
The Vibe Coding Reckoning Is Here

46% of code is now AI-generated. The scaling failures, security breaches, and cost explosions are no longer hypothetical. Here's what the data says.

In February 2025, OpenAI co-founder Andrej Karpathy coined the term “vibe coding” — writing software by prompting AI and accepting whatever it generates with minimal review. Fourteen months later, the consequences are showing up everywhere: in crash reports, AWS invoices, and security audits.

This isn’t speculation. The data is in.

Half of all code is now AI-generated

GitHub’s own research shows that AI writes roughly 46% of code in the average developer’s workflow. In Java projects, that number hits 61%. A large-scale empirical study covering 4.2 million developers found that 26.9% of production code is now AI-authored — and that’s only counting what can be traced.

Meanwhile, 90% of Fortune 100 companies use GitHub Copilot. Developers complete tasks 55.8% faster with AI assistance. The productivity gains are real.

But so is the wreckage.

The three crises

1. The Scaling Wall

AI agents build features in isolation. They optimize for “it compiles,” not “it scales.” Each prompt is treated as its own universe — no awareness of how a new component interacts with existing architecture, state management, or data flows.

The result is what we call the Scaling Wall: the point where a vibe-coded MVP collapses under real user traffic.

Industry estimates suggest roughly 10,000 vibe-coded startups require partial or full rebuilds. 25% of Y Combinator’s Winter 2025 batch had codebases that were 95%+ AI-generated. The estimated cleanup cost across the ecosystem: $400 million to $4 billion.

Teams that ignore compounding technical debt experience 50–70% velocity drops — the exact opposite of the speed advantage that attracted them to AI tools in the first place.

2. Invisible cost spirals

AI-generated code optimizes for functionality, not infrastructure efficiency. The patterns are consistent and predictable:

One startup documented a $47,000 AWS bill after 90 days of AI-managed pipelines — up from a $3,200/month baseline. Another found $147,000 in annual waste hiding in code that passed every review.

Nobody catches infrastructure waste at code review time. It shows up on the invoice.

3. Security by accident

This is the most dangerous crisis because it’s the least visible.

A March 2026 study testing six major LLMs against OWASP Top 10 found that 25.1% of AI-generated code contained confirmed vulnerabilities. SQL injection appeared in 31% of projects. XSS in 27%. Broken authentication in 24%.

Georgia Tech researchers tracked a dramatic spike in AI-attributed CVEs: from 2 in August 2025 to 35 in a single month by March 2026. Over that 10-month window, 74 confirmed CVEs were traced to AI-authored code. Researchers estimate the real number is 5–10× higher.

Veracode’s Spring 2026 report shows the security pass rate for AI-generated code has stalled at 55% — essentially unchanged since 2023 despite massive improvements in syntax correctness. The models got better at writing code that works. They didn’t get better at writing code that’s safe.

Taken together, these studies imply that many vibe-coded applications ship with at least one security issue serious enough to warrant remediation before scale.

The gap nobody’s filling

The developer tools market is $58 billion and growing. There’s no shortage of tools that solve individual pieces: Snyk for security, SonarQube for code quality, AWS Trusted Advisor for cost. The DevSecOps segment alone is approaching $12 billion.

But none of these tools answer the question that actually matters: what do I fix first?

A founder staring at 200 security warnings, a growing AWS bill, and a codebase that breaks under load doesn’t need more alerts. They need a prioritized path forward — ranked by business impact, not severity labels.

That’s the gap. Security tools tell you what’s vulnerable. Cost tools tell you what’s expensive. Code quality tools tell you what’s messy. Nobody tells you which of those things will kill your company first.

What comes next

The vibe coding era isn’t ending. AI-assisted development is only accelerating — the tools are getting faster, the adoption is near-universal, and the productivity gains are too significant to ignore.

What’s ending is the grace period. The first wave of vibe-coded MVPs is hitting production. Users are scaling. Audits are happening. Bills are arriving.

The startups that survive this transition won’t be the ones that stop using AI. They’ll be the ones that add an intelligence layer between what AI generates and what actually ships — something that can see the full picture, surface what’s breaking, and tell you where to spend your limited engineering hours.

That’s what we’re building with Cortex.


Sources linked throughout. All data points referenced are from publicly available research published between 2025–2026.
