May 5, 2026 · Vivecoding

Field Notes from the Vivecoding Talk.

I gave the Vivecoding talk live at IT Audit Labs. The manifesto post has the technical bones. This one has the moments the slides could not carry: the pronunciation that turned out to be a thesis, the night Bard refused to let me refactor, and the two production scars I can only laugh about now.

#vivecoding #talk #ai-engineering #field-notes

Companion piece to the Vivecoding manifesto. Watch the talk below, then read whichever you want.

I gave the Vivecoding talk at IT Audit Labs game night. Eric Brown introduced it, the same Eric who pointed at a whiteboard one afternoon and corrected the pronunciation I had been getting wrong for a year.

The manifesto post has the diagram, the DAG, the model lineup, the scars. This one has the moments around it.

The pronunciation that wasn’t a typo

When I joined IT Audit Labs, the first question Eric Brown asked me was, “Did you vibe code it?”

I did not know what the term meant. I went home and Googled it. Then I felt a little ashamed to admit I had been using ChatGPT to help me ship.

A few weeks later, Eric stood at a whiteboard, looked at me, and said: “You are pronouncing it wrong. It is vibe coding, not vive coding.”

He was right that I was saying it wrong. He was wrong that it was a mistake.

The vibe coder rolls a d20 and ships whatever the model spits out. The vive coder treