How 5,000 vibe‑coded apps exposed what’s really wrong with shadow AI

Traditional security programs overlook “vibe-coded” apps

Most corporate security systems were designed for an older world, servers, endpoints, and cloud infrastructure. They were not built for the new wave of applications created outside traditional IT. Employees can now generate fully functioning tools in hours using platforms like Lovable, Base44, Replit, and Netlify. These apps access real company data and often go live without oversight. The problem is simple: security doesn’t see them. They fall into a blind spot.

These AI-assisted or “vibe-coded” applications are changing how organizations create digital products, but security architecture hasn’t evolved with them. RedAccess found 380,000 public assets built through these platforms, and about 5,000 contained sensitive corporate data. That’s not a minor issue, it’s a structural one. What’s at stake isn’t a few misconfigured apps, but an entire new category of exposure that enterprises haven’t yet mapped.

For executives, the key takeaway is visibility. You cannot protect what you don’t know exists. These tools extend innovation speed, but they do so by bypassing every traditional security gate. If even one of these unsanctioned builds connects to customer databases or internal APIs, the company’s exposure becomes everyone’s problem. Security strategy needs to evolve from asset-centric to activity-aware, focusing on how code is being built and deployed, by anyone, anywhere in the organization. The companies that adapt now will lead the next generation of secure automation. Those that don’t will play defense in public when the breach reaches the headlines.

Default public settings and user inexperience on vibe coding platforms

The way these platforms work by default is part of the problem. Most of them launch apps that are public from the start. A new user has to manually switch to private settings. Because many of these “developers” are nontechnical, marketing managers, analysts, product coordinators, security rarely crosses their minds. They expect the platform to handle it. It doesn’t.

Dor Zvi, the CEO of RedAccess, emphasized that it is unrealistic to expect mass users to comprehend or implement access control. His comment illustrates how the democratization of software builds collides directly with the complexity of security. What’s simple for a creator is complex for an enterprise. This mismatch creates an easy path to leaks and compliance failures. RedAccess found phishing websites on Lovable that imitated Bank of America, FedEx, and other major companies, proof that unguarded access is an invitation for abuse.

This is a design flaw in the platforms themselves. Public-by-default settings give the illusion of innovation speed but invite uncontrolled exposure. Policies and awareness programs help, but alone they aren’t enough. Real change happens when the organization enforces security at the platform and infrastructure levels, automating private deployment by default, integrating SSO and authentication hooks, and ensuring anything that connects to company data goes through review. The companies that take that approach are not slowing innovation; they’re making sure it can scale safely.

Independent investigations and industry research substantiate widespread vulnerabilities

Independent research has confirmed what many security professionals already suspect: the risks introduced by vibe-coded and AI-generated applications are systemic. These applications are being developed and deployed at a pace that traditional AppSec processes cannot match, leaving an expanding gap between innovation and safeguard. Escape.tech’s October 2025 study uncovered more than 2,000 high-impact security flaws and 175 separate instances of personal data exposure across 5,600 publicly available AI-built applications. Every one of these cases involved assets live in production when discovered.

Gartner’s 2026 forecast added weight to this trend, predicting a 2,500% rise in software defects by 2028 tied to citizen developers and AI-driven coding. The firm identified a new kind of defect, code that is technically correct but logically unaligned with a company’s systems and policies. It’s about the broader context AI can’t yet understand. This creates deeper, harder-to-detect vulnerabilities that require extensive remediation.

For executives, the message is clear. Rapid AI-based development opens new competitive frontiers, but without architectural reinforcement, it also scales vulnerability. Security budgets need to shift from retroactive recovery to preemptive control. That means embedding policy enforcement directly into AI-driven development workflows and integrating automated scanning across build pipelines. The companies that do this early will keep both velocity and stability, while others will spend their innovation budgets on patching.

Shadow AI amplifies risk, leading to higher breach frequency and increased financial costs

Shadow AI, the use of unsanctioned AI systems and self-deployed tools, has become one of the largest unmonitored threats facing enterprises today. It extends the challenge of shadow IT by introducing automation capable of producing production-grade code outside official structures. The result is a rapid multiplication of applications running without compliance checks, governance, or security oversight.

IBM’s 2025 Cost of a Data Breach Report quantified the financial toll: 20% of surveyed organizations experienced breaches linked to shadow AI, adding $670,000 to the average cost and pushing total breach expenses to $4.63 million. Among those organizations, 97% lacked proper access controls, and 63% had no AI governance policy at all. VentureBeat research projected that the number of active shadow AI applications could double by mid-2026. Cyberhaven found that 73.8% of ChatGPT accounts in enterprise environments were unauthorized.

For decision-makers, the immediate step is recognizing that AI’s introduction into business processes wasn’t matched by a similar upgrade in governance. Unregulated AI development threatens both data integrity and compliance standing across industries like healthcare, finance, and manufacturing. Closing this gap demands policy, technology, and enforcement working together. Executives must direct their teams to establish AI usage inventories, implement access audits, and align governance frameworks to international data protection standards. Leadership that acts decisively now will define how securely companies adapt to AI-driven transformation.

Detection and visibility shortcomings render vibe-coded applications

Most organizations still operate under a visibility model that assumes every asset has a record, a log, or a traceable endpoint. That assumption no longer holds. Vibe-coded apps deploy on fast-changing subdomains, often hidden behind content delivery networks that obscure original infrastructure. They don’t show up in traditional discovery systems or endpoint telemetry, leaving entire categories of digital assets invisible to the company’s monitoring stack.

