Full Report
Vibe Coding is the practice of using an AI-assisted programmer to write all of the code without paying attention to whether it's correct or not. So, what's the term for a seasoned professional who uses AI to accelerate their work? Productivity with LLMs on non-toy projects is actually very hard to do correctly. The author proposes that we call this vibe engineering. LLMs actively reward existing top-tier software engineering practices. By forcing the LLM to write tests, you can quickly figure out whether something works or not. A good test suite benefits both the AI and your sanity about the code. Another way to do better is to plan in advance: providing the AI with a detailed plan of how you want a particular task done significantly enhances the output. Comprehensive documentation greatly helps AI. Whether it's a subset of a codebase, documentation for a library, or something else, allowing the LLM to read relevant documentation goes a long way. LLMs are apparently amazing at Git; they can navigate the history to find the origin of bugs. Effective automation has a good impact as well: linters and CI/CD help find bugs quickly. The most important thing to me is a culture of code review at the company. This makes sure bad code isn't added at the organizational level. At a personal level, this means reviewing the code that the LLM writes for bugs and correctness. A good article on what needs to be done well in order to make good use of LLMs when programming.
Analysis Summary
# Best Practices: Agentic Engineering (Vibe Engineering)
## Overview
These practices address the security and reliability risks associated with "Vibe Coding"—the irresponsible use of AI-generated code. By shifting to **Agentic Engineering**, professionals use LLMs as high-speed accelerators under strict human accountability, ensuring that generated code is secure, maintainable, and verified against functional requirements.
## Key Recommendations
### Immediate Actions
1. **Mandate Code Reviews:** Implement a "No-Merge-Without-Human-Review" policy for all AI-generated code to catch logical errors and security vulnerabilities.
2. **Enforce Linting & Formatting:** Standardize code quality by using automated linters (e.g., ESLint, Ruff) to immediately identify syntactical issues or "hallucinated" code patterns.
3. **Use Git for Traceability:** Commit often with clear messages to allow for rapid rollbacks and the use of `git bisect` to find the origin of AI-introduced regressions.
### Short-term Improvements (1-3 months)
1. **Develop a Robust Test Suite:** Transition to a Test-First approach. Use LLMs to generate unit and integration tests *before* writing logic to provide the agent with a "success" definition it can verify itself.
2. **External Context Injection:** Create and maintain comprehensive documentation. Feed relevant documentation and API schemas into the LLM context to prevent it from guessing (and hallucinating) library behaviors.
3. **CI/CD Integration:** Automate the execution of security scanners and test suites within the CI/CD pipeline to catch bugs before they reach staging environments.
### Long-term Strategy (3+ months)
1. **Agentic Workflow Standardization:** Establish a formal "Management" style for coding agents, treating them as specialized junior engineers who require detailed plans (RFCs) and iterative feedback loops.
2. **Advanced Debugging Mastery:** Train staff in AI-assisted debugging techniques, such as using LLMs to navigate Git history and perform root-cause analysis on complex, multi-agent builds.
## Implementation Guidance
### For Small Organizations
- Focus on **testing and review**. With fewer developers, the risk of unreviewed "vibe code" is high. Use coding agents like Claude Code or Gemini CLI to handle repetitive tasks, but keep a lead developer as the final gatekeeper.
### For Medium Organizations
- Implement **automated guardrails**. Introduce mandatory CI/CD checks and centralized documentation stores that LLMs can index to ensure consistency across different projects.
### For Large Enterprises
- Establish a **culture of Agentic Engineering**. Move away from ad-hoc usage toward a structured management framework where humans orchestrate multiple agents in parallel, supported by rigorous code review cultures and global security standards.
## Configuration Examples
*While specific code was not provided in the text, the following configuration "best practices" align with the author’s recommendations:*
- **Git-focused Workflow:**
```bash
# Use AI to troubleshoot regressions via history
git bisect start
git bisect bad HEAD
git bisect good [last_known_stable_commit]
# Ask Agent: "Analyze the diffs between these periods to find the bug"
```
- **Test-Driven Loop:**
1. Prompt: "Write a test suite for [Feature] based on [Security Specs]."
2. Prompt: "Generate code that passes these tests."
3. Prompt: "Fix failures until 100% pass."
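The bisect workflow above still relies on someone (or an agent) reading diffs to decide which commits are good. The following is an added example, not code from the original article, that lets `git bisect run` make that decision from an executed test command, which is the check a reviewer would want before accepting an agent's root-cause claim. The repository, its six-commit history and the `check.sh` test script are constructed in a temporary directory for the demo; `make_demo_repo` and `find_regression` are names chosen here.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): drive `git bisect` with a
# test command so the first bad commit is found by executed checks, not by
# trusting a reading of the diffs. Everything below is constructed for the demo.
set -euo pipefail

# Build a throwaway repo with six commits; commit 4 introduces the regression
# (check.sh starts exiting non-zero, which is how a failing test looks to bisect).
make_demo_repo() {
  local dir i
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email "demo@example.invalid"
  git -C "$dir" config user.name "demo"
  for i in 1 2 3 4 5 6; do
    if [ "$i" -ge 4 ]; then
      printf 'exit 1\n' > "$dir/check.sh"   # regression: the test fails from here on
    else
      printf 'exit 0\n' > "$dir/check.sh"   # healthy: the test passes
    fi
    printf 'change %s\n' "$i" > "$dir/notes.txt"   # keeps every commit non-empty
    git -C "$dir" add check.sh notes.txt
    git -C "$dir" commit -q -m "commit $i"
  done
  printf '%s\n' "$dir"
}

# Bisect between the root commit (known good) and HEAD (known bad) and print
# the subject line of the first bad commit.
find_regression() {
  local dir=$1 root first_bad
  root=$(git -C "$dir" rev-list --max-parents=0 HEAD)
  git -C "$dir" bisect start HEAD "$root" >/dev/null
  # bisect run treats exit 0 as good and any other status (except 125) as bad.
  git -C "$dir" bisect run sh check.sh >/dev/null 2>&1
  # When the run finishes, refs/bisect/bad points at the first bad commit.
  first_bad=$(git -C "$dir" rev-parse refs/bisect/bad)
  git -C "$dir" log -1 --format=%s "$first_bad"
  git -C "$dir" bisect reset >/dev/null 2>&1
}

repo=$(make_demo_repo)
echo "first bad commit: $(find_regression "$repo")"
rm -rf "$repo"
```

In a real project the `sh check.sh` argument becomes the project's own test command (for example the unit test that the agent was asked to write first); the agent's job is then to explain the commit bisect identifies, not to guess which commit it was.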
## Compliance Alignment
- **NIST SSDF (Secure Software Development Framework):** Aligns with "Produce Secure Software" by emphasizing automated testing and code review.
- **CIS Controls:** Specifically Control 16 (Application Software Security) through the use of automated linting and CI/CD.
- **ISO/IEC 27001:** Supports documentation and version control requirements for information security management.
## Common Pitfalls to Avoid
- **Implicit Trust:** Assuming that because code "looks" right or "vibrates" correctly, it is secure.
- **Context Starvation:** Not providing the LLM with enough documentation, leading to "hallucinated" APIs or insecure workarounds.
- **Neglecting the Human Element:** Treating LLMs as a replacement for engineering judgment rather than a productivity multiplier.
## Resources
- **Claude Code:** hxxps://claude[.]ai/product/claude-code
- **OpenAI Codex CLI:** hxxps://github[.]com/openai/codex
- **Gemini CLI:** hxxps://github[.]com/google-gemini/gemini-cli
- **Git Bisect Documentation:** hxxps://git-scm[.]com/docs/git-bisect