20.06.2026
3 min
21
The UK’s National Cyber Security Centre (NCSC) has urged developers not to blindly trust code generated by artificial intelligence. The agency warns that without proper review and validation, AI-generated code can introduce serious security risks and make software systems more difficult to maintain and audit over time.
According to the agency, the increasingly popular development approach known as “vibe coding”, where AI generates most of the code with minimal human oversight, can introduce hidden vulnerabilities. The concern goes beyond potential security flaws. Over time, such projects may evolve into complex and difficult-to-understand systems that become challenging even for their own developers to maintain.
However, the NCSC stresses that AI-assisted coding should not be viewed as a threat in itself. Much depends on the purpose of the software being developed. When creating a prototype or proof-of-concept application for demonstrations or stakeholder presentations, the associated risks remain relatively low.
The situation changes when developers build authentication systems, services that handle credentials or secret tokens, or applications that process sensitive information. In these cases, a single flaw in the code can have far more serious consequences.
“The risk is not in using AI. The risk is in failing to apply appropriate safeguards when the stakes are high. It’s about recognizing that different types of code require different levels of care and oversight,” the NCSC explained.
British cybersecurity experts note that using AI to develop software is entirely acceptable, even in cybersecurity environments or projects that process personal data. However, every piece of AI-generated code should be carefully reviewed. Developers need to understand how the code works, manually check it for vulnerabilities, and investigate anything that appears unexpected or unclear.
The agency also pointed out that AI models are improving rapidly and becoming increasingly capable. Nevertheless, current technology has not yet reached a point where AI-generated code can be fully trusted in critical systems.
“Over time, we may place greater trust in vibe coding as models become more reliable and their outputs more dependable. But we are not there yet. Calibrate your approach based on today’s reality, not tomorrow’s potential,” the agency concluded.
