Why vibe coding and VS Code extensions create new risks for business and development

AI is already changing the distribution of roles in companies: an employee without deep technical background can assemble a script, connect an extension in VS Code, and quickly solve a local task. The problem is that along with speed, new risks come to the business—from data leaks and vulnerable code to shadow automation, which IT teams discover too late.

Why the Risk Has Grown

Vibe-coding lowers the barrier to entry: a person describes a task in natural language, and the model offers ready-made code snippets, infrastructure configs, and deployment commands. For business, this looks like acceleration because tasks are completed without waiting in line for developers and administrators. But speed is deceptive here: an employee may not understand what exactly the AI generated, what permissions the script needs, where the data goes, and how the IDE extension processes project contents.

A separate problem is the VS Code extension ecosystem. Installation takes minutes, but consequences can stretch for months. A plugin gains access to files, tokens, terminal, or network requests, while verification is usually limited to the number of stars on the marketplace. If there is weak protection inside, aggressive telemetry, or simply poor-quality code, the company gets a new entry point for leaks, errors, and unauthorized changes to workflows. Often such solutions end up in daily work without formal approval and version control.

Where Business Loses

The main risk is the emergence of shadow IT. Employees begin automating processes themselves: writing bots, integrating APIs, creating internal panels, modifying CI scripts, or running client data processing without architectural review. While everything works, this seems like a win for efficiency. But at the moment of an incident, it turns out that no one knows where the code lies, who maintains it, what secrets are buried in it, and what will break if the author leaves or simply stops using it.

• Leakage of keys and internal documents through AI plugins and external APIs
• Vulnerable code in production without proper review and tests
• Automations that bypass role models, audit logs, and security policies
• Increased expenses due to broken integrations, incorrect SQL queries, and downtime
• Legal risks if customer data goes to third-party services without approval

The illusion of competence is especially dangerous. AI often produces a plausible result that looks like a senior-level solution, although it may contain outdated libraries, unsafe patterns, and incorrect assumptions about the environment. For a small task this results in extra hours; for a large company it can be a production incident, compliance violation, or direct financial losses. Errors are discovered not in the editor, but only after running on real data and clients.

How to Reduce Damage

It's impossible to ban AI entirely, so the practical approach is to introduce controls. Companies need a clear list of approved tools, data handling rules, and a basic responsibility model: who can install extensions, which repositories can be sent to external models, where to store tokens, and which scenarios require mandatory IT or security team involvement. Vibe-coding is safer where it is integrated into the process rather than living as a separate gray area within teams.

In practice, this means several mandatory steps: separate corporate accounts for AI services, extension whitelists, secret isolation through vault or environment variables, mandatory review of all code that goes beyond local experimentation, and automation logging. It's also useful to separate prototype and production: an employee can quickly assemble a solution with AI, but deploying it to the production pipeline should be done by people who understand architecture, security, and the cost of maintenance.

If a company is already using AI tools at scale, it's worth conducting an audit: which plugins employees have installed, which external models are connected, who is sending project files where, which scripts are running from the IDE, and how many business processes depend on unmaintained code. Such an audit usually quickly shows that the problem is not with AI itself, but with the lack of rules, observability, and engineering discipline. The earlier such an inventory is done, the cheaper it is to fix the consequences.

What This Means

AI makes development more accessible, but at the same time blurs the boundaries of responsibility. In business, those who win are not those who simply allowed vibe-coding, but those who quickly imposed control over it: clear tools, code review, data protection, and ownership for every automation.