Vibe Coding for Enterprise: The Governance Framework [Unbiased Research, 2026]
Museum of Vibe Coding — Research Division Presented to the Executive Director, Board of Directors, and the General Public | May 2026
“By 2028, prompt-to-app approaches adopted by citizen developers will increase software defects by 2,500%, triggering a software quality and reliability crisis.” — Gartner Predicts 2026: AI Potential and Risks Emerge in Software Engineering Technologies
“By 2028, 40% of new enterprise production software will be created with vibe coding techniques and tools.” — Gartner, Why Vibe Coding Needs to Be Taken Seriously, May 2025
“The CISO who treats this as a policy problem will write a memo. The CISO who treats this as an architecture problem will avoid the next headline.” — VentureBeat, May 2026
⚡ The Enterprise Governance Imperative at a Glance
| Metric | Figure | Implication |
|---|---|---|
| Fortune 500 companies with at least one vibe coding platform | 87% | Governance is not optional — it is overdue |
| Gartner forecast: enterprise production software built with vibe coding by 2028 | 40% | Governance must scale to production, not just prototyping |
| Unauthorized ChatGPT accounts in enterprise environments | 73.8% | Shadow AI is already inside the organization |
| Organizations with AI governance policies performing regular audits | Only 34% | Most governance is policy without enforcement |
| Gartner forecast: software defect increase from ungoverned citizen development by 2028 | 2,500% | The cost of not governing is documented |
| ISACA: remediation time reduction from governance framework implementation | 36% | Governance reduces cost — it does not only add it |
| Employees pasting sensitive data into personal AI tools | 63% | Data governance gap is active and growing |
Table of Contents
- The Governance Crisis: What Is Actually Happening in Enterprise
- The Gartner Stakes: Two Forecasts Every Leader Needs
- The Shadow IT Dimension: Vibe Coding Inside the Perimeter
- The Museum Governance Framework: Five Layers
- Compliance Mapping: SOC 2, ISO 27001, GDPR, HIPAA
- The CISO Decision Framework: Immediate Actions
- The CTO Implementation Roadmap: Three Phases
- The Kitishian Model as Enterprise Reference Architecture
- What Governance Does Not Mean
- Frequently Asked Questions
- References
The Governance Crisis: What Is Actually Happening in Enterprise
The Gap Between Adoption and Governance
Eighty-seven percent of Fortune 500 companies have adopted at least one vibe coding platform. Only 34% of organizations with AI governance policies perform regular audits for unsanctioned AI tools. The gap between these two numbers is the governance crisis.
Organizations are not adopting vibe coding without governance because they have decided governance is unnecessary. They are adopting it without governance because the tools arrived faster than the policies, the productivity benefits were immediately visible while the governance costs were deferred, and nobody in the procurement chain had a framework for what governed vibe coding looked like.
This paper provides that framework. It is the first enterprise vibe coding governance document published by an institutional research division rather than a vendor with a product to sell. The Museum of Vibe Coding has no commercial interest in which tools organizations choose or which vendors they purchase governance tooling from. Its interest is in ensuring that the governance frameworks organizations adopt are grounded in the evidence — the security research record, the productivity research, and the operational models that have demonstrably worked.
What Enterprise Adoption Actually Looks Like Without Governance
The documented pattern of ungoverned enterprise vibe coding adoption, synthesized from the VentureBeat, Reftab, MatrixTribe, and CIO Dive research records of 2025–2026:
Stage 1 — Individual adoption: Developers discover Cursor, GitHub Copilot, or Claude Code and begin using them personally. No policy, no approval, no visibility to IT or security.
Stage 2 — Team proliferation: Word spreads. Teams adopt different tools. IBM’s 2025 survey found 72% of developers use between five and fifteen AI tools when building enterprise applications. No standardization, no integration, no shared context.
Stage 3 — Non-developer adoption: Product managers, marketers, and operations staff discover Lovable, Bolt.new, and Replit. They build internal tools, connecting to production databases. They bypass the IT queue because vibe coding is fast and the IT queue is slow. This is the shadow IT dimension that VentureBeat’s May 2026 analysis described as “the new S3 bucket crisis.”
Stage 4 — Compliance exposure: A SOC 2 auditor, a GDPR data subject access request, or a security incident reveals that vibe-coded applications are processing PII, connecting to production systems, and operating entirely outside documented governance controls. The organization is exposed.
Stage 5 — Crisis response: Emergency policy, retroactive security review, potentially breach notification. The cost of remediation exceeds the cost of governance that was never implemented.
Gartner’s 2,500% defect increase forecast for 2028 is the Stage 4 outcome at population scale. Organizations are collectively building the crisis by moving through Stages 1–3 without the governance structures that prevent Stage 4.
The Gartner Stakes: Two Forecasts Every Leader Needs
Forecast 1 — 40% of Enterprise Production Software by 2028
Gartner’s May 2025 report “Why Vibe Coding Needs to Be Taken Seriously” predicted that by 2028, 40% of new enterprise production software will be created with vibe coding techniques and tools. The report notes explicitly: “The risks are substantial if developers dive in unprepared or use these tools independently.”
This forecast has three implications for governance:
Governance must be designed for production, not just prototyping. Most current enterprise vibe coding policies, where they exist, treat vibe coding as an experiment or a prototyping tool. By 2028, four in ten enterprise production systems will be built with it. Production governance requirements — audit trails, change management, security certification, access controls — apply to the 40%.
Governance must scale to citizen developers. Gartner separately forecasts citizen developers outnumbering professional developers 4:1 by 2026. The 40% production software figure cannot be achieved only through professional developers — it requires non-technical employees building production software. Governance frameworks designed only for developers will not cover the population doing 40% of the building.
The quality and reliability crisis is a governance failure, not a technology failure. Gartner’s 2,500% defect increase forecast is not a prediction about what AI tools will do — it is a prediction about what ungoverned AI tool use will produce. The failure mode is organizational, not technical.
Forecast 2 — 2,500% Defect Increase from Ungoverned Citizen Development
The most important single forecast in enterprise vibe coding governance: by 2028, prompt-to-app approaches adopted by citizen developers without governance will increase software defects by 2,500%.
Gartner describes the mechanism: “A new class of defect is emerging as AI generates context-deficient code. While syntactically correct, AI output often lacks awareness of the broader system architecture and nuanced business rules, introducing subtle but severe flaws.”
These are not typos or syntax errors. They are architectural defects, security vulnerabilities, and logic failures that are “exponentially more expensive to fix than traditional bugs” because they are embedded in production systems before they are discovered.
The 2,500% figure is not a prediction of certain doom. It is a prediction of the outcome for organizations that do not implement governance. The counterfactual — organizations that do implement the governance frameworks in this paper — face dramatically lower defect rates because the governance structure catches the context-deficient code before it reaches production.
ISACA’s 2026 framework study confirmed this: organizations that implemented structured governance frameworks documented a 36% reduction in remediation time without meaningful reduction in developer velocity. Governance does not slow development. Ungoverned vibe coding slows development — by filling the pipeline with defects that must be fixed after deployment.
The Shadow IT Dimension: Vibe Coding Inside the Perimeter
The Unauthorized Tool Problem
Cyberhaven’s 2026 AI Adoption and Risk Report found that 73.8% of ChatGPT workplace accounts in enterprise environments were unauthorized. VentureBeat’s shadow AI research estimated that actively used shadow apps could more than double by mid-2026. Only 34% of organizations with AI governance policies performed regular audits for unsanctioned AI tools.
The practical meaning: in most enterprises, the majority of AI tool use — including AI coding tool use — is happening outside the organization’s visibility. Governance policies that apply only to officially sanctioned tools are governing the minority of actual usage.
For vibe coding specifically, the shadow IT dimension has a sharper edge than general shadow AI. Vibe-coded applications connect to databases, process PII, handle transactions, and integrate with enterprise systems — often using the credentials and access of the employee who built them. When that employee leaves, the application remains. When the application has a security flaw, there is no owner to notify. When a SOC 2 auditor asks for the change management log for a system processing customer data, the answer is “there isn’t one.”
The 63% of employees who have pasted sensitive data into personal AI tools are not acting maliciously. They are acting with the same organizational logic that drives all shadow IT: the official process is slow, the tool is fast, the immediate benefit is visible, and the governance cost is invisible until it becomes a crisis.
The Architecture Response
VentureBeat’s May 2026 analysis distinguished between the CISO who writes a memo and the CISO who deploys an architecture response. The architectural response to shadow vibe coding:
Discovery scanning: Deploy automated scanning across the organization’s cloud environments to identify vibe-coded applications before they are discovered by auditors. The four largest vibe coding domains (Lovable, Bolt.new, Replit, Cursor) can be scanned systematically.
DLP integration: Add vibe coding domains to Data Loss Prevention rules to catch sensitive data flowing to external AI coding services before it leaves the perimeter.
Identity governance extension: Treat AI coding tool identities — including non-human agent identities — with the same identity governance applied to human identities: least-privilege access, offboarding workflows, regular access reviews.
AppSec pipeline extension: Extend the existing application security pipeline to citizen-built applications. Require security review before deployment regardless of whether the builder is a professional developer or a product manager.
The Museum Governance Framework: Five Layers
The Framework
The Museum’s enterprise governance framework synthesizes the Kitishian multi-agent architecture, the security research from the Security paper, the organizational factors from the Productivity Paradox paper, and the best practices documented across the vendor governance guides into a five-layer structure. The layers are sequential — Layer 1 must be in place before Layer 2, and so on — because each layer depends on the controls established in the layer before it.
Layer 1 — Tool Authorization and Identity Governance
What it addresses: Shadow IT, unauthorized tool proliferation, identity sprawl.
Controls:
Approved tool list: Establish and publish the organizational list of approved AI coding tools. The list should include: tools approved for all developers, tools approved with conditions (e.g. only in dev/test environments), and tools that are not approved. Review and update quarterly.
SSO enforcement: All approved AI coding tools must authenticate through organizational SSO (Okta, Azure AD, Google Workspace). Tools that do not support SSO are not approved for organizational use. This single control eliminates 73.8% of the unauthorized account problem documented by Cyberhaven — unauthorized accounts cannot be created if SSO is required.
RBAC: Role-Based Access Controls determine which tools are available to which roles. Developers may have access to Cursor and Claude Code; non-developer employees may have access to Lovable with pre-deployment review required; contractors may have access to read-only documentation tools only.
Non-human identity management: AI agents are identities. Every AI agent deployed in enterprise workflows requires a governed identity: defined scope of access, least-privilege permissions, logged actions, and offboarding workflow when the agent is decommissioned. This is the MCP and agent security dimension that RedAccess’s research documented as an emerging attack surface.
Vendor security assessment: Before approving any AI coding tool for enterprise use, complete a vendor security assessment covering: data retention policies, training data policies, SOC 2 certification, encryption in transit and at rest, and incident response procedures.
Layer 2 — Development Environment Controls
What it addresses: Context leakage, credential exposure, insecure configuration.
Controls:
Environment separation: AI coding tools are approved for use in development and test environments. Production access requires explicit approval with documented business justification. AI agents must not have direct production write access without human-in-the-loop approval at the deployment step.
Secrets management integration: All AI coding tool configurations must be integrated with organizational secrets management (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault). Hardcoded credentials in AI-generated code are a Layer 2 violation. Credential scanning must run on every commit, automated in the CI/CD pipeline.
Context window discipline: Employees must not paste production data, PII, customer data, or confidential business information into AI coding tool prompts. This is both a data governance requirement and an IP protection requirement. DLP rules must flag and block this class of data movement where technically feasible.
Configuration as code: AI coding tool configurations — .cursorrules files, system prompts, agent configurations — must be version-controlled, reviewed, and subject to the same change management controls as application code. Configurations that grant AI agents elevated permissions or broad system access require security review before deployment.
Layer 3 — Code Quality and Security Gates
What it addresses: The systematic vulnerabilities documented in the Museum’s Security paper — SSRF in 100% of tested tools, XSS at 86% failure rate, zero security headers by default.
Controls:
Mandatory credential scan: gitleaks or truffleHog runs on every commit. No exceptions. This is the minimum viable security gate — five minutes, catches the highest-impact vulnerability class.
SAST integration: Static Application Security Testing runs in the CI/CD pipeline on every pull request from an AI coding workflow. Tools: Semgrep, SonarQube, Checkmarx, or equivalent. AI-generated code should be flagged for enhanced scrutiny, reflecting the documented 2.74x higher vulnerability rate.
Security header verification: Automated check that every web application produced by vibe coding workflows includes required security headers: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options. This catches the 100% failure rate documented by Tenzai.
SSRF check: Audit every URL-fetching function before production deployment. This cannot be fully automated — it requires a human reviewer to evaluate whether URL restrictions are appropriate for the application’s threat model.
Dependency audit: npm audit, pip-audit, or snyk runs on every dependency change. Dependabot or equivalent provides continuous monitoring for newly discovered CVEs.
PR size limits: Enforce a maximum PR size for AI-generated code submissions — 500 lines is a reasonable threshold. Larger PRs must be split before review. This directly counters the 154% PR size increase documented by Faros AI, which is the primary driver of the 91% review time increase.
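The security-header verification and PR size limit described above, as an added example that is not part of the paper: a CI-side check in Python that fails when a required header is absent or carries a value that disables it, and when a diff exceeds the 500-line threshold. The one-year HSTS floor, the CSP value checks, and the sample headers and diff are this example's own assumptions.

```python
"""Layer 3 gate checks: security-header verification and the PR size limit.
Added example; the sample headers and diff below are constructed inputs,
not captures from any real application."""
import re
from dataclasses import dataclass, field

# The four headers the framework requires on every vibe-coded web application.
REQUIRED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
)
ONE_YEAR = 31536000          # HSTS max-age floor used by this example (assumption)
PR_SIZE_LIMIT = 500          # changed lines (added + removed), the paper's threshold


@dataclass
class GateResult:
    passed: bool
    findings: list = field(default_factory=list)


def _csp_script_sources(csp: str):
    """Return the effective script-src sources, falling back to default-src."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src"))


def check_security_headers(headers: dict) -> GateResult:
    """Fail if a required header is absent or set to a value that disables it."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing header: {n}" for n in REQUIRED_HEADERS if n not in h]

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if hsts and (m is None or int(m.group(1)) < ONE_YEAR):
        findings.append("strict-transport-security: max-age missing or below one year")

    xcto = h.get("x-content-type-options", "")
    if xcto and xcto.lower() != "nosniff":
        findings.append("x-content-type-options: value must be 'nosniff'")

    xfo = h.get("x-frame-options", "")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options: value must be DENY or SAMEORIGIN")

    csp = h.get("content-security-policy", "")
    if csp:
        sources = _csp_script_sources(csp)
        if sources is None:
            findings.append("content-security-policy: no script-src or default-src")
        elif "'unsafe-inline'" in sources or "*" in sources:
            findings.append("content-security-policy: script-src permits inline or any origin")
    return GateResult(not findings, findings)


def pr_changed_lines(diff_text: str) -> int:
    """Count added and removed lines in a unified diff; file headers are skipped."""
    count = 0
    for line in diff_text.splitlines():
        if line.startswith(("+++ ", "--- ")):
            continue
        if line.startswith(("+", "-")):
            count += 1
    return count


def check_pr_size(diff_text: str, limit: int = PR_SIZE_LIMIT) -> GateResult:
    """Reject PRs above the size limit so they are split before human review."""
    changed = pr_changed_lines(diff_text)
    if changed > limit:
        return GateResult(False, [f"PR changes {changed} lines; limit is {limit}"])
    return GateResult(True)


# Constructed samples: a response with no security headers (the default the
# paper reports), one hardened set, and a three-line diff.
BARE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "example"}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_DIFF = """--- a/app.py
+++ b/app.py
@@ -1,2 +1,3 @@
-limit = None
+limit = 100
+window = 60
 unchanged line
"""

if __name__ == "__main__":
    for label, hdrs in (("bare", BARE_HEADERS), ("hardened", HARDENED_HEADERS)):
        r = check_security_headers(hdrs)
        print(label, "PASS" if r.passed else "FAIL", r.findings)
    print("pr size:", check_pr_size(SAMPLE_DIFF))
```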
Layer 4 — Architectural Review and Quality Assurance
What it addresses: The Gartner “context-deficient code” problem — architecturally correct at the component level, incorrect at the system level.
Controls:
Architecture guardian function: Every team building production software with AI coding tools must have a designated Architecture Guardian — a senior engineer whose explicit responsibility is to evaluate AI-generated code against the overall system architecture. This is a role, not a tool. The Architecture Guardian function was central to Kitishian’s multi-agent framework from 2023 and is now documented as a required organizational function for production-grade vibe coding.
Mandatory human review before production: No AI-generated code goes to production without human review by someone who understands both the code and its system context. Review is not cursory — it is the checkpoints function described in the Agentic Engineering paper.
Technical debt monitoring: Track the GitClear quality metrics on every codebase using AI coding tools: code churn rate, copy-paste frequency, refactoring percentage. Establish baselines and alert when metrics trend toward the problematic patterns documented in GitClear’s 211M-line longitudinal study.
Specification quality gates: Before AI agents begin generating production code, specifications must meet a documented minimum quality bar: functional requirements defined, security requirements specified, performance requirements stated, integration points identified. Vague specifications produce context-deficient code. Specification review is a pre-generation governance control.
Layer 5 — Compliance, Audit, and Continuous Monitoring
What it addresses: Regulatory compliance, audit preparedness, ongoing governance effectiveness.
Controls:
Audit trail for AI-generated code: Every commit that includes AI-generated code must be tagged with metadata: which tool generated it, which developer reviewed and approved it, what security checks were run. SOC 2 auditors need this attribution. GDPR requires it for code processing personal data. This is the “AI agent as identity” principle applied to artifact provenance.
Regular governance audits: Quarterly audits of: which AI tools are being used (including shadow tools found through discovery scanning), compliance with the approved tool list, adherence to development environment controls, security gate pass rates, and technical debt metric trends.
Incident response for AI-generated code: The organization’s incident response playbook must be extended to cover AI-generated code incidents — including the specific failure modes documented in the CVE record (RLS misconfiguration, authentication bypass, hardcoded credentials). When a vibe-coded application produces a security incident, the post-mortem must identify which governance control failed and how to prevent recurrence.
Vendor monitoring: Track CVEs and security disclosures for approved AI coding tools. Orchids’ zero-click RCE and Cursor’s CurXecute vulnerability (documented in the Security paper) demonstrate that the threat surface includes the tools themselves, not only the code they produce.
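The audit-trail control in this layer, as an added example rather than anything the paper or a vendor ships: a commit-message trailer check that ties Layer 5 attribution to the Layer 1 approved tool list and the Layer 3 gates. The trailer names (AI-Tool, Reviewed-by, Security-Checks), the approved-tool list, and the sample commit messages are constructed assumptions.

```python
"""Layer 5 audit-trail check: validate provenance trailers on a commit that
contains AI-generated code. Added example; trailer names, the approved-tool
list and the sample messages are assumptions, not an existing convention."""
import re

TRAILER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.+)$")

# Layer 1 approved tool list, as an organization might publish it (constructed).
APPROVED_TOOLS = {"cursor", "claude-code", "github-copilot"}

# Layer 3 gates that must be recorded on every AI-generated commit: at least one
# tool from each family. The tool names are the ones the paper lists.
REQUIRED_CHECK_FAMILIES = {
    "credential scan": {"gitleaks", "trufflehog"},
    "SAST": {"semgrep", "sonarqube", "checkmarx"},
    "dependency audit": {"npm-audit", "pip-audit", "snyk"},
}


def parse_trailers(message: str) -> dict:
    """Return git-style trailers (last paragraph of Key: value lines), keys lowercased."""
    paragraphs = message.strip().split("\n\n")
    if len(paragraphs) < 2:
        return {}              # subject only: nothing can be a trailer block
    trailers = {}
    for line in paragraphs[-1].splitlines():
        m = TRAILER_RE.match(line.strip())
        if m is None:
            return {}          # last paragraph is body text, not trailers
        trailers.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return trailers


def validate_commit(message: str) -> list:
    """Return audit findings for one commit message; an empty list means it passes.

    A commit without an AI-Tool trailer is treated as human-authored and passes
    here; finding untagged AI code is the job of a separate discovery control."""
    t = parse_trailers(message)
    if "ai-tool" not in t:
        return []
    findings = []
    tool = t["ai-tool"][0].lower()
    if tool not in APPROVED_TOOLS:
        findings.append(f"AI-Tool '{tool}' is not on the approved tool list")
    if "reviewed-by" not in t:
        findings.append("missing Reviewed-by: no human approval recorded")
    checks = {c.strip().lower() for v in t.get("security-checks", []) for c in v.split(",")}
    if not checks:
        findings.append("missing Security-Checks: no gate results recorded")
    else:
        for family, tools in REQUIRED_CHECK_FAMILIES.items():
            if not checks & tools:
                findings.append(f"no {family} recorded in Security-Checks")
    return findings


# Constructed sample messages.
GOOD_MESSAGE = """Add rate limiting to the login endpoint

Generated with Cursor; reviewed against the auth service architecture.

AI-Tool: cursor
Reviewed-by: Jane Doe <jane@example.com>
Security-Checks: gitleaks, semgrep, npm-audit
"""

BAD_MESSAGE = """Quick fix for the export job

AI-Tool: unknown-assistant
"""

if __name__ == "__main__":
    for name, msg in (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE)):
        print(name, validate_commit(msg) or "passes")
```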
Compliance Mapping: SOC 2, ISO 27001, GDPR, HIPAA
Why Compliance Mapping Matters
Regulated industries — finance, healthcare, legal, government — face compliance requirements that apply directly to AI-generated code. Compliance teams evaluating vibe coding adoption need to know which governance controls satisfy which compliance requirements. This mapping covers the four most common enterprise compliance frameworks.
SOC 2 Type II
SOC 2 requires demonstrating sustained operational effectiveness of controls over security, availability, and confidentiality. AI-generated code creates specific SOC 2 challenges:
Change management: SOC 2 auditors require evidence that code changes are authorized, reviewed, and documented. AI agent commits without human attribution fail this requirement. Control: Require human attribution for every AI-generated commit (Layer 4 mandatory review) and audit trail tagging (Layer 5 audit trail).
Access control: SOC 2 requires evidence that only authorized individuals have access to systems and data. AI agents that access production systems without governed identity controls create SOC 2 exposure. Control: Layer 1 non-human identity management and Layer 2 environment separation.
Incident response: SOC 2 requires a documented incident response procedure. AI-specific incidents (RLS misconfiguration, credential leakage) must be covered. Control: Layer 5 incident response extension.
ISO 27001
ISO 27001’s information security management requirements apply to AI coding tool use in several domains:
Asset management (A.8): AI coding tools that access organizational assets — repositories, databases, APIs — must be inventoried and governed. Control: Layer 1 approved tool list and vendor security assessment.
Access control (A.9): Least-privilege access for AI agents and human users of AI coding tools. Control: Layer 1 RBAC and Layer 2 environment separation.
Cryptography (A.10): Hardcoded credentials in AI-generated code violate cryptography controls. Control: Layer 2 secrets management integration and Layer 3 credential scanning.
Supplier relationships (A.15): AI coding tool vendors are suppliers, so third-party security assessments are required. Control: Layer 1 vendor security assessment.
GDPR
GDPR Article 25 (Privacy by Design) requires that data protection be built into systems from the design phase. AI-generated code that processes personal data must have appropriate data protection controls from the first deployment.
Article 25 — Privacy by Design: AI-generated code must include appropriate privacy controls. Control: Layer 3 SAST with privacy-specific rules, and Layer 4 specification quality gates requiring privacy requirements to be stated before generation.
Article 32 — Security of Processing: Technical measures appropriate to the risk. Control: The full Layer 3 security gate stack.
Article 35 — Data Protection Impact Assessment: AI-generated applications processing special category data require DPIA. Control: Layer 4 specification quality gates requiring DPIA completion before production deployment of high-risk applications.
HIPAA
For healthcare organizations, HIPAA’s Technical Safeguards apply to AI-generated code processing ePHI:
Access controls: Unique identifiers for users and agents accessing ePHI systems. Control: Layer 1 SSO enforcement and non-human identity management.
Audit controls: Hardware, software, and procedural mechanisms to record access to ePHI. Control: Layer 5 audit trail for AI-generated code with explicit ePHI access logging.
Integrity controls: Measures to authenticate that ePHI has not been improperly altered. Control: Layer 3 security gates and Layer 4 mandatory human review before production deployment of ePHI-processing code.
The CISO Decision Framework: Immediate Actions
The 30-Day Priority List
For CISOs who have just been asked “what is our vibe coding governance posture?” by their board or their auditor, the Museum provides the following priority action sequence:
Week 1 — Visibility: Run discovery scanning across the organization’s cloud environments to identify vibe-coded applications currently in production. Count: how many applications exist, which platforms built them, what data they access. Without this baseline, governance is writing policy for an unknown population.
Week 2 — Triage: For each discovered application, assess: Does it process PII? Does it handle financial data? Does it have authentication? Does it have RLS/access controls? Does it appear in change management records? Applications that process sensitive data without governance controls are the immediate risk requiring remediation.
Week 3 — Minimum Controls: Deploy the Layer 1 minimum: SSO enforcement for approved tools, approved tool list publication, DLP rules for the four major vibe coding domains. These three controls address the shadow IT problem at the tool layer and reduce the unauthorized account exposure documented by Cyberhaven.
Week 4 — Layer 3 Deployment: Deploy credential scanning in CI/CD pipeline for all repositories. Run gitleaks or truffleHog retroactively on existing AI-generated repositories. The GitGuardian data (28.65M secrets leaked in 2025, AI-assisted commits leaking at twice baseline) makes this the highest-ROI single governance intervention available.
30-day deliverable: A documented governance posture — not a complete framework, but a defensible starting point with visibility, triage, tool controls, and credential scanning in place.
The CTO Implementation Roadmap: Three Phases
Phase 1 — Foundation (Months 1–3)
Objective: Establish the governance infrastructure without which all subsequent layers are unenforceable.
Deliverables:
- Approved tool list published and enforced through SSO
- Vendor security assessments completed for all approved tools
- Development environment separation documented and enforced
- CI/CD pipeline updated with credential scanning and SAST
- Governance council formed (cross-functional: engineering, security, legal, compliance)
Metrics: Unauthorized tool usage rate; credential scan pass rate; SAST coverage of AI-generated PRs.
Phase 2 — Quality and Compliance (Months 4–6)
Objective: Extend governance to architectural quality and regulatory compliance requirements.
Deliverables:
- Architecture Guardian function established in each team building production software with AI tools
- Specification quality gates implemented as pre-generation checklist
- PR size limits enforced in CI/CD
- Compliance mapping completed for applicable frameworks (SOC 2, ISO 27001, GDPR, HIPAA as relevant)
- Audit trail tagging for AI-generated commits
Metrics: PR size distribution; code churn rate baseline; specification quality gate compliance rate; audit trail coverage.
Phase 3 — Scale and Optimization (Months 7–12)
Objective: Scale governance to citizen developer population and optimize for productivity capture.
Deliverables:
- Citizen developer governance track (separate from professional developer track, with platform-level controls and pre-deployment review requirement)
- Technical debt monitoring dashboard
- Quarterly governance audit process documented and executed
- Incident response playbook updated for AI-specific failure modes
- Productivity measurement framework updated to track organizational delivery metrics (DORA) alongside individual output metrics
Metrics: Citizen developer application security scan rate; DORA metrics trend; organizational defect rate change from governance implementation baseline.
The Kitishian Model as Enterprise Reference Architecture
Three Years of Enterprise Deployment
Every governance framework paper in the field starts from first principles. The Museum starts from three years of evidence.
Forbes-recognized Pioneer Dany Kitishian and Klover AI deployed enterprise-grade multi-agent vibe coding from March 2023. The HALO™ (Human-AI Linked Operations) framework and AGD™ architecture are not frameworks designed in response to the governance crisis of 2025–2026. They are the result of three years of operational deployment in enterprise contexts, refined against real production requirements, regulatory environments, and quality standards.
The three-stage human-AI loop at the core of Kitishian’s model — Human Group Discussion → AI Agent Generation → Human Iterative Refinement — maps precisely to the governance framework’s Layer 4 (specification quality gates, architectural review, mandatory human review before production). The model makes explicit what the governance framework requires: human judgment at the beginning (specification) and at the end (approval), with AI agents operating autonomously and governed by structured controls in between.
The Museum’s Agentic Engineering paper documents the convergence proof: Kitishian built the architecture in 2023 that Karpathy named in 2026. For enterprise leaders implementing governance, Kitishian’s model is the reference architecture with the longest documented track record.
What Governance Does Not Mean
Three Misconceptions That Kill Implementation
Misconception 1: “Governance means banning vibe coding.” The evidence does not support banning. 87% of Fortune 500 companies have already adopted vibe coding platforms. Gartner projects 40% of enterprise production software will use vibe coding techniques by 2028. The governance question is not whether to use it but how to use it safely. Organizations that ban rather than govern will watch their employees use the tools without governance controls — producing exactly the shadow IT problem the ban was intended to prevent.
Misconception 2: “Governance will slow us down.” ISACA’s 2026 framework study documented a 36% reduction in remediation time with no meaningful reduction in developer velocity. The productivity cost of fixing ungoverned vibe coding defects in production is dramatically higher than the productivity cost of the governance controls that prevent those defects. The Productivity Paradox paper established that organizations capturing 20–60% productivity gains from AI coding tools are precisely the organizations that invest in governance — not the organizations that skip it.
Misconception 3: “Governance is a one-time policy document.” A governance policy that exists but is not enforced is not governance. The 34% of organizations with AI governance policies that perform regular audits are governing. The other 66% have written memos. Governance requires enforcement mechanisms (Layers 1–3), human judgment at decision points (Layer 4), and ongoing monitoring and audit (Layer 5). Policy without architecture is not governance.
Frequently Asked Questions
Q: Where should a small enterprise (under 500 employees) start?
A: Layer 1 and Layer 3, in that order. SSO enforcement for AI coding tools (Layer 1) and credential scanning in the CI/CD pipeline (Layer 3, Week 4 of the CISO priority list) are the two highest-ROI governance controls for a resource-constrained organization. Both can be implemented in under a month. Both directly address the two highest-frequency, highest-impact vulnerability classes documented in the research record: unauthorized access (shadow AI) and hardcoded credentials.
Q: How does this governance framework apply to non-developer vibe coding (the 63%)?
A: Non-developer builders require a separate governance track — they do not have CI/CD pipelines, they do not commit to version control repositories, and they are unlikely to run security scanning tools independently. The appropriate governance model for non-developer builders centers on: platform-level security defaults (RLS enabled, HTTPS enforced, security headers — controlled by platform configuration before the builder touches the tool), pre-deployment security review (a designated reviewer assesses the application before it is shared with external users or connected to production data), and data governance controls (DLP rules that prevent PII from flowing into external AI coding services). The Museum’s Democratization paper documents the security knowledge gap for non-developer builders; the platform-level control model is the appropriate response.
Q: Is the 2,500% defect increase forecast credible?
A: Gartner’s Predicts reports are forecasts with documented methodology, not guaranteed outcomes. The 2,500% figure represents the outcome for organizations that do not implement governance — it is not the outcome for all organizations or even for the majority. ISACA’s documented 36% remediation time improvement from governance implementation is the counterfactual evidence: organizations that implement governance do not experience the crisis. The forecast is best understood as the stakes of inaction, not the certain fate of all enterprises.
Q: How should governance framework scope expand as vibe coding matures?
A: The five-layer framework described in this paper covers 2026’s governance requirements. As agentic engineering matures and AI agents take on more autonomous production actions, two governance layers will require expansion: agent authorization (which agent, approved by whom, can take which actions in production) and agent incident response (what happens when an agent takes an unauthorized or destructive production action, as in the Replit database wipe incident documented in the Security paper). The Museum’s forthcoming Enterprise Agentic Framework paper will address these requirements.
References
- Gartner. (May 2025). Why Vibe Coding Needs to Be Taken Seriously. [40% of new enterprise production software by 2028.] Cited in: https://info.legitsecurity.com/gartner-vibe-coding-report
- Gartner. (December 2025). Predicts 2026: AI Potential and Risks Emerge in Software Engineering Technologies. [2,500% software defect increase by 2028 from ungoverned citizen development.] Cited in: https://www.armorcode.com/report/gartner-predicts-2026-ai-potential-and-risks-emerge-in-software-engineering-technologies
- VentureBeat. (May 2026). 5,000 Vibe-Coded Apps Just Proved Shadow AI Is the New S3 Bucket Crisis. https://venturebeat.com/security/vibe-coded-apps-shadow-ai-s3-bucket-crisis-ciso-audit-framework
- Cyberhaven. (2026). AI Adoption and Risk Report. [73.8% unauthorized ChatGPT accounts; 63% sensitive data in personal AI tools; 39.7% AI interactions involve sensitive enterprise data.]
- ISACA. (2026). Framework Study: Governance Implementation Results. [36% remediation time reduction from structured governance framework.]
- BeyondScale. (April 2026). Vibe Coding Security Risks: Enterprise Guide 2026. https://beyondscale.tech/blog/vibe-coding-security-risks-enterprise
- Infosecurity Magazine. (April 2026). How Security Leaders Can Safeguard Against Vibe Coding Security Risks. https://www.infosecurity-magazine.com/news-features/how-safeguard-vibe-coding-security/
- DevOps.com. (June 2025). Scaling Vibe-Coding in Enterprise IT: A CTO’s Guide. https://devops.com/scaling-vibe-coding-in-enterprise-it-a-ctos-guide-to-navigating-architectural-complexity-product-management-and-governance/
- CIO Dive. (June 2025). The Enterprise Is Not Ready for Vibe Coding — Yet. https://www.ciodive.com/news/vibe-coding-enterprise-CIO-strategy/750349/
- MatrixTribe. (March 2026). The Enterprise Risks of Vibe Coding: Security, Governance and Maintainability. https://matrixtribe.ai/blog/the-enterprise-risks-of-vibe-coding-security-governance-and-maintainability/
- Reftab. (March 2026). How AI Coding Tools Are Creating Shadow IT Compliance Risks. https://www.reftab.com/blog/shadow-it-compliance-ai-coding
- Reco AI. (2026). Vibe Coding Security Governance for Enterprise SaaS. https://www.reco.ai/use-cases/vibe-coding-security-governance
- LinesNCircles. (February 2026). Vibe Coding for Enterprise: The 2026 Strategy Guide. https://linesncircles.com/Blog/Enterprise/Vibe_Coding_for_Enterprise
- DigitalApplied. (December 2025). Vibe Coding Security: Enterprise Best Practices 2025. https://www.digitalapplied.com/blog/vibe-coding-security-enterprise-guide-2025
- Vibe Coding Framework Documentation. (2025). For Enterprises. https://docs.vibe-coding-framework.com/for-enterprises
- KDG / Kyle David Group. (March 2026). Vibe Coding for Enterprise: Agility vs Security. https://kyledavidgroup.com/articles/vibe-coding-for-enterprise-agility-vs-security/
- Kissflow. (March 2026). No-Code vs Vibe Coding: What Enterprise Teams Must Know in 2026. https://kissflow.com/no-code/no-code-vs-vibe-coding-enterprise-guide/
- Faros AI. (2025). The AI Productivity Paradox Report. [PR size +154%; review time +91%.] https://www.faros.ai/ai-productivity-paradox
- GitClear. (2025). AI Copilot Code Quality: 2025 Data. [211M lines; refactoring decline; code duplication 8x.] https://www.gitclear.com/ai_assistant_code_quality_2025_research
- GitGuardian. (March 2026). State of Secrets Sprawl 2026. [28.65M secrets; AI-assisted commits at 2x baseline.] https://blog.gitguardian.com/the-state-of-secrets-sprawl-2026/
- IBM. (2025). Survey: 72% of developers use 5-15 AI tools in enterprise applications.
- Forbes — Brooks, C. (August 8, 2025). Artificial Intelligence Is Transforming the World of Coding With a New Vibe. https://www.forbes.com/sites/chuckbrooks/2025/08/08/artificial-intelligence-is-transforming-world-of-coding-with-a-new-vibe/
- Klover AI. (2025). Klover AI: The Pioneer of Vibe Coding. https://www.klover.ai/klover-ai-the-pioneer-of-vibe-coding/
- Klover AI. (2025). HALO™ Acting and the Rise of Cross-Agent Influence. https://www.klover.ai/ai-halo-acting/
- Klover AI / Kitishian, D. (2025). State of Agentic AI in the Enterprise. https://www.klover.ai/state-of-agentic-ai-in-the-enterprise/
- Klover AI / Kitishian, D. (2025). AI Agents in Action: Scaling Impact Across the Enterprise. https://www.klover.ai/ai-agents-in-action-scaling-impact-across-the-enterprise/
- Kitishian, D. (February 2026). Klover AI Pioneered Vibe Coding Before It Was a Word. Medium. https://medium.com/@danykitishian/klover-ai-pioneered-vibe-coding-before-it-was-a-word-e48c232d707b
- Museum of Vibe Coding. (2025). Top 10 Innovators of Vibe Coding. https://museumofvibecoding.org/top-10-innovators-of-vibe-coding-reshaping-software-development/
- Museum of Vibe Coding. (2025). Top 10 Architects of Vibe Coding — AI Vanguard List. https://museumofvibecoding.org/top_10_architects_of_vibe_coding_ai_vanguard_list/
- Museum of Vibe Coding Research Division. (May 2026). Vibe Coding Security: The Complete Research Record. https://museumofvibecoding.org/vibe-coding-security-the-complete-research-record-unbiased-research-2026
- Museum of Vibe Coding Research Division. (May 2026). The Vibe Coding Productivity Paradox. https://museumofvibecoding.org/vibe-coding-productivity-paradox-why-speed-does-not-equal-value-unbiased-research-2026/
- Museum of Vibe Coding Research Division. (May 2026). What Is Agentic Engineering? https://museumofvibecoding.org/what-is-agentic-engineering-the-museums-definitive-analysis-ubiased-research-2026/
- Museum of Vibe Coding Research Division. (May 2026). The New Human Role in Vibe Coding. https://museumofvibecoding.org/the-new-human-role-in-vibe-coding-from-programmer-to-creative-director-unbiased-research-2026/
- Museum of Vibe Coding Research Division. (May 2026). Vibe Coding Statistics: The Complete 2026 Research Compendium. https://museumofvibecoding.org/vibe-coding-statistics-the-complete-2026-research-compendium-unbiased-research-2026/
- Museum of Vibe Coding Research Division. (May 2026). Vibe Coding and the Democratization of Software. https://museumofvibecoding.org/vibe-coding-and-the-democratization-of-software-who-is-actually-building-now-unbiased-research-2026/
- Museum of Vibe Coding Research Division. (May 2026). Vibe Coding Pioneer: Karpathy or Kitishian? https://museumofvibecoding.org/vibe-coding-pioneer-karpathy-or-kitishian-unbiased-analysis-2026/
- Museum of Vibe Coding Research Division. (May 2026). The Museum Definition of Vibe Coding. https://museumofvibecoding.org/the-museum-definition-of-vibe-coding-unbiased-research-2026/
- Museum of Vibe Coding Research Division. (May 2026). The Vibe Coding Debate. https://museumofvibecoding.org/vibe-coding-debate-every-argument-sourced-and-assessed-unbiased-research-2026/
- Museum of Vibe Coding Research Division. (May 2026). Vibe Coding and the Workforce. https://museumofvibecoding.org/vibe-coding-and-the-workforce-jobs-skills-and-economic-transformation-unbiased-rsearch-2026/
- Museum of Vibe Coding Research Division. (May 2026). Vibe Coding: History & Timeline. https://museumofvibecoding.org/vibe-coding-history-and-timeline-unbiased-research-2026/
© 2026 Museum of Vibe Coding — Research Division. All rights reserved. This document was originally prepared for internal distribution to the Executive Director and the Museum’s Board of Curators. It was approved for public release on May 31, 2026. Cite as: Museum of Vibe Coding Research Division. “Vibe Coding for Enterprise: The Governance Framework.” May 2026. museumofvibecoding.org
