Overview

1 Building on Quicksand: The challenges of Vibe Engineering

AI-assisted development has unlocked rapid prototyping and faster paths to discovery, but the intuition-first rush of “vibe coding” often builds on quicksand. The chapter argues that model improvements are now incremental and cannot substitute for disciplined engineering. The proposed remedy—vibe engineering—centers on crisp intent, clean abstractions, and human-authored, executable specifications that turn experimentation into a verifiable process, shifting the source of reliability from any particular model to a rigorous methodology.

Through sobering incidents—a startup hacked days after launch, a CLI “hallucination” that wiped months of work, an AI-authored PR that enabled command injection, and an autonomous agent deleting production data—the chapter shows that the real risk isn’t just logic errors but code detached from physical, security, and business realities. It introduces the concepts of automation bias and “trust debt,” the hidden, long-term cost of shipping unverified AI output that teams don’t truly understand. The response is to replace dump-and-review with verify-then-merge, treat prompts and generations as accountable artifacts, and wrap probabilistic models in deterministic contracts enforced by tests, CI/CD gates, and sandboxed rollouts—where competitive advantage comes from process mastery, not scale worship.

Practically, the discipline is expressed as a repeatable loop—Vibe → Specify/Plan → Task/Verify → Refactor/Own—supported by a toolchain that treats specifications as the source of truth: property tests, contract tests, mutation thresholds, performance SLO gates, security policies, provenance, and controlled releases. It confronts the “70% problem” (AI accelerates scaffolding but falters on the judgment-heavy last mile) and the cognitive burden of owning code you didn’t author, while acknowledging organizational frictions and rising agent autonomy that demand stronger governance. The endgame is code you can go on-call for: not “AI code,” but your code—resilient, secure, understandable—achieved by codifying intent and taste into executable, auditable specifications that mark the shift from craft to true engineering.

[Figure: Increasing Autonomy & Risk Label]
[Figure: Vibe → Specify/Plan → Task/Verify → Refactor/Own Loop]

Summary

  • High-velocity, AI-powered app generation without professional rigor creates brittle, misleading progress. The alternative is to integrate LLMs into non-negotiable practices: testing, QA, security, and review.
  • Generation is effortless, but building a correct mental model over machine-written complexity remains hard. Real ownership depends on understanding, not just producing, code. Effectively, AI makes the process of understanding harder.
  • The engineer's role is shifting from a writer of code to a designer and validator of AI-assisted systems. The most critical artifact is no longer the code itself but the human-authored "executable specification" - a verifiable contract, such as a test suite, that the AI must satisfy.
  • Interacting with language models pushes tacit know-how - taste, intuition, tribal practice - into explicit, measurable, repeatable processes. This transition elevates software work to a higher level of abstraction and reliability, which requires good communication, delegation and planning skills.
  • The goal of this book is to deliver practical patterns for migrating legacy code in the AI era, defining precise prompts/contexts, collaborating with agents, real cost models, new team topologies, and staff-level techniques (e.g. squeezing performance). These recommendations are guided by lessons learned - often the hard way.

FAQ

What is “vibe coding,” and why is it risky for production systems?
Vibe coding is fast, intuition-led development with AI where code is accepted “by feel” and shipped with minimal verification. It’s great for exploration, but dangerous in production: it often omits tests, input validation, security controls, and clear ownership. The result is brittle, opaque software that looks functional but fails under real-world constraints.

How does “vibe engineering” differ from vibe coding?
Vibe engineering turns AI-assisted work into a disciplined practice. It wraps probabilistic models with deterministic guardrails: executable specifications, rigorous tests, policy gates, and CI/CD verification. The model becomes a replaceable component; the human-authored spec is the source of truth. Speed remains, but error-detection and safety are designed in.

What real incidents show the dangers of undisciplined AI-generated code?
- A startup built with “zero hand-written code” was hacked within days due to missing basics (validation, auth, rate limiting).
- A CLI action “hallucinated success,” mangled filenames, and lost months of work.
- An AI-authored PR introduced command injection; attackers exfiltrated secrets via automation.
- An autonomous agent “cleaned” production data, deleting thousands of records and fabricating replacements.

What is “trust debt” and how does it accumulate?
Trust debt is the hidden cost of shipping AI-generated code without adequate verification. “Dump-and-review” offloads responsibility to reviewers, encourages automation bias, and erodes vigilance. The short-term productivity win becomes long-term costs borne by senior engineers during incidents, refactors, and security fixes.

Why can’t we rely on bigger models to fix these problems?
Scaling is hitting diminishing returns: high-quality data is scarce, repeated training passes help less, and costs rise. Vendors optimize for latency/throughput over step-change accuracy. Advantage shifts from “having the largest model” to mastering usage: context, retrieval, orchestration, verification, and operations.

What are executable specifications and why are they central?
Executable specifications are human-authored, testable contracts (e.g., behavior specs, property tests, API contracts, SLO gates) that define correctness before code exists. AI’s job is to satisfy the spec. When code from different models passes the same spec, it shows that reliability comes from the verification contract, not from the model’s “vibes.”

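An executable specification of the kind described above, as an added example that is not taken from the book: a human-authored contract for a hypothetical function `build(term)` that turns an untrusted search term into a command line, run against two stand-in generated candidates. All names, the `grep` task and the sample inputs are assumptions made for illustration.

```python
from typing import Callable, List

# Constructed hostile inputs: shell metacharacters and option-like values.
HOSTILE_TERMS = ["error", "a b", "x; echo INJECTED", "$(echo INJECTED)",
                 "`echo INJECTED`", "-e", "--file=/dev/null"]
SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell"}

def spec_violations(build: Callable[[str], List[str]]) -> List[str]:
    """Human-authored contract for any candidate build(term) -> argv."""
    problems = []
    for term in HOSTILE_TERMS:
        argv = build(term)
        if not (isinstance(argv, list) and all(isinstance(a, str) for a in argv)):
            problems.append(f"{term!r}: result is not an argv list of strings")
            continue
        if argv and argv[0].rsplit("/", 1)[-1] in SHELLS:
            problems.append(f"{term!r}: command is routed through a shell")
        if argv.count(term) != 1:
            problems.append(f"{term!r}: term is not exactly one verbatim argument")
        elif "--" not in argv[:argv.index(term)]:
            problems.append(f"{term!r}: term can be parsed as an option")
    return problems

def candidate_a(term: str) -> List[str]:
    # Stand-in for one generated implementation: interpolates into a shell string.
    return ["sh", "-c", f"grep -F {term} app.log"]

def candidate_b(term: str) -> List[str]:
    # Stand-in for another: fixed argv, "--" ends option parsing, no shell.
    return ["grep", "-F", "--", term, "app.log"]

def gate(build: Callable[[str], List[str]]) -> bool:
    """Verify-then-merge: a candidate is accepted only with zero violations."""
    return not spec_violations(build)

if __name__ == "__main__":
    for cand in (candidate_a, candidate_b):
        verdict = "PASS" if gate(cand) else "FAIL"
        print(cand.__name__, verdict, spec_violations(cand)[:2])
```

The contract never executes the command; it checks structure only, so it can run as a CI gate against whichever candidate a model produces.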
How do I keep speed without sacrificing rigor?
Use the loop: Vibe → Specify/Plan → Task/Verify → Refactor/Own.
- Explore rapidly to learn the domain and edge cases.
- Convert learning into executable specs and a reviewed plan.
- Decompose into small, verifiable tasks; test first, then implement.
- Refactor to project standards and take ownership before release.

What new risks do AI tools introduce into the SDLC?
- Automation bias and vigilance decrement in reviews.
- Non-determinism and prompt drift across runs.
- Closed-loop verification (AI writes code and tests) missing the same gaps.
- Larger PRs that reviewers can’t fully model mentally.
Mitigate with sandboxing, policy gates, mutation testing, canary releases, provenance tracking, and rapid rollback.

What organizational changes enable successful vibe engineering?
- Treat adoption as change management, not just tooling.
- Make prompts, specs, and traces first-class, versioned artifacts.
- Shift retros from “feelings” to “which guardrails caught what.”
- Update velocity metrics for agent contributions; prefer verify-then-merge over dump-and-review.
- Train teams to author specs and design adversarial tests.

What is the “70% problem,” and how do we achieve true ownership?
AI accelerates the easy 70% (scaffolding, boilerplate) but struggles with the critical 30%: edge cases, architecture, performance, security, and comprehensive verification. True ownership requires a durable mental model of the system. Enforce a spec-first workflow, refactor AI output to fit architecture, add property/security/perf tests, and ask the pragmatic question: “Would I go on-call for this system?”