This invisibility poses a growing risk. Even enterprises with advanced detection technologies, such as secure web gateways, cloud access security brokers (CASBs), or DNS logging, are only identifying employee access to these platforms. Without an internal system to scan for unmonitored deployments, security teams are working with incomplete situational awareness. C-suite leaders must recognize that this is a structural visibility crisis.

For executives, the nuance is that prevention now depends on discovery precision. Monitoring network activity alone no longer guarantees coverage. Enterprises require automated scanning across major vibe coding domains like Lovable, Base44, Replit, and Netlify. Establishing real-time discovery and authentication mapping is critical to understanding where company data flows and who can access it. Strategy discussions at the leadership level should include discovery operations as a permanent layer of enterprise risk control.

Inadequate platform accountability and design flaws within the ecosystem exacerbate security risks

The responsibility gap between vibe coding platforms and their users remains wide. When security researchers expose flaws, responses from these platforms have often lacked transparency or urgency. In this emerging ecosystem, accountability is unclear, and that uncertainty directly increases enterprise risk. A security weakness on a popular development platform propagates across thousands of live apps created by unsuspecting users.

Recent events make the issue concrete. Wiz Research identified a platform-wide authentication bypass in Base44 in July 2025 that allowed unauthorized access to private applications. The vulnerability was fixed within 24 hours by Wix, but only after reporting prompted immediate action. Similarly, CVE‑2025‑48757 documented missing row-level security policies in Lovable-generated Supabase projects, exposing data across more than 170 live applications. These flaws highlight how thin the default security architecture is when millions of apps are created by users assuming the platform safeguards are sufficient.

Replit CEO Amjad Masad stated that RedAccess gave the company only 24 hours before public disclosure, while Base44 (via Wix) and Lovable claimed they lacked enough detail to verify findings. None denied the exposures occurred. That fact underscores the ecosystem’s fragile state of responsibility. For executives, this means vendor trust cannot replace due diligence. Enterprises need clear contractual terms defining platform security requirements, independent vulnerability assessments, and escalation protocols for disclosures. Accountability must be engineered into the relationship between developers, users, and service providers so that security expectations are explicit.

Robust architectural solutions and integrated governance are essential to mitigate Vibe-Coded app risks

Most organizations treat the problem of unsanctioned or AI-built applications as a matter of policy when it is, in fact, a matter of architecture. Memos and awareness campaigns do little to solve structural weaknesses. What executives need to focus on is integration: embedding discovery, access control, scanning, and governance directly into the development environment where these apps are born. This ensures that security operates as part of system design.

An effective strategy focuses on automation and alignment between technology and governance. Automated scanning of DNS and certificate-transparency logs can expose hidden subdomains tied to Lovable, Replit, Base44, and Netlify assets. Authentication enforcement, using SSO or SAML, must occur before deployment, blocking public exposure by default. Code scanning should extend beyond sanctioned builds to cover citizen-created apps using SAST and DAST tools. Data loss prevention (DLP) must include vibe coding platforms in its policy scope, ensuring that sensitive data does not move into unmonitored environments.

For C-suite leaders, this approach is both strategic and pragmatic. It ensures that innovation continues without compromising control. Security maturity depends less on headcount and more on automation and clear governance. By treating AI-driven development as an architectural component, leadership can manage risk at the same speed as technological change. The organizations that build these structural protections today will set the operational standards others eventually follow.

The rise of shadow AI signals a fundamental shift in enterprise risk, necessitating a reevaluation of traditional security paradigms

Shadow AI has moved beyond experimentation; it is now part of production infrastructure in nearly every large enterprise. This represents a transformation in how digital systems are created, deployed, and maintained. The tools enabling this shift, AI-assisted coding, no-code and low-code platforms, and automated pipelines, accelerate capability but outpace existing governance models. Leadership must accept that legacy frameworks built around static assets and known endpoints can no longer manage the velocity and decentralization of modern software creation.

The combined research from RedAccess, Escape.tech, Gartner, and IBM highlights the direction of change. Vulnerabilities are rising exponentially, remediation costs are growing, and governance frameworks are lagging years behind real-world use. Gartner forecasts a 2,500% increase in software defects stemming from AI-driven development by 2028, while IBM reports shadow AI breaches adding an average of $670,000 per incident to remediation costs. These figures are early indicators of how fast the risk landscape is shifting.

For executives, the strategic response must go beyond containment. It requires rethinking enterprise security as part of adaptive digital strategy. Shadow AI cannot be eliminated, but it can be managed through visibility, governance, and technical enforcement. Senior leadership should ensure that AI use policies, auditing, and continuous monitoring evolve alongside business adoption. The companies that modernize their risk models will not just avoid losses, they will build trust, maintain resilience, and remain competitive in an economy increasingly shaped by intelligent automation.

Final thoughts

The spread of vibe-coded and AI-built applications is not a passing trend; it’s a structural change in how companies create software. Every major enterprise already has some version of shadow AI operating inside it, whether leadership knows it or not. The real challenge isn’t stopping it; it’s governing it intelligently.

Executives should treat this moment as a turning point. The organizations that adapt their architectures, automate discovery, and make AI governance a standing component of their operating model will move faster and safer than those that rely on after-the-fact security reviews. Policies written in isolation don’t protect data; design that enforces control does.

Boards and leadership teams must begin viewing AI use, security, and transparency as part of business strategy, not technical maintenance. This is an opportunity to build resilience while solidifying trust with customers and regulators. AI-driven innovation will continue to accelerate. What matters now is how securely, and how consciously, it’s engineered into the foundation of every enterprise.