You shipped fast. That's the whole point of vibe coding — describe what you want, get working code, iterate in hours instead of weeks. The AI delivered. And somewhere in that beautiful, functional-looking app, it quietly handed an attacker the keys.

According to a 2024 Stanford HAI report, 45% of AI-generated code contains at least one security vulnerability. This isn't about edge cases or obscure attack vectors. These are the basics: broken authentication, exposed secrets, SQL injection, missing security headers. The AI wrote them wrong because it was trained to produce code that *looks* correct — not code that's been battle-tested in production.

The most common vulnerability we see is broken authentication. The AI implements JWT tokens, but forgets to set an expiry. Or it validates the token signature but not the claims. Or it checks authentication on 11 out of 12 routes because the context window ran out before the last one. In every case, the demo works perfectly. The hack is trivial.

Second on the list: exposed secrets. API keys in the frontend JavaScript. Environment variables hardcoded in source files. AWS credentials committed to GitHub. The AI learned from codebases that include these things, so it reproduces the pattern without hesitation. One scanned SaaS had its Stripe webhook secret directly in a Next.js API route comment, labeled 'for testing.' It had been in production for four months.

Third: SQL injection and ORM misuse. When AI generates database queries, it often skips parameterized queries in favor of string concatenation — because that's faster to write and more common in the training data. The result is textbook 1998-era SQL injection, wrapped in a 2024 UI that looks perfectly modern.

Security headers are almost universally missing. No Content-Security-Policy. No Strict-Transport-Security. No X-Frame-Options. These are five-minute fixes that dramatically reduce the attack surface. The AI doesn't add them because they don't affect whether the app *works* in development — so they're rarely in the training examples either.

The solution isn't to stop using AI tools. They're genuinely useful, and the speed advantage is real. The solution is to treat AI-generated code the way you'd treat code from an enthusiastic but inexperienced junior developer: review it, audit it, and fix the security gaps before they become production incidents. That's exactly what we do.