What 2,000 Exposed Vibe-Coded Apps Reveal About the Limits of Most Security Stacks

Shadow AI used to mean employees pasting things they shouldn't into ChatGPT. It now means something bigger: employees building full applications with AI, wiring them into production systems, and publishing them on the open internet. Without Security or IT in the loop. The artifact moved from a prompt to a product. The risk surface moved with it. In The Shadow Builders report (get it here), a

The article describes how employees are using generative AI to 'vibe code' full applications, wiring them directly into production systems and exposing them on the public internet without Security or IT involvement.[5] This shifts 'shadow AI' from ad hoc prompt use to unsanctioned SaaS-like applications that interact with live data and internal services, creating a large, largely invisible attack surface. From a security perspective, this raises significant SaaS AI risk: unreviewed code, missing authN/Z, insecure integrations, and lack of monitoring can lead to data leakage and compromise of core systems. CyberSE.AI would recommend an AI Security Readiness Assessment and policy support to inventory and govern shadow AI apps, combined with Secure AI Agent Build patterns to give teams safe, approved ways to create AI-powered applications.