Originally published at kunalganglani.com — read it there for inline code, hero image, and live links.
The 30-Second Version
Vibe coding — using natural language to prompt AI into writing your code — went from novelty to industry standard in under 18 months. But the technique's own creator now says it's outgrown its usefulness. The practices that actually work long-term look nothing like "just prompt and ship." They involve context priming, iterative scaffolding, aggressive review, and knowing exactly when to stop vibing and start engineering. Here's what separates sustainable AI-assisted development from a tech debt time bomb.
Vibe coding is the practice of building software by describing what you want in natural language and letting an AI generate the code — often without deeply reviewing the output. Andrej Karpathy coined the term in February 2025, describing it as "fully giving in to the vibes" and forgetting the code even exists. By year's end, Collins Dictionary named it their Word of the Year. Today, 85% of professional developers use AI coding tools at least weekly, according to a JetBrains survey of over 24,000 developers across 194 countries. About 41% of all code being written is now AI-generated.
Here's the thing nobody's saying about vibe coding best practices: the person who invented the term already thinks it's obsolete. In February 2026, Karpathy published an essay declaring vibe coding "passé" and introducing a successor concept he calls "agentic engineering." That tension — between the viral popularity of vibe coding techniques and the growing evidence that undisciplined AI-assisted development creates catastrophic tech debt — is exactly where this post lives.
I've shipped AI-assisted features across multiple production systems over the past two years. Some of those workflows saved weeks of effort. Others created messes that took longer to clean up than building from scratch would have. The difference wasn't the AI tool. It was the technique.
What Is Vibe Coding and Why Did It Explode?
Vibe coding came from a simple observation: modern large language models are good enough at code generation that you can describe features in plain English and get working implementations. Instead of writing code line-by-line, you have a conversation with an AI, iterating through prompts until the output works.
A Microsoft Research study by Advait Sarkar and Ian Drosos found that vibe coding follows "iterative goal satisfaction cycles" — developers alternate between prompting, scanning generated code, testing the application, and making manual edits. Their key finding: effective prompts aren't purely natural language. They blend vague, high-level directives with detailed technical specifications. That hybrid approach is what separates productive vibe coding from the "just ask it to build an app" fantasy that keeps going viral on Twitter.
The adoption numbers are wild. GitHub Copilot alone accounts for an average of 46% of code written across programming languages, rising to 61% in Java. Jared Friedman, Managing Partner at Y Combinator, reported that 25% of startups in YC's Winter 2025 batch had codebases that were 95% or more AI-generated. Garry Tan amplified this stat widely.
But here's what happened: adoption speed outpaced discipline. Teams got hooked on the velocity without building the guardrails. I've watched this play out in real time across multiple organizations, and the pattern is always the same — fast start, messy middle, painful reckoning.
The Vibe Coding Best Practices That Actually Work
After working with AI coding tools daily for well over a year, and watching teams across multiple organizations adopt them, I've narrowed the actually-sustainable vibe coding best practices down to seven. These aren't the ones that sound impressive in tutorials. They're the ones that still hold up after you've shipped to production and you're maintaining the code six months later.
1. Context Priming Before Every Session
This is the single highest-leverage technique in vibe coding, and most beginners skip it entirely. Context priming means feeding the AI relevant code files, architecture documents, or examples before asking it to generate anything new.
According to Vibe Code Wiki's analysis, context priming produces 2-5x faster feature development for standard CRUD operations and a 40-60% reduction in boilerplate code. The reason is straightforward: without context, the AI is guessing at your patterns, your naming conventions, your data structures. With context, it's extending an existing system.
In practice, this means using a CLAUDE.md file (for Claude Code) or an equivalent configuration file that loads at session start. Anthropic's official documentation details seven methods for steering Claude Code's behavior — CLAUDE.md files, rules, skills, subagents, hooks, output styles, and system prompt modifications. The CLAUDE.md at your project root loads at session start and stays in context for the entire session.
As Vinit Mehta of Nanonets puts it: "Every Claude Code or Cursor session starts with the agent having seen nothing about your project before." If you're not priming context, you're starting every conversation from zero. That's not a workflow. That's amnesia.
