maintaining the CI/CD pipelines, training business units in vibe coding best practices, and accompanying the transition from prototype to production app.

Avoiding Shadow AI: CompanyGPT as a Central AI Platform

One aspect often overlooked in the vibe coding discussion: many vibe coding activities today take place via private AI accounts. Employees use ChatGPT, Claude, or other tools with their personal accounts, enter company data into the prompts, and produce code on uncontrolled systems. We have described this phenomenon in detail under the term Bring Your Own AI – see our article BYOAI: Challenges for Mid-Sized Companies.

The solution to this problem is providing a central, GDPR-compliant AI platform. With CompanyGPT, we offer exactly that platform: an enterprise fork of LibreChat that makes all relevant AI models (Claude via AWS Bedrock, GPT via Azure OpenAI, Gemini via Vertex AI) available through a unified interface – running entirely within the company’s own cloud tenant. For a deeper look at model and data protection aspects, see our article CompanyGPT: Using Your Own AI Models in a Data-Protection-Compliant Way.

For the vibe coding strategy, CompanyGPT is relevant for several reasons:

  • Controlled AI access: All employees use the same platform with central authentication via Entra ID. There are no private accounts and no uncontrolled data flows.
  • Audit trail: All AI interactions are traceable. This is particularly relevant when AI-generated code is moved into production systems.
  • Prompt libraries and templates: Companies can provide standard prompts that already contain security requirements, coding standards, and architectural guidelines. This raises the quality of AI-generated code from the start.
  • Data integration via CompanyRAG: Internal documentation, guidelines, and technical standards can be connected as a knowledge source so that the AI automatically considers the company’s own specifications during vibe coding.

For more on CompanyGPT and the difference between model APIs and the app experience, see our article Claude vs. ChatGPT: Why Cloud Models Are Not the Apps.

Decision Matrix for IT Leaders

Situation and recommended action:

  • Business unit has built a tool with AI and wants to use it internally. Action: add to the app catalog, create a GitHub repository, run a security scan, host on managed infrastructure, integrate SSO.
  • Tool is to be made accessible to customers or partners. Action: additionally, professional code review, penetration test, data protection review, API gateway, SLA definition.
  • IT department has no web development know-how. Action: engage an external partner for infrastructure setup, CI/CD pipeline, code review, and training of business units.
  • Employees use private AI tools for code generation. Action: provide a central AI platform (e.g. CompanyGPT), communicate clear policies, ensure an audit trail.
  • Multiple business units create apps without coordination. Action: establish a governance model with app catalog, define maturity levels, position IT as the central platform operator.
  • Fast deployment for testing required, standards not yet defined. Action: provide a staging environment on managed infrastructure, define standards in parallel, no production rollout without minimum guardrails.
  • IT department worries about too many pull requests from business units. Action: activate GitHub Copilot Code Review with custom instructions so trivial findings are detected automatically and the human reviewer is freed up.
  • Apps constantly deviate from architectural guidelines. Action: place the guidelines in .github/copilot-instructions.md as a binding code constitution and roll it out to all repos via the template repository.

Checklist: The First 12 Steps to a Vibe Coding Strategy

  1. Inventory: Which vibe coding apps already exist in the company? Where are they hosted? What data do they process?
  2. Centralize the AI platform: Provide a GDPR-compliant AI platform like CompanyGPT so employees no longer have to use private accounts.
  3. Set up a GitHub organization: Create a central GitHub organization where all vibe coding repositories are managed.
  4. Define a template repository: Provide a template repo with a standard CI/CD pipeline, .github/copilot-instructions.md, example tests, and a standard README.
  5. Define a standard CI/CD pipeline: Create a template pipeline with build, security scan, test, AI review, and deployment stages that is automatically available for new repositories.
  6. Activate GitHub Copilot Code Review: Integrate Copilot as an automatic reviewer for every pull request and equip it with company-specific custom instructions.
  7. Set up hosting infrastructure: Provide a managed hosting service (Azure App Service, Static Web Apps, or Kubernetes) that serves as the target environment for all vibe coding apps.
  8. Make SSO integration the default: Provide a template for Entra ID integration that is included in the standard prompt for vibe coders.
  9. Create the app catalog: Establish a central registry of all apps with owner, maturity level, and data classification.
  10. Communicate the maturity model: Define clear criteria for which requirements apply to which maturity level, and communicate them within the company.
  11. Launch a training program: Train business units in vibe coding best practices, Git basics, and the company’s own standards.
  12. Establish a review process: Define a clear process for moving apps from prototype to production – including AI review by Copilot, human code review, and final approval.

Conclusion

Vibe coding is not a fad but a fundamental shift in how software is created in companies. The ACM Technology Policy Council warns that AI-supported vibe coding lacks central safeguards. Forbes puts it even more directly: the real risk is not in the technology itself, but in whether a company has the judgment to govern what AI can now build.

The right answer is neither a ban nor uncontrolled permissiveness. IT departments must take on the role of platform operator and quality guarantor – providing infrastructure and standards that make the transition from vibe coding app to production system as frictionless as possible, and enabling business units to work independently within clear guardrails.

