What Andrej Karpathy and your legal team both get right about vibe coding
Both sides are solving the same problem from opposite ends, and they're missing each other in the middle.
Andrej Karpathy coined "vibe coding" in February 2025 with a deliberately provocative frame: fully give in to the vibes, embrace exponentials, forget that the code even exists. Collins English Dictionary named it Word of the Year. Ninety-two percent of US developers now use AI coding tools daily. Replit went from $3 million to $250 million in revenue in a little over a year, fueled largely by non-technical domain experts — HR managers, marketing leads, sales ops — building their own software rather than waiting on IT.
Your legal team looked at all of that and said: absolutely not.
They're both right.
Karpathy wasn't describing a toy. He was describing something enterprises have been slow to name: when AI agents fail at the complex, ambiguous work — the "squishy" domains like legal, HR, and marketing where there's no unit test to verify a right answer — people build workarounds. The Saudi Arabia Public Investment Fund, which manages $1 trillion in assets, ran a hackathon where its executive team used vibe coding to build software and route around SaaS products that weren't solving their actual problems. When a sovereign wealth fund's executives start writing their own code, the signal is organizational, not technical.
The legal team's concern is backed up by the numbers. One in four AI-generated code samples contains confirmed security vulnerabilities. AI-generated code now contributes to one in five enterprise security breaches. A developer known in the community as "Jason" used an AI agent to modify his production database and watched it get wiped. That incident became the canonical case study for two requirements that now drive serious enterprise AI architecture: isolation (the agent gets its own sandbox, never production access) and reversibility (one-click rollback, always). Jason's mistake was expensive. The same mistake inside a Fortune 500 will cost more than a rollback can fix.
Both sides are solving the same problem from opposite ends, and they're missing each other in the middle.
Karpathy's vibe coding is about removing the bottleneck between someone who understands a problem and their ability to build a solution. Speed, specificity, no procurement delays. The legal team is watching what happens when that same velocity touches customer data, financial records, or compliance workflows with no audit trail and no one accountable when something breaks. Both concerns are real. The gap between them is the absence of a shared vocabulary for what "safe" looks like when a product needs to move fast.
Product counsel lives in that gap, and the mechanics of enterprise AI autonomy — which is the real subject underneath the vibe coding debate — require three things to hold together. Agents need isolation from the start, not retrofitted after the first incident. The Replit team learned this the hard way and built a testing environment roughly 10x cheaper and 3x faster than using a generic AI to click around a live screen, specifically because live environments were fragile and exposed. Autonomous actions need to be reversible before deployment, with rollback treated as a design requirement rather than a contingency plan. And the compliance layer — what the agent is allowed to touch, what it logs, who gets notified when it deviates — has to be in the room when the product is being designed, not when it's being reviewed.
Most teams treat those three things as afterthoughts, and that's an organizational habit problem rather than a technology problem. The tools to build isolation, reversibility, and embedded oversight exist today. What's missing is the habit of treating governance requirements as a design input instead of a final checkpoint.
Legal teams that can translate between those worlds — that can walk into a product conversation and ask "what does this agent touch, what can it do, what can it undo, and who knows when something goes wrong?" — are operating as architects of the trust infrastructure that lets the product move, rather than as the checkpoint at the end of the hall.
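As an added illustration (not code from the article or from any product it names), here is a minimal Python broker that makes those four questions concrete: an allowlist bounds what the agent touches, every write records its inverse so the whole run can be undone, and an audit log plus an alert list answer who knows when the agent deviates. The resource names, agent id and values are constructed.

```python
from dataclasses import dataclass, field

_MISSING = object()  # sentinel: resource did not exist before the write


@dataclass
class AgentActionBroker:
    """Mediates every write an agent makes to shared state.

    isolation:     only resources in `allowed` may be written
    reversibility: each write pushes its inverse onto `undo`
    oversight:     every decision lands in `audit`; denials also raise an alert
    """
    allowed: set                     # isolation boundary (e.g. sandbox only)
    store: dict                      # constructed stand-in for the data acted on
    audit: list = field(default_factory=list)
    undo: list = field(default_factory=list)    # inverse operations, newest last
    alerts: list = field(default_factory=list)  # who-gets-notified channel

    def write(self, agent: str, resource: str, value) -> bool:
        if resource not in self.allowed:
            self.audit.append(("denied", agent, resource))
            self.alerts.append(f"{agent} attempted write to {resource}")
            return False
        self.undo.append((resource, self.store.get(resource, _MISSING)))
        self.store[resource] = value
        self.audit.append(("write", agent, resource))
        return True

    def rollback(self) -> None:
        """Restore every touched resource to its pre-run state, newest first."""
        while self.undo:
            resource, prev = self.undo.pop()
            if prev is _MISSING:
                self.store.pop(resource, None)
            else:
                self.store[resource] = prev
        self.audit.append(("rollback", "broker", None))


def demo():
    """Agent may touch the sandbox copy only; the production key is off-limits."""
    broker = AgentActionBroker(allowed={"sandbox:orders"},
                               store={"sandbox:orders": 3, "prod:orders": 100})
    ok_sandbox = broker.write("agent-7", "sandbox:orders", 5)   # permitted
    ok_prod = broker.write("agent-7", "prod:orders", 0)         # denied + alert
    broker.rollback()                                           # one-click undo
    return ok_sandbox, ok_prod, dict(broker.store), list(broker.alerts), list(broker.audit)
```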
Karpathy is right that the bottleneck between expertise and software is collapsing. Your legal team is right that autonomy without accountability architecture creates real exposure. The organizations that figure out the translation between those two truths will move faster than the ones still arguing about which one matters more.