I keep a living CLAUDE.md in every serious project now. It includes the tech stack, key architectural decisions, naming conventions, and — critically — a list of things not to do. That "don't" list? It saves more rework than the "do" list. By a lot. After building out three production services with Claude Code, my CLAUDE.md files have gotten longer, not shorter. Every painful debugging session teaches me a new constraint worth documenting.
2. Iterative Scaffolding (Not One-Shot Generation)
The viral demos that rack up 30K views show someone typing one long prompt and getting a complete app. Great for demos. Terrible for anything you'll maintain.
Sustainable vibe coding uses iterative scaffolding: build the skeleton first, validate it, then flesh out features one at a time. Each step is small enough to review meaningfully. This lines up with what the Microsoft Research team found — effective practitioners don't send one massive prompt. They work in cycles, validating at each step.
Here's my usual progression for a new feature:
- Describe the data model and have the AI scaffold it — review and commit
- Ask for the API layer with explicit error handling requirements — review and commit
- Request the UI components with specific interaction patterns — review and commit
- Have the AI write tests for the feature — review and commit
- Ask for edge case handling, referencing the tests — review and commit
Each step produces a reviewable, revertable unit of work. If step 4 reveals that step 2 has a fundamental flaw, you've lost hours, not days.
I learned this the hard way. Early on, I tried generating an entire API service in one shot. The AI produced something that looked impressive. It also had three competing patterns for error handling, two different approaches to database connections, and a middleware chain that contradicted itself. Took me longer to untangle it than to rebuild. Now I never skip the scaffold-validate-extend loop. It connects directly to the context engineering discipline emerging around AI agents more broadly — the quality of your output is determined by the quality of your input context.
3. Aggressive Diff Review at Every Commit
This is one of those things where the boring answer is actually the right one. Review every diff before committing. Not a quick glance — an actual review.
Ankur Tyagi at freeCodeCamp identifies four risk categories in vibe-coded output you need to actively scan for:
- Context gaps: The AI doesn't know what it doesn't know about your system
- Integration blind spots: Generated code works in isolation but conflicts with existing modules
- Security by omission: The AI rarely adds security measures you don't explicitly request
- Thin testing evidence: Generated tests often test the happy path exclusively
Integration blind spots are the most expensive. I've seen this repeatedly. The AI will happily generate a perfect module that uses a completely different state management approach than the rest of your application. It looks clean. It works in isolation. And three weeks later when nothing integrates cleanly, you realize you've been building two different apps.
4. Explicit Security Constraints in Every Prompt
If you're building anything going to production, this is non-negotiable. And the data backing this up is frankly alarming — connecting directly to the broader AI security conversation.
The Cloud Security Alliance's AI Safety Initiative published a devastating report in April 2026: AI-assisted developers produce commits at 3-4x the rate of their peers, but introduce security findings at 10x the rate. Veracode tested over 100 LLMs and found that 45% of AI-generated code introduces OWASP Top 10 vulnerabilities — and that rate hasn't improved across multiple testing cycles.
Georgia Tech's Vibe Security Radar project tracked 35 CVEs in a single month (March 2026) directly attributable to AI coding tools, up from 6 in January 2026. Researchers estimate the true count across open-source is 5-10x higher.
And then there's this: about 20% of AI-generated code references packages that don't exist. Attackers exploit this through "slopsquatting" — registering the hallucinated package names as malicious packages and waiting for developers to install them. I find this genuinely terrifying.
The fix is structural, not aspirational. Include security requirements directly in your prompts: "Use parameterized queries. Validate all input. Do not use eval(). Follow OWASP Top 10 guidelines." Make these part of your CLAUDE.md or equivalent config so they're always in context. Don't rely on yourself to remember — you won't at 11 PM on a Thursday. If you're building production AI systems, understanding prompt injection risks is table stakes.
5. Checkpoint Commits With Meaningful Messages
Version control isn't optional when vibe coding. It's your primary safety net.
I've watched teams lose entire days of work because they vibed their way through fifteen changes without committing, then hit a dead end and couldn't roll back cleanly. The commit frequency for vibe coding should be higher than traditional development, not lower, because the probability of any individual change introducing a subtle regression is higher.
