Someone on your team has almost certainly built an app recently without telling you. Maybe it’s a little dashboard for tracking sales enquiries. Maybe it’s a customer-facing form. Maybe it’s an internal tool that pulls data from three spreadsheets and presents it neatly. They built it in an evening. They’re very proud of it. And you’re not sure whether to high-five them or panic.
Welcome to the era of vibe coding.
The term — coined by Andrej Karpathy in early 2025 and named Collins Dictionary’s word of the year that December — describes building software by describing what you want to an AI and accepting the result without necessarily reading the underlying code. Tools like Lovable, Bolt, Replit Agent, v0, Claude Code and Cursor have made this astonishingly easy. Research suggests that around 92 per cent of US developers now use AI coding tools daily, and a startling 46 per cent of all new code written globally is AI-generated.
That’s an enormous productivity shift. It’s also a governance minefield, and for anyone responsible for an ERP or a regulated business system, it’s worth understanding both sides clearly.
Where vibe coding genuinely helps
There’s a useful mental model that Salesforce promotes which we’ve found clarifying. They talk about a “green zone” and a “red zone” for AI-assisted development.
The green zone is where vibe coding shines: user interface prototypes, internal tools, dashboards, visualisations, forms, lightweight extensions — anything short-lived or experimental. The cost of being wrong is low. The value of being fast is high. For these things, vibe coding is a legitimate ten-times productivity uplift.
For an ERP-led business, that translates into some genuinely useful applications. If your operations team needs a quick bolt-on that queries your ERP, summarises the data in a specific way, and presents it for a niche purpose — that’s a great candidate for a vibe-coded app. If your finance team wants a lightweight dashboard that sits alongside the ERP for a specific reporting need, vibe coding can stand it up in an afternoon. If your marketing team wants a landing page with a form that drops leads into HubSpot, same deal.
The common thread is that these are edge-of-the-stack applications. They read from systems of record. They don’t replace them.
Where vibe coding hurts
The red zone is where the trouble starts. This is core business logic, financial data, compliance-sensitive processes, systems integration — anything that multiple teams rely on for a single version of the truth. Running an ERP workflow (general ledger, AP, AR, inventory, job costing) on a vibe-coded substitute is not a productivity win. It’s a liability with a pretty front end.
The evidence is grim. Research from Georgetown CSET found that around 45 per cent of AI-generated code contains exploitable vulnerabilities. A scan by Escape.tech of 5,600 publicly deployed vibe-coded applications found 2,000 critical vulnerabilities, 400 exposed secrets (API keys and access tokens), and 175 instances of exposed personal information — in live, production systems. Georgia Tech’s Vibe Security Radar attributed 35 CVEs to vibe-coded apps in March 2026 alone, up from six in January of the same year.
The security issues compound with something worse: lack of traceability. Enterprise analysts have pointed out that vibe coding produces no design artefact and no documentation. The logic lives inside a conversation nobody else can see. When the original author leaves, or the code needs to be audited, or something breaks at 2am, there’s nothing to reconstruct. That is disqualifying for any system that touches finance, payroll, or customer data.
Compliance sharpens the point further. GDPR, NIS2, BCBS 239, and New Zealand’s Privacy Act 2020 — plus IRD audit requirements and FMA expectations — all require complete traceability of how data is processed. Regulators are not accepting “generated by an AI” as an answer.
And then there’s the “spaghetti code on steroids” problem, as one industry commentator put it. AI-generated code is often verbose and architecturally incoherent, creating technical debt that looks fine in a demo and becomes a nightmare at scale. Tools that democratise building also democratise the creation of problems.
A practical framework for the New Zealand mid-market
Rather than banning vibe coding or embracing it indiscriminately, sensible organisations are drawing a clear line. Here’s the rule we’d suggest, specifically for businesses with ERP-centric operations.
Build on top of your ERP, not around it. A vibe-coded tool that reads from your ERP via an API and presents something useful is an extension. A vibe-coded tool that stores its own data and duplicates what the ERP already holds is shadow IT waiting to hurt you.
Keep systems of record boring. General ledger, inventory, payroll, customer data, job costing — these live in a governed, auditable, vendor-supported platform. They get upgraded, backed up, secured, and audited. They do not get vibe-coded.
Treat vibe-coded tools as prototypes, not production. If something built on a whim turns out to be genuinely useful, it needs to be productionised properly — reviewed, documented, secured, integrated — before it becomes part of how the business actually runs.
Use the good version of this. The major ERP platforms are now shipping AI features that do much of what your team might be tempted to vibe-code anyway — natural-language querying, AI-generated summaries, dashboards, anomaly detection. Most of the time, the answer isn’t “build it yourself”; it’s “turn on what’s already in the product.”
The Verde view
Vibe coding is a genuine leap forward in productivity, and teams who use it well on the right problems are going to out-deliver teams who don’t. But the core of the business still needs to run on an ERP that’s governed, supported, auditable, and properly implemented. That’s not an either/or. It’s an and.
If your organisation is wrestling with where to draw the line — what to build, what to buy, what to vibe — we can help. Verde Group works with mid-market New Zealand businesses on ERP strategy, implementation, and the increasingly important question of how to integrate AI sensibly without losing the foundation underneath.
Get in touch for a readiness assessment, or just a straight-talking conversation about where you are and where you’re heading.