Describing AI as an indispensable tool in software development might be an understatement. Recent surveys show that 84% of developers either currently use or plan to use AI in their daily work, even though many are concerned about security risks posed by AI-generated code.
That said, AI’s role in dev environments is continuing to grow, thanks to a new technique known as “vibe coding.” First described by OpenAI’s founder earlier this year, vibe coding gives AI more control than ever over software’s final output, allowing developers and non-developers alike more ability to spin up code quickly and avoid the painstaking reviews that slow projects down.
This is enticing for companies hoping to both supercharge their dev environments and save time, money, and stress. But it’s also risky. It’s like giving a powerful Ferrari to someone used to riding a tricycle.
AI, of course, carries plenty of risks that have been well documented. News reports tumble out every day about deepfakes threatening elections, AI favoring names associated with white males, and data leaks involving sensitive corporate source code pasted into ChatGPT. But the risks security leaders worry about most are the threats to the data that drives their companies’ mission-critical operations.
What is vibe coding?
Vibe coding itself doesn’t require the code “creator” to write, review, or edit any code. The creator just describes a set of properties to a large language model and accepts its recommendations without fully reviewing or understanding them. Rather than write structured code and put it through a rigorous review, the developer creates by tapping into a vibe.
Fans of this process see it as a valuable tool for prototyping, hacking together disconnected concepts, or brainstorming new ideas. But critics worry that deeding over coding functions to people without expertise is compounding an already difficult security problem. AI-produced code generates security vulnerabilities in 45% of all cases, according to Veracode’s 2025 GenAI Code Security Report, exposing organizations to a host of cybersecurity risks.
The biggest issue is with backups. Threat actors are increasingly targeting backup data, but most organizations’ backup systems aren’t built to withstand these attacks. According to a recent study from Enterprise Strategy Group (ESG), “Almost every organization (96%) that has experienced a ransomware attack in the past two years said that their backup data has been targeted at least once.” Nearly half (49%) took up to five business days to recover their data, and most failed to recover all of it.
In vibe coding, backups are often overlooked. Developers build prototypes quickly with AI, but then they may not fully understand how backups are stored, secured, or cleaned up.
AI-generated code also often misses security controls. Vibe coding frequently produces functional code that may work for prototyping, but it skips past built-in protections around access control, encryption, retention policies, or secure deletion. Such code can replicate insecure patterns, leading to vulnerabilities like SQL injections or data breaches.
And when access controls fail, backups become targets. If an attacker breaks into a system through a vibe-coded endpoint, they can often move around at will, compromising logs, configuration files, and backup archives. If backups are stored without encryption or authentication, they can be exploited for financial gain.
Vibe coding and the inevitable extra risks and dangers that it presents further underline the need for immutable backups. Where there are mistakes in code, there can be vulnerabilities, and where there are vulnerabilities, there is potential data loss.
Achieving absolute immutability
Immutability is a security concept that safeguards critical data by ensuring that data can’t be altered or deleted once recorded. It’s widely regarded as an industry best practice, but there remains a persistent disconnect between IT leaders who recognize the importance of immutability and those who have implemented it.
More than 80% of the IT decision makers surveyed by ESG consider backup storage immutability as the last line of defense and the most important component of any ransomware protection strategy. However, only 59% of organizations have actually deployed immutable storage, and just 58% report that they adhere to the 3-2-1 rule for maintaining multiple backup copies to ensure recovery.
Absolute immutability means zero access to destructive actions—no factory reset, no backdoor access, and no virtualized backup storage. Threat actors are adept at finding even the smallest vulnerability and using it to wreak havoc. In cybersecurity, subtle complexities and technicalities matter.
Object storage with object lock capabilities is the only storage with native immutability built in. It should be operated in compliance mode, not governance mode, to avoid privileged users being able to override object lock settings. Implement end-to-end encryption to prevent data exfiltration, but watch out for vendors that recommend deduplication, which would require disabling encryption. This storage setup ensures immutability from the moment the data is written.
When considering a standalone storage device optimized for backup data, ensure backup software is segmented from backup storage and avoid integrated appliances and do-it-yourself systems. This is yet another safeguard to limit exposure if credentials are compromised.
Conclusion
AI is here, and it’s going to be part of our software process going forward. Companies that embrace vibe coding need to understand the security risks it poses and guard against them. Given the tactics used by modern threat actors, proactive measures are not enough; companies must now assume breach and prepare for recovery. Protecting their backups with immutable storage is a good first step.
- Vibe Coding: Balancing Productivity with Protection - November 3, 2025