Commit after every successful iteration. Use commit messages that describe what the AI generated and what you modified. "AI-generated user auth module, manually fixed JWT expiration handling" is infinitely more useful than "wip" when you're debugging a production issue at 2 AM. I've been that person at 2 AM. Trust me on this.
6. Write Tests Before Generating Implementation
This sounds counterintuitive — if the AI is generating code, why write tests first? Because tests are your specification language. When you write tests first (or have the AI generate tests from your spec), you create an objective validation layer that doesn't depend on eyeballing generated code.
I've shipped enough features to know that AI-generated tests are often dangerously circular: the test passes because it tests exactly what the AI intended, not what you intended. Having the specification drive the tests, and the tests validate the implementation, breaks that circularity.
This is also where the gap between vibe coding and what Karpathy calls agentic AI becomes practical. Modern AI coding agents can run tests, read the results, and self-correct. But they can only do that if the tests actually test the right things. Garbage tests in, garbage validation out.
7. Know When to Stop Vibing
This is the hardest skill. Full stop. It's what separates developers who use AI tools productively from those who create tech debt disasters.
There's a point in every vibe coding session where the AI starts going in circles — regenerating similar solutions, making changes that break previous fixes, producing increasingly complex code for what should be simple problems. When you hit that point, stop. Switch to manual coding. The AI has exhausted its ability to help with this specific problem, and pushing further just makes the mess bigger.
In my experience building production AI systems, this inflection point usually arrives when the problem involves deep integration with existing code the AI doesn't fully understand, performance optimization that requires profiling, or complex state management across multiple components. I'd estimate I switch to manual coding about 30% of the time now. That number hasn't decreased as the tools have gotten better — the problems I bring to AI have just gotten harder. Recognizing this moment is itself a skill worth developing.
The Vibe Coding Traps That Create Tech Debt
Not everything that goes viral as a "vibe coding secret" is actually sustainable. Three patterns I see constantly create more problems than they solve.
Trap 1: The One-Shot App Generation Fantasy
The most viral vibe coding content shows someone generating an entire application from a single prompt. This works for demos and disposable prototypes. It fails for anything you'll maintain.
The Kyros Engineering Team documented what they call the "Technical Debt Flywheel" that emerges from this pattern. It progresses through five stages: velocity spike → consistency erosion (code duplication increases up to 4x) → review fatigue (coverage drops below 50%) → incident acceleration → velocity collapse. Every team I've seen hit stages 4 and 5 started with the one-shot approach and never developed the discipline to shift out of it. Stage 5 is ugly. I've watched a team go from "we're shipping 3x faster" to "we can't deploy without breaking something" in about four months.
Trap 2: Ignoring Architecture for Speed
Vibe coding optimizes for feature delivery speed. Architecture is about long-term system health. These are in direct tension, and the AI will almost always choose speed unless you explicitly constrain it.
I've reviewed codebases where vibe coding produced three different authentication implementations in the same project because each feature was prompted independently without architectural guidance. Three. The AI didn't know — or care — that authentication was already handled elsewhere. Without context engineering, every prompt exists in isolation, and you end up with a codebase that looks like three different developers built it without talking to each other.
The fix: maintain an architecture decision record (ADR) as part of your context files. Before prompting for any feature, reference the ADR. "Follow the authentication pattern defined in ADR-003" is a simple prompt addition that prevents architectural drift. It takes five seconds to add and saves days of refactoring.
Trap 3: Skipping the "Why" in Prompts
A well-structured prompt with explicit constraints consistently outperforms vague, open-ended instructions. But a lot of vibe coding guides encourage broad, creative prompts: "Build me a dashboard." That gives you code you can't maintain because you don't understand the decisions embedded in it.
Instead: "Build a dashboard that displays the last 30 days of user activity, using our existing Chart component from /components/ui/Chart.tsx, connecting to the /api/analytics endpoint, with error states for network failures and empty data." The more specific your prompt, the more predictable — and reviewable — the output. Every constraint you add is one fewer surprise you'll debug later.
