The news
Martech.org published a piece by Wyndham Hotels & Resorts marketing technologist Steve Petersen making the case that vibe coding needs enterprise-grade governance — documentation, validation, security review, and maintenance workflows — to be sustainable inside larger organizations. The argument: AI-generated code shifts accountability onto humans, not away from it. Security researcher Dor Zvi's findings, cited in Wired, show vibe-coded apps already leaking medical, financial, and corporate data into the open web.
Our take
Petersen is right, and the governance argument applies even if you're not at an enterprise. The risk compounds at scale, but it starts on day one.
Here's what breaks: a marketer vibe-codes a lead enrichment tool or a campaign reporting dashboard in an afternoon. It works. It gets added to the team's workflow. Six months later, the API it calls changes, the person who built it has left, and nobody knows what the tool does or how to fix it. That's not a vibe-coding problem specifically — it's a documentation problem wearing vibe-coding's clothes.
The security angle Petersen raises is real and underappreciated by go-to-market (GTM) teams. Most demand gen and marketing ops professionals aren't thinking about data exposure when they're spinning up a Lovable app or a Make scenario. They're thinking about whether it works. But "does it work today" and "is it safe to leave running" are different questions, and most teams only ask the first one.
The fix isn't to stop vibe-coding — that would be like telling a team to stop using Zapier because automations can break. The fix is to treat vibe-coded tools with the same lightweight operational discipline you'd apply to any production system: document what it does and what data it touches, establish who owns it, and build in a review cadence. None of that requires engineering. It requires someone deciding it matters.
Adoption is a design constraint, and so is sustainability. A tool that ships fast but creates liability isn't a win — it's a deferred cost.
So now what?
Before your next vibe-coded build goes into production, run a quick three-part check:
- What data does this touch? If the answer includes any customer PII, CRM records, or connected SaaS credentials, that tool needs documentation and a named owner before it goes live.
- Who maintains it? If the answer is "whoever built it," you don't have a production tool — you have a prototype someone forgot to label.
- What breaks if the underlying API or platform changes? Build the assumption of drift into your planning, not your postmortem.
Fast-moving teams don't avoid governance — they make governance lightweight enough to actually happen.