Who said coding couldn’t be fun?

As AI coding companions flood the market, so-called “vibe coding” has taken the tech world by storm. The tools have allowed developers to create code from natural language prompts, rather than writing it themselves, permitting easier prototyping and development with more creative freedom. They don’t come without risk, however, experts told CIO Upside.

“You don’t necessarily have to approach coding as before, in which you have to plan how you’re going to design something and figure out all the steps beforehand,” said Alejandro Castellano, CEO of Caddi. “Now you can have the support of AI to help you navigate.”

While that support can lead novice developers astray with hallucinations, many firms are fixating on AI-powered coding tools to generate returns on their eye-popping AI investments:

• Anysphere, the developer of the popular coding app Cursor, was reportedly in talks to raise funding at a valuation of nearly $10 billion in March.
• And after toying with the idea of buying Anysphere, OpenAI announced last week that it would instead acquire its competitor, AI coding platform Windsurf, for $3 billion.
• Though major commercial AI models can write code with ease, these tools in particular offer an easy workflow integration that typical chatbots don’t have, said Castellano. “The success is in making that interaction with developers seamless.”

It makes sense that tech firms and enterprises are drawn to vibe coding: The tools give developers the ability to automate large portions of tedious grunt work that would otherwise take hours, said Denis Ignatovich, co-founder and co-CEO of Imandra. For novice developers, meanwhile, the tech lowers the barrier to entry for coding. “It offers the ability to get something working really quickly,” said Ignatovich.

It also allows more advanced developers to play around a bit, since AI tools can offer multiple ways to solve a problem before users have to do the work themselves, Castellano said. “It most benefits people that have good engineering experience,” he added. “This just makes them way faster.”

But the vibes aren’t all of the “feel good” sort. If used to write large amounts of code, models may hallucinate an output with pitfalls that put your enterprise’s data and systems at risk, Castellano warned.

Because of that, they can be a double-edged sword when wielded by novices, said Castellano: Inexperienced developers may not be able to see the risks as they come up, and may trust the outputs blindly.

“If you’re expecting to have production-level software just by vibe coding, without having the right experience, that’s quite dangerous,” he said. “How are you making sure that your system actually protects data the way it should?”

It’s why the best use cases for AI coding companions aren’t production-level or critical context coding, said Castellano, but rather prototyping and experimentation. “It’s really useful for getting something out there and putting your vision onto a screen.”

Phishing attacks are using better bait.

Last week, attackers were able to send emails to recipients that appeared to be from Google’s systems, leading the victims to a fraudulent page that collected login information. The hacker was able to send messages that appeared to be from a “no-reply@google.com” email address, passing authentication and verification checks.

The incident highlights the growing sophistication of phishing attacks, which are benefiting from an expanding arsenal of AI tools to make them appear even more legitimate, said Jan Miller, CTO of Threat Analysis at OPSWAT. The shift to cloud has also given hackers a larger surface area of attack, he said.

“The Google attack really showed that just authenticating the sender is not enough,” said Miller. “You need to really inspect the content as well.”

With the growing sophistication of such attacks, how can enterprises avoid falling victim? There are a few useful tactics, said Miller:

• One is “sandboxing,” or a security practice that allows for the examination of suspicious content without the risk, Miller said. This could look like image or text analysis to catch details in the content of a phishing email that may otherwise be missed. “In addition to the authentication, you also need dynamic analysis and content inspection.”
• Another is applying the principles of “zero trust,” he said. As the name implies, this security framework relies on never trusting any user, device or application, and requiring constant verification.
• For example, OPSWAT will “sanitize” URLs that it comes across to redirect to a cloud service, where AI analysis is performed to ensure the integrity of a link.

“While the sophistication of the phishing attack is becoming multi-step, these model analysis pipelines are becoming more sophisticated as well to counter that,” said Miller. “It’s kind of like a battle of technologies.”

At a certain point, however, there’s bound to be someone in your organization who clicks the wrong link, said Miller. It’s important to have the proper protocols in place before such events.

That means limiting data access to only what each employee needs, having an incident response plan in place, and performing “dry runs” of security procedures, said Miller. Even things as simple as multi-factor authentication and VPNs can serve as lines of defense. “The least-privileged approach is key,” he said.

Not every task requires the full force of a large language model.

As the industry continues to build bigger and better models, Google is looking at ways to save energy: The company is seeking to patent a system for automatically mixing the usage of multiple generative models with “differing computational efficiencies.”

Upon receiving a query, Google’s system will first feed the input to a small, resource-efficient AI model to come up with an initial response, which is then checked by a verifier and assigned a quality score.

If the score is high enough, it’s sent back to the user without engaging a more powerful model. If not, the original input is sent to a large language model for a more in-depth, high-quality response.

The tech can lower compute costs and increase response times by using powerful language models only when necessary. “A smaller counterpart to a larger model can include 25%, 33%, 50%, 66% or other percentage less parameters than the larger model … Such a smaller-size counterpart may be sufficient for processing some content,” Google said in the filing.

Google’s filing highlights an important and ever-present question that enterprises are weighing as they continue to build AI into their businesses: How much power is too much? While the powerful AI models coming from the likes of OpenAI, Anthropic and Google are capable of complex tasks, you don’t need Thor’s hammer to kill a fly.

Google isn’t the only company interested in small models – OpenAI, Microsoft, Alibaba and more all have small model offerings. These models could become even more valuable as enterprises continue to question the value of their AI investments and seek efficiency gains in smaller packages.