The head of the UK’s National Cyber Security Centre (NCSC) has just delivered a stark message to businesses: artificial intelligence is changing the way software gets built, and if you are not paying attention, it could leave your organisation exposed.
Speaking at the RSA Conference in San Francisco on 24 March 2026, NCSC chief executive Richard Horne called on businesses and the wider security community to get ahead of a fast-growing trend known as “vibe coding” — before it becomes a serious liability.
What Is Vibe Coding?
Vibe coding is a term for using AI tools to write software with little or no human oversight. Instead of a developer writing each line of code by hand, they describe what they want in plain English, and an AI tool generates the code for them.
The appeal is obvious. Tasks that used to take days can be done in hours. The NCSC itself highlighted a case where a startup, faced with a software renewal quote that had doubled in price, simply asked an engineer to vibe code a replacement. The core functionality was rebuilt in a couple of hours.
For small and medium-sized businesses watching every pound, this kind of speed and cost saving is hard to ignore.
Why the NCSC Is Concerned
The problem, according to the NCSC, is that AI-generated code can be unreliable, difficult to maintain, and prone to security flaws. When nobody reviews the code before it goes live, vulnerable systems can end up being deployed without anyone realising.
Richard Horne put it plainly: “The AI tools we use to develop code must be designed and trained from the outset so that they do not introduce or propagate unintended vulnerabilities.”
The NCSC’s accompanying blog post went further, stating that code produced by AI currently presents “intolerable risks” for many organisations. That is not a phrase used lightly by the government’s own cyber security authority.
Key takeaway: AI can write code quickly, but speed without security review is a recipe for problems. The NCSC says the risks are currently intolerable for many organisations.
What Could Go Wrong?
For a non-technical business owner, the risks might not be immediately obvious. Here are the main concerns the NCSC has raised:
- Hidden vulnerabilities. AI models can produce code that contains known security weaknesses. If nobody checks the output, those weaknesses go straight into your live systems.
- Supply chain risks. AI tools can sometimes reference software libraries or components that do not actually exist. Attackers can exploit this by creating malicious packages with those names, which then get pulled into your systems.
- False confidence. Because AI-generated code often looks professional and well-structured, there is a temptation to trust it without proper review. This creates a dangerous blind spot.
- Maintenance headaches. Code that no human fully understands is code that is very difficult to fix when something goes wrong.
It Is Not All Bad News
The NCSC’s message was not simply “stop using AI.” In fact, Horne described vibe coding as a “huge opportunity” and said the agency sees “glimpses of a new paradigm” in how software could be developed more securely.
The argument is that if AI tools are trained properly, they could actually produce software that is more secure than what humans typically write. After all, human developers have been making the same types of security mistakes for decades. Well-designed AI could, in theory, avoid those mistakes altogether.
The NCSC compared the current moment to the early days of cloud computing around 20 years ago — a shift that felt risky at the time but ultimately transformed how businesses operate.
What Should UK Businesses Do Now?
The NCSC has set out several practical recommendations. While some are aimed at the technology industry itself, the principles apply to any business considering AI-generated software:
- Do not skip the review. Treat AI-generated code with the same scrutiny you would apply to any software. If you are commissioning development work, ask your supplier how they are reviewing AI-produced code.
- Ask about security by default. Any AI coding tools your team uses should be configured to produce secure code as standard, not as an afterthought.
- Use automated testing. The NCSC recommends using automated tools to check AI-generated code for vulnerabilities before it goes live.
- Verify before you trust. Adopt what the NCSC calls a “trust but verify” approach. AI output should be checked for hidden backdoors or insecure patterns.
- Secure your hosting. Make sure the platforms running AI-generated applications are properly sandboxed and protected, so that even if code is flawed, the damage is contained.
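For whoever manages your IT, the supply chain risk described earlier (AI tools naming libraries that do not exist) is one place where “verify before you trust” can be automated. The following is an added example, not code from the NCSC or from this article: a small Python check that holds back any dependency an AI tool proposes unless it is on a list your organisation has already vetted and is pinned to an exact version. The approved list, the sample file and the package names in it are constructed for illustration.

```python
import difflib
import re

# Constructed sample: packages the organisation has already vetted (assumption).
APPROVED = {"requests", "cryptography", "flask", "sqlalchemy"}

# Constructed sample: a requirements file as an AI assistant might propose it.
SAMPLE = """\
# web app dependencies
requests==2.32.3
flask>=3.0
reqeusts==1.0.0
fastjsonvalidate-pro==0.4.1
cryptography[ssh]==43.0.1 ; python_version >= "3.9"
"""
# name, optional [extras], then the version specifier and any marker
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")


def normalise(name):
    """PEP 503 name normalisation: case-insensitive, runs of -_. are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text, approved):
    """Return (line_no, package, reason) for every entry needing human review."""
    approved = {normalise(n) for n in approved}
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = REQ_LINE.match(line)
        if not match:
            findings.append((line_no, line, "unparseable entry"))
            continue
        name = normalise(match.group(1))
        spec = match.group(3).split(";", 1)[0].strip()  # ignore environment marker
        if name not in approved:
            # A near-miss of a vetted name is the classic look-alike package.
            close = difflib.get_close_matches(name, approved, n=1, cutoff=0.8)
            reason = f"looks like approved '{close[0]}'" if close else "not on approved list"
            findings.append((line_no, name, reason))
        elif not spec.startswith("=="):
            findings.append((line_no, name, "version not pinned with =="))
    return findings

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE, APPROVED):
        print(*finding, sep=": ")
```

Run as a step before code is merged, a non-empty result means a person looks at the dependency before anything is installed.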
The Bigger Picture for SMEs
This matters because the software your business relies on is increasingly likely to have been built, at least in part, by AI. Whether it is a bespoke internal tool, a customer-facing application, or a third-party service you subscribe to, AI-generated code is becoming part of the supply chain.
The February 2026 “SaaSpocalypse” — a sharp wobble in US tech stock values driven by fears that AI will undermine the traditional software-as-a-service model — showed just how quickly this landscape is shifting.
For UK business owners, the practical step is straightforward: have a conversation with whoever manages your IT about how AI-generated code is being used in your organisation, and whether appropriate safeguards are in place.
Bottom line: Vibe coding is here to stay. The businesses that benefit most will be those that embrace the opportunity while taking the NCSC’s security guidance seriously.
If you are unsure whether your current IT setup accounts for the risks of AI-generated software, it is worth getting a professional review of your security posture before adopting new tools.