Vibe coding is now mainstream. The missing piece is not another model — it is identity, action visibility, and telemetry across human and AI development actors.

When Collins Dictionary named “vibe coding” its 2025 Word of the Year, it reflected a structural shift in how software is produced.

Software in many modern workflows is authored by multiple developer identities, not only humans.

From a DevSPM standpoint, developer is an actor class, consisting of three distinct identities:

Developer Type 1 — Human Developer

Direct authorship, identity, actions, and behavioral telemetry.

Developer Type 2 — Hybrid Developer (Human + AI)

Human identity triggering actions; AI systems generating logic and structure; mixed-lineage telemetry.

Developer Type 3 — AI Developer

AI models or agents that autonomously or semi-autonomously generate or modify code; their actions and resulting artifacts require their own identity and telemetry.

These actors now participate simultaneously across the SDLC.

The productivity gains are substantial. So are the governance implications.

ThoughtWorks’ recent discussion on vibe coding outlines a clear pattern: rapid creation, limited internal visibility, and unclear authorship.

This leads to a structural question:

What control plane observes identity, captures actions, and supplies telemetry across all developer types so that AI-assisted and AI-generated code remains governable over time?

This is the domain of Developer Security Posture Management (DevSPM).

1. What vibe coding has become

The ThoughtWorks panel converges on an observable definition:

• Flow-first development — natural-language interactions with AI systems generate code and scaffolding quickly.
• Prototype-oriented — highly effective for exploration and rapid iteration.
• Low-visibility — the path from request → implementation is partially opaque, even to the initiating human.
  
  

In practice, vibe coding spans:

• Copilot-style inline generation
• Agentic “build me a service” workflows
• Environments such as Cursor, Claude Code, Replit, Lovable
• MCP-based agents pulling context from documentation, tickets, logs, and CI signals
  
  

These tools operate across a spectrum from exploratory prototypes to production-adjacent systems.

The creation layer has changed. The governance layer has not kept pace.

2. What happens when vibe-generated code reaches production

The patterns that emerge map directly to DevSPM’s responsibility surface.

2.1 Identity becomes ambiguous

Traditional development mapped cleanly:

Identity → Code change → Artifact

With AI-augmented development:

• A human triggers an action
• An AI system generates most of the logic
• The commit lands under a human’s name
• The artifact contains blended lineage
  
  

This introduces ambiguity in:

• accountability
• authorship analysis
• incident investigation
• audit and compliance work
  
  

DevSPM restores clarity by correlating:

• human identity
• AI or agent identity (model, version, context source)
• actions taken
• resulting code paths
• associated posture signals

All tied into a unified telemetry graph.

2.2 Provenance and ownership become unclear

Common scenarios:

• AI-generated logic enters a repository without attribution
• Teams cannot reconstruct which model produced which change
• Commits reflect human identities without reflecting AI contributions
  
  

This complicates:

• forensics
• incident reconstruction
• responsibility mapping
• external documentation and regulatory responses
  
  

DevSPM models developer posture as a function of identity, actions, and artifacts, not assumptions about authorship.

2.3 Maintainability: there is no “vibe maintenance”

Even correct AI-generated code changes over time:

• dependencies evolve
• vulnerabilities are disclosed
• interfaces shift
• operational patterns diverge
  
  

If the code was produced in an opaque, AI-assisted session, teams may hesitate to modify or extend it.

DevSPM tracks ongoing posture:

• where security debt accumulates
• which services drift from internal patterns
• where maintenance pressure increases
• how code and configuration behave over time
  
  

Maintenance requires visibility.

DevSPM provides it.

2.4 Expanded attack surface and insecure defaults

AI-assisted builds frequently manifest issues such as:

• exposed administrative endpoints
• misconfigured infrastructure from auto-generated scripts
• missing authentication or authorization paths
• functional code without corresponding non-functional safeguards
  
  

AI tools optimize for visible functionality unless prompted otherwise.