Why Karpathy Says Vibe Coding Is Already Passé
In February 2026 — exactly one year after coining the term — Andrej Karpathy published an essay introducing "agentic engineering" as vibe coding's successor. His argument is worth quoting at length because it reframes the entire conversation:
"Vibe coding served its purpose. It lowered the activation energy to build software with AI dramatically. It made the tools accessible and the practice fun. But the tools have grown up. Agents can now run for hours, modify hundreds of files, execute tests, read documentation, and self-correct. The 'just vibe with it' relationship to an AI is insufficient for that level of autonomy. You need engineering judgment to be the load-bearing element, not the vibe."
Karpathy defines agentic engineering as "the engineering discipline of maintaining professional software quality standards while using agents to move faster." The shift is from improvisational prompting to structured agent orchestration — task decomposition, verification patterns, and systematic oversight of AI-driven development.
Jodie Cook at Forbes explored what this means practically: the shift emphasizes task decomposition, agent orchestration, and verification patterns rather than open-ended prompting. Less "vibe with the AI" and more "architect the AI's workflow."
This tracks with what I've seen. The most productive teams I've worked with in 2026 aren't doing pure vibe coding anymore. They're running structured workflows where the AI operates within explicit guardrails — closer to a junior engineer following detailed specs than a creative partner improvising. The vibes were never the point. The velocity was. And it turns out you can keep the velocity without the chaos.
[YOUTUBE:PLKrSVuT-Dg|How to make vibe coding not suck…]
Vibe Coding vs Agentic Engineering: What Actually Changed
The evolution from vibe coding to agentic engineering isn't a rebrand. The underlying tools and workflows have fundamentally changed.
| Dimension | Vibe Coding (2025) | Agentic Engineering (2026) |
|---|---|---|
| Prompt style | Conversational, exploratory | Specification-driven, constrained |
| AI autonomy | Single-turn generation | Multi-step agent runs (hours) |
| Human role | Prompt-and-accept | Architect, review, verify |
| Quality bar | "Does it work?" | "Is it production-ready?" |
| Context | Per-prompt, ephemeral | Persistent config files, memory |
| Failure mode | Subtle bugs in generated code | Agent drift over long sessions |
| Testing | Optional, after the fact | Integral, agent-executed |
| Security | Hope-based | Constraint-based, audited |
The practical difference: in vibe coding, the developer is the engine and the AI is the accelerator. In agentic engineering, the AI is the engine and the developer is the safety system. That requires a completely different skill set — one closer to what I described in my post on how software engineering is becoming "plan and review".
How to Transition From Vibe Coding to Agentic Engineering
If you're currently vibe coding and want to move toward the more disciplined approach, here's the progression that's worked for teams I've advised:
Start with persistent context files. Create a CLAUDE.md, .cursorrules, or equivalent for every project. Include your tech stack, architecture decisions, naming conventions, and security requirements. This single change eliminates roughly half of the "context gap" problems that freeCodeCamp identifies as the first crack in vibe-coded output. I've seen teams go from constant "why did it do that?" confusion to predictable output just from getting this file right.
Decompose tasks before prompting. Stop prompting for features. Prompt for the individual components of features. Break "build user authentication" into data model, API routes, middleware, UI components, and tests. Each becomes a separate, reviewable unit. Yes, this feels slower. It's not. The time you "save" with one-shot prompting, you spend debugging.
Add verification checkpoints. After every AI-generated change, run your test suite. If tests fail, have the AI read the failures and self-correct before moving to the next task. This is the core loop of agentic engineering. It's also where AI agents actually shine — they're relentless debuggers when given clear test output to work from.
Track what the AI gets wrong. This one changed my workflow more than anything else. Maintain a running list of the AI's recurring mistakes in your project. Add these as explicit constraints to your context files. "Do not use synchronous file operations" or "Always use the custom logger, never console.log." These accumulate into a project-specific instruction set that dramatically improves output quality over time. My oldest project has 40+ constraints now. The AI barely makes mistakes on that codebase anymore.
Review diffs like your career depends on it. Because increasingly, it does. The developers who thrive in the age of agentic AI are the ones who can read AI-generated code critically, not the ones who write the cleverest prompts.