The parallel to microservices architectures is no coincidence: the same design principles that apply to production-grade distributed systems – central logging, SSO, containerization, externalized configuration, API gateways – also apply to vibe coding apps. The difference lies in the audience: instead of experienced developers, these standards must be made accessible and applicable for business units without an engineering background.

Those who establish a thoughtful vibe coding strategy now win twice: the innovative power of business units is preserved, and IT retains control over security, compliance, and operations. Those who don’t risk a new generation of shadow IT that is significantly more dangerous than Excel files ever were.

Are you facing exactly this challenge? Talk to us about building your vibe coding strategy, the right cloud architecture, and introducing CompanyGPT as your central AI platform.

FAQ

What is Vibe Coding?

Vibe Coding is a term coined by AI researcher Andrej Karpathy for the creation of software using AI tools such as ChatGPT, Claude, or GitHub Copilot. Instead of writing code themselves, the user describes in natural language what the application should do, and the AI generates the corresponding code. This enables even people without programming knowledge to create functional applications.

Why is Vibe Coding a problem for IT departments?

Vibe coding apps typically emerge outside of IT control: without central authentication, without logging, without security review, and without managed hosting. When such apps process company data or are externally accessible, security risks, data protection issues, and a new form of shadow IT arise.

Should vibe coding be banned?

No. A ban would be counterproductive and would block the innovative power of business units. The right strategy is channeling: define clear standards, provide infrastructure, and establish a review process that governs the transition from prototype to production system.

Which cloud services are suitable for hosting vibe coding apps?

For Microsoft-centric organizations, Azure Static Web Apps (for pure frontend apps) and Azure App Service (for apps with backend logic) are good options. Both services support SSO via Entra ID and integrate easily into CI/CD pipelines. For organizations with container experience, a managed Kubernetes cluster (AKS, GKE, EKS) is the most flexible solution.

What does CompanyGPT have to do with Vibe Coding?

CompanyGPT solves the shadow AI problem: when employees use private AI accounts for vibe coding, company data flows uncontrolled into external systems. CompanyGPT provides a central, GDPR-compliant AI platform that runs in the company’s own cloud tenant. Additionally, prompt libraries and connected knowledge bases (CompanyRAG) can automatically inject coding standards and security policies into AI-generated code.

How much effort does building a vibe coding strategy require?

The initial effort depends on the existing infrastructure. For an organization with an existing Microsoft/Azure setup and Entra ID, the technical foundation (hosting, CI/CD, SSO templates) can be implemented in a few weeks. The organizational framework (app catalog, maturity levels, training) grows in parallel. We recommend a step-by-step approach: start with a pilot application, validate the process, and then roll out to additional apps.

Do I need web development know-how in my IT department?

Not necessarily. Many organizations, especially in the Mittelstand, do not have in-house web developers. An external partner can set up and manage the technical infrastructure, perform code reviews, maintain the CI/CD pipelines, and train business units. The IT department focuses on governance and integration with existing infrastructure.

What role does GitHub Copilot play in a vibe coding strategy?

GitHub Copilot serves two roles: first, as a coding assistant for the vibe coders themselves; second, as an automated code reviewer in the pull request process. Via .github/copilot-instructions.md and Copilot Skills, company-specific standards (mandatory SSO, log format, secrets handling, test coverage) can be defined so that Copilot automatically checks every pull request against them. This scales code review massively and frees the IT department from trivial findings.

What is the difference between Vibe Coding and Citizen Development?

Citizen Development refers to applications built by business users with low-code/no-code platforms like Microsoft Power Apps. Vibe Coding goes one step further: instead of visual editors, natural language is used, and the result is real source code (HTML, JavaScript, Python, …) instead of platform-bound configuration. This makes vibe coding apps significantly more flexible, but also more demanding in terms of operations and governance.

How do I prevent vibe coders from putting company data into private AI tools?

Three building blocks: (1) Provide a central, GDPR-compliant AI platform like CompanyGPT that bundles all relevant models and is secured via Entra ID. (2) Clear policy and training: private AI tools are forbidden for company data. (3) Technical controls: DLP rules and network monitoring on typical endpoints (api.openai.com, claude.ai, etc.). Experience shows that point 1 is the most effective lever – when the internal tool works well, the appeal of using private accounts drops almost completely.

Written by Tobias Jonas, Co-CEO, M.Sc.

Tobias Jonas, M.Sc., is co-founder and Co-CEO of innFactory AI Consulting GmbH. He is a leading innovator in the fields of artificial intelligence and cloud computing. As co-founder of innFactory GmbH he has successfully led hundreds of AI and cloud projects and established the company as an important player in the German IT sector. Tobias always has his finger on the pulse: he recognized the potential of AI agents early and organized one of the first meetups on the subject in Germany. He also drew attention to the MCP protocol within the first month of its release and informed his followers about the Agentic AI Foundation on the day it was founded. Alongside his executive roles, Tobias Jonas is active in several professional and business associations, including the KI Bundesverband and the digital committee of the IHK München und Oberbayern, and leads hands-on AI and cloud projects at the Technische Hochschule Rosenheim. As a keynote speaker he shares his expertise on AI and explains complex technological concepts in an accessible way.