They can generate large volumes of code quickly, expanding the review burden.

DevSPM assesses posture across:

• vulnerabilities and dependencies
• misconfigurations and exposures
• policy alignment
• environment-level risk signals
  
  

This shifts the focus from artifact-level scanning to systemic posture.

2.5 AI-accelerated shadow IT

With AI tools:

• a finance analyst can deploy a working dashboard
• an operations lead can create internal tools directly via SaaS platforms
• a developer can spin up cloud-connected services through AI IDEs
  
  

These systems often appear before governance processes observe them.

DevSPM functions as a discovery and telemetry layer:

• identifying emerging repos and services
• correlating them to specific identities
• surfacing posture data
• flagging unmanaged or unapproved deployment paths
  
  

Creation now outpaces visibility.

DevSPM closes that gap.

2.6 De-skilling and brittle teams

Teams may ship functional systems without deep understanding of the generated logic.

When problems arise:

• no clear maintainer exists
• ownership is diffuse
• reasoning about change impact becomes difficult
  
  

DevSPM reinforces operational clarity by:

• highlighting complexity hotspots
• correlating risk to specific actors
• surfacing patterns that degrade maintainability over time
  
  

It does not replace skills; it supplies the visibility that strengthens them.

3. Actor governance, not artifact governance

Traditional AppSec systems govern artifacts:

• source code
• binaries
• containers
• deployed endpoints
  
  

AI-era development requires governance of actors:

• human developers
• hybrid (human + AI) developers
• AI developers
• agentic systems orchestrating actions
  
  

Governing actors requires observing actions at creation time, not only scanning outputs.

DevSPM focuses on:

• identity binding
• action capture
• provenance linking
• upstream policy enforcement
  
  

Artifacts are downstream evidence.

Actors generate risk upstream.

4. The identity → actions → telemetry triad

DevSPM operates on three primitives:

Identity

Which human, AI model, or agent acted, and in what environment.

Actions

What occurred — code generation, modification, dependency introduction, configuration editing, or deployment triggers.

Telemetry

How security posture evolves — vulnerabilities, misconfigurations, policy drift, dependency lineage, exposure patterns.

This triad enables:

• reconstruction of system lineage
• correlation of risk to specific developer identities
• continuous evaluation of posture across environments
  
  

Without this layer, governance becomes post-incident reconstruction.

5. Three practical scenarios

Scenario 1: The internal tool that does not stay internal

A team builds an internal dashboard using an AI IDE.

It connects to production data.

Authentication is minimal.

A reverse-proxy modification exposes it more broadly.

With DevSPM:

The dashboard appears as:

• a tracked asset
• with known maintainers
• misconfigurations and vulnerabilities surfaced
• policy deviations visible in telemetry
  
  

Scenario 2: AI-generated microservice in a regulated domain

A service handling sensitive forms is generated by an AI agent.

Functionally correct in test, it deploys with insufficient audit logging or access control.

DevSPM:

• correlates developer and AI identities
• surfaces missing controls
• provides posture data for compliance workflows
  
  

Scenario 3: A shadow pipeline from a single AI-native tool

A developer connects a SaaS AI platform directly to a cloud account.

It can deploy containers without central review.

DevSPM:

• detects services tied to that identity
• flags unmanaged CI/CD paths
• brings the assets into the governed surface
  
  

Across scenarios, the pattern is consistent:

actors act faster than governance can observe.

6. From “trust but verify” to “vibe but govern”

A more precise framing for AI-assisted development:

Vibe, but govern.

Create, but observe.

Accelerate, but instrument.

Build with AI, but anchor identity, actions, and telemetry.

Vibe coding accelerates how software appears.

DevSPM provides the foundation that determines whether that software remains understandable, governable, and maintainable.

Human developers, hybrid developers, and AI developers all contribute to modern systems.

DevSPM observes, attributes, and measures their actions.