This workflow connects directly to the broader context engineering discipline emerging around AI development — the idea that the quality of AI output is determined almost entirely by the quality of the context you provide.
The Security Reality Check Every Vibe Coder Needs
I saved the hardest truth for its own section because I think most vibe coding guides underplay it dangerously.
The Cloud Security Alliance's April 2026 report isn't ambiguous: the security costs of undisciplined vibe coding are accelerating faster than the productivity gains. When your developers produce commits at 3-4x the rate but introduce security findings at 10x the rate, you're not moving faster. You're accruing security debt at roughly 3x net. That math doesn't work. It will never work.
I've audited vibe-coded applications and the patterns are depressingly consistent: hardcoded secrets, SQL injection vectors, missing input validation, and phantom dependencies that reference packages that don't exist. These aren't edge cases. They're the default output when security isn't explicitly baked into the prompting workflow.
The teams that avoid this don't rely on developer discipline alone. They build security into their tooling:
- Security requirements in every context file
- Automated SAST scans on every commit (not just in CI — on every local commit)
- Dependency auditing that flags unknown packages immediately
- Prompt engineering templates that include security constraints by default
If you're doing vibe coding without these guardrails, you're not moving fast. You're moving toward an incident.
What Comes Next for Vibe Coding in 2026
I'll be direct about what I think happens from here.
Vibe coding as Karpathy originally defined it — the improvisational, vibes-based approach — is going to persist for prototyping, learning, and personal projects. It's genuinely useful for those contexts. The barrier to building software has never been lower, and that's a real, unqualified good.
But for professional development, the term "vibe coding" will gradually be replaced by "agentic engineering" or something similar. The tools are already evolving in that direction. Claude Code, Cursor, and GitHub Copilot are all adding features that assume a more structured workflow: persistent context, multi-file operations, test execution, and self-correction loops.
The developers who will thrive aren't the best prompters. They're the ones who understand systems deeply enough to guide AI agents effectively, review generated code critically, and know when the machine is wrong. That's software engineering. It always was.
The vibe was fun. Engineering judgment is what ships.
Frequently Asked Questions
Is vibe coding good for production applications?
Vibe coding can work for production applications, but only when combined with rigorous review, testing, and security practices. Pure vibe coding — prompting and committing without thorough review — introduces security vulnerabilities at roughly 10x the normal rate according to the Cloud Security Alliance. The techniques matter more than the tool.
What is the difference between vibe coding and agentic engineering?
Vibe coding is improvisational AI-assisted development where you describe what you want in natural language and iterate on the output. Agentic engineering, coined by Andrej Karpathy in February 2026, adds structured discipline: persistent context files, task decomposition, automated verification, and explicit quality gates. Think of it as vibe coding with engineering rigor applied.
What are the biggest risks of vibe coding?
The three largest risks are security vulnerabilities (45% of AI-generated code contains OWASP Top 10 flaws), technical debt accumulation (code duplication can increase up to 4x), and phantom dependencies where the AI references packages that don't exist — which attackers exploit through "slopsquatting." All three are manageable with proper guardrails.
Which tools are best for vibe coding in 2026?
The leading tools are Claude Code, Cursor, GitHub Copilot, and Windsurf. Claude Code and Cursor support persistent context files that dramatically improve output quality. The choice depends on whether you prefer a CLI workflow (Claude Code) or an IDE-integrated experience (Cursor, Copilot). For a deeper comparison, see tool-specific benchmarks for your use case.
Can non-programmers use vibe coding to build real software?
Yes, but with significant caveats. Non-programmers can build working prototypes and simple applications using vibe coding. However, without the ability to review generated code for security flaws, architectural problems, and performance issues, these applications shouldn't handle sensitive data or serve paying users without professional review.
How do you prevent AI-generated code from creating tech debt?
Use persistent context files to maintain architectural consistency, commit frequently so you can roll back cleanly, run automated tests after every generation step, and maintain an explicit list of the AI's recurring mistakes. The goal is to make the AI's constraints as clear as your intentions.
Originally published on kunalganglani.com
Top comments (0)