Engineering | 15 May 2026 | 8 min read

Why Vibe-Coded Apps Fail in Production

AI tools generate working prototypes in hours. But “it works on my laptop” is not the same as “it handles 500 concurrent users without losing data.”

Vibe coding — building software by describing what you want to an AI tool like Cursor, Bolt, or v0 — has changed how prototypes get built. What took weeks now takes hours. The problem is not the speed. The problem is what gets skipped.

I review vibe-coded applications every week. Some are impressive. Most are dangerous. Not because the developers did anything wrong, but because AI tools optimise for “it runs” — not for “it survives real users, real data, and real attackers.”

Here are the six gaps I find in almost every AI-generated codebase.

1. Security is an afterthought

AI-generated code frequently contains hardcoded API keys, SQL injection vectors, missing authentication checks, and insecure dependencies. The AI does not think about security because you did not ask about security. It optimises for the feature you described, not the attack surface you created.

In one recent review, a Cursor-built application stored user passwords in plain text, had an admin endpoint with no authentication, and used a 3-year-old npm package with a known remote code execution vulnerability. The demo looked perfect.
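The two code-level findings from that review (plain-text passwords and an admin endpoint with no authentication), each shown before and after hardening. This is an added example for Node.js, not code from the reviewed application; every function name and the in-memory `Map` standing in for a database are assumptions.

```javascript
// Added example. All names are hypothetical; the "database" is an in-memory Map.
const crypto = require('node:crypto');

const KEY_LEN = 32; // bytes of scrypt output stored per user

// BEFORE (as found in the review): the password is stored exactly as typed.
function registerPlain(users, name, password) {
  users.set(name, { password, role: 'user' });
}

// AFTER: store a per-user random salt and the scrypt hash, never the password.
function register(users, name, password, role = 'user') {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, KEY_LEN);
  users.set(name, { salt: salt.toString('hex'), hash: hash.toString('hex'), role });
}

// Returns a session object on success, null on any failure.
function login(users, name, password) {
  const rec = users.get(name);
  if (!rec || !rec.salt || !rec.hash) return null; // unknown user or legacy plain record
  const expected = Buffer.from(rec.hash, 'hex');
  if (expected.length !== KEY_LEN) return null; // malformed record
  const actual = crypto.scryptSync(String(password), Buffer.from(rec.salt, 'hex'), KEY_LEN);
  // Constant-time comparison so the check does not leak how many bytes matched.
  return crypto.timingSafeEqual(actual, expected) ? { userId: name, role: rec.role } : null;
}

// BEFORE: the admin route answers anyone who knows the URL.
function adminListUnsafe(req, users) {
  return { status: 200, body: [...users.keys()] };
}

// AFTER: deny by default; the role comes from the server-side session,
// never from a header, query parameter or request body.
function adminList(req, users) {
  const s = req.session;
  if (!s || !s.userId) return { status: 401, body: 'authentication required' };
  if (s.role !== 'admin') return { status: 403, body: 'forbidden' };
  return { status: 200, body: [...users.keys()] };
}
```

In a real service the `req.session` object would come from the framework's session middleware, and records written by `registerPlain` would need a forced password reset, since `login` refuses them.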

2. No error handling

When everything works, AI-generated code looks clean. But production is not “everything works.” Production is: the database connection drops, the API returns a 500, the user uploads a 200MB file, the browser has JavaScript disabled, the payment gateway times out.

Most vibe-coded apps have zero structured error handling. When things fail, they fail silently — losing data, showing blank screens, or crashing with stack traces visible to users.

3. Zero test coverage

AI tools rarely generate tests. This means every change is a gamble. You fix a bug on the checkout page and accidentally break the registration flow. Nobody knows until a customer complains — or worse, leaves silently.

Production-ready applications need unit tests, integration tests, and end-to-end tests. Not for perfectionism — for confidence. Tests let your team ship changes without fear.

4. No deployment pipeline

“I deploy by pushing to main” is not a deployment strategy. It is a prayer. Without CI/CD (continuous integration and deployment), there is no automated testing before release, no rollback if something breaks, and no audit trail of what changed when.

5. Performance bottlenecks hidden under low traffic

Your prototype is fast because it has one user: you. Add 100 concurrent users and the N+1 database queries, unoptimised images, missing caching, and memory leaks reveal themselves. I have seen vibe-coded apps that respond in 200ms for one user and 30 seconds for fifty.

6. No monitoring or observability

If your application is down and you find out from a customer email, you have no observability. Production systems need health checks, error alerting, performance metrics, and logging. Without them, you are flying blind.

The fix: production hardening, not rebuilding

The good news is that most vibe-coded prototypes do not need to be thrown away. About 60% of the applications I review can be hardened — the core logic is sound, it just needs the production discipline that AI tools skip.

At SelectWise, we offer a Prototype to Production service that starts with a 48-hour code review. You get a scored assessment of your codebase with specific findings, an honest recommendation on whether to harden or rebuild, and a clear cost and timeline estimate.

If your team built the prototype and you want ongoing technical oversight, a fractional CTO ensures the same gaps do not reopen in future development.

Frequently asked questions

Is vibe-coded software safe for production?

Not without review. AI-generated code often has security vulnerabilities, missing error handling, and no tests. It needs professional hardening before handling real users and data.

How much does it cost to fix a vibe-coded app?

Production hardening typically costs 30-60% of what a full rebuild would cost. A code review to assess the damage takes 48 hours and gives you a clear scope and budget.

Should I rebuild or fix my AI-generated prototype?

It depends on the severity. About 60% of prototypes we review can be hardened. The rest need partial or full rebuilds. An honest assessment saves you from wasting money on the wrong approach.

Not sure if your prototype is production-ready?

Send us your code. 48-hour review, honest assessment, no obligation.

Jan Sevcik
Technology Advisor at SelectWise. 22 years in enterprise technology, now helping SMEs make better technology decisions.