Vibe Coding One Year Later: From Vibes to Engineering

On February 4, 2026, exactly one year after coining the term "vibe coding," Andrej Karpathy posted a thread on X that effectively retired his own creation. After a year of watching the term spread through every Slack channel, conference keynote, and venture capital pitch deck on earth, the man who started it all said it was time for something better. His new term: "agentic engineering." His reasoning was characteristically precise: the technology had matured, the workflows had professionalised, and the casual "give in to the vibes" framing no longer captured what serious teams were actually doing.

We have been writing about vibe coding since June 2025, when the tools first landed and the promise felt electric. We wrote about the honeymoon ending in November, when the METR study proved experienced developers were 19% slower with AI tools and VeraCode found 45% of generated code had security vulnerabilities. Now, in March 2026, we have a full year of data, a transformed landscape, and a much clearer picture of what AI-assisted development actually is, and what it is not.

What Happened in the Last Year

The numbers are staggering. As of early 2026, 41% of all code pushed to production globally is AI-generated. 92% of US developers use AI coding tools daily. Lovable, the platform we first wrote about as a promising newcomer, raised $330 million at a $6.6 billion valuation with NVIDIA, Salesforce, and Databricks on the cap table. Over 25 million projects have been created on the platform. The AI coding tools market hit an estimated $4.7 billion in 2026. Collins Dictionary named "vibe coding" their Word of the Year for 2025.

By any measure, adoption has exceeded even the most optimistic projections. The technology works. People are using it. Software is being built faster than ever before. But here is what also happened: the consequences of building without understanding caught up with the industry.

The Incidents That Changed the Conversation

In our November article, we flagged the Tea dating app breach and the SaaStr database deletion as early warning signs. Since then, the pattern has repeated and escalated. In December 2025, security researcher Etizaz Mohsin discovered a critical flaw in the Orchids vibe coding platform and demonstrated it live for BBC News. CodeRabbit’s December analysis of 470 open-source GitHub pull requests found that AI co-authored code contained 1.7 times more major issues than human-written code, including 2.25 times more business logic bugs, 75% more misconfigurations, and 2.74 times higher rates of security vulnerabilities.

Security researchers identified a pattern across nearly every incident from January 2025 through early 2026: the same preventable root causes kept appearing. Misconfigured Firebase databases. Missing Supabase Row Level Security. Hardcoded API keys. Exposed cloud backends. These are not sophisticated exploits. They are the basics that any competent security review would catch, and that vibe-coded applications systematically miss because the entire premise is that nobody reads the code.

A new attack vector has also emerged that nobody predicted: slopsquatting. Researchers discovered that AI models hallucinate package names, confidently recommending libraries that do not exist. Attackers figured this out and started registering those hallucinated names on npm and PyPI, filling them with malware. In 2025, the "Shai-Hulud" supply chain attack compromised over 40 npm packages and earned a CISA alert. Anyone blindly accepting AI-generated dependency lists was installing malware.

Even Karpathy Stopped Vibe Coding

Perhaps the most telling moment of the past year came when Karpathy himself released Nanochat, a minimal ChatGPT clone built in about 8,000 lines of Python and Rust. When developers on Hacker News asked about his process, he admitted the project was "basically entirely hand-written" because he "tried to use Claude/Codex agents a few times but they just didn’t work well enough at all and [were] net unhelpful."

The person who coined vibe coding, when building something he actually cared about, chose not to vibe code it. That tells you everything you need to know about where the technology sits for serious work.

The Shift to Agentic Engineering

Karpathy’s reframing matters because it captures what the most effective teams have been doing for months. As he put it: "’Agentic’ because the new default is that you are not writing the code directly 99% of the time, you are orchestrating agents who do and acting as oversight. ’Engineering’ to emphasise that there is an art and science and expertise to it."

The distinction between vibe coding and agentic engineering is not semantic. It is structural. Vibe coding meant accepting AI output without reading it. Agentic engineering means directing AI agents within a disciplined process: define the architecture, scope the task, let the agent build, review the output, validate against tests, and iterate. The human does not write the code. But the human understands the code, owns the architecture, and verifies the result.

Google Engineering Director Addy Osmani captured the tension in a February 2026 blog post, noting that "vibe coding" had become a suitcase term used to describe everything from a weekend hack to a disciplined agent-driven workflow. These are fundamentally different activities. Simon Willison proposed "vibe engineering" as a middle ground, but as Osmani observed, "when you tell a CTO you’re ’vibe engineering’ their payment system, you can see the concern on their face."

What Our Own Experience Has Taught Us

At Xavarro, we have now been building with AI coding tools for over a year. Claude, Cursor, and a range of other tools are embedded in our daily workflow. Every major project we have shipped since mid-2025 has involved AI-assisted development. Here is what a year of experience has crystallised for us.

The productivity gain is real, but it is not where most people expect it. The biggest value is not in the first draft of new code. It is in the unglamorous work: generating boilerplate, scaffolding test suites, writing documentation, refactoring existing code, and automating the repetitive tasks that drain developer time. For that work, AI tools save us hours every week. The estimate we cited in November of 30 to 40% velocity improvement on initial builds has held up.

But we also learned the hard way what the METR study measured: on complex, multi-file changes to existing codebases, AI tools can slow you down. The output looks right. It compiles. The tests pass. Then you discover a subtle architectural decision that conflicts with something three files away, and you spend an hour unwinding what the AI built in five minutes. The net gain is smaller than the perceived gain, and sometimes it is negative.

The rule we follow now: AI writes the first draft. A human who understands the system reviews every line before it touches production. We treat AI output the way a senior developer treats a junior developer’s pull request – with respect for the effort and rigour in the review. This is agentic engineering in practice.

The Honest Scorecard, Updated

In November we graded vibe coding across five use cases. Here is how those grades have shifted after another five months of evolution:

• •Prototyping and validation: A+ – unchanged. This remains the highest-value use case. The tools are even better here than they were in November.
• •Internal tools and dashboards: A- – up from B+. Platform improvements, especially Lovable’s security scanning and improved Supabase integration, have closed some gaps.
• •Production web applications: B- – up from C. With agentic engineering practices (human review, test-driven development, security scanning), production use is viable for many applications.
• •Applications handling sensitive data: C – up from D. The security tooling has improved, but the fundamental gap between generating functional code and generating secure code persists.
• •Complex, multi-system integrations: D+ – up from F. Improvements in context window size and multi-file reasoning have helped, but the complexity ceiling is still real.

Where This Goes From Here

McKinsey reports that 65% of organisations are now regularly using generative AI, nearly double from ten months prior. Gartner’s forecast of 40% of enterprise applications integrating AI agents by end of 2026 is on track. The trajectory is not in question. The question is how the industry navigates the gap between what the tools can generate and what production systems require.

We think the answer is exactly what Karpathy described: treating AI-assisted development as engineering, not vibes. The teams that are thriving with these tools are the ones that have built processes around them. Architecture before generation. Tests before code. Review before merge. Security before deployment. The AI handles the execution. The human handles the thinking.

One year ago, we said the vibes were real. They still are. The tools are more capable, the ecosystem is more mature, and the results, when achieved responsibly, are genuinely transformative. But the year has also taught us something Karpathy himself demonstrated by hand-writing his own project: the most powerful development tool is still the developer who understands what they are building.

From vibes to engineering. That is the journey. We are glad the industry is making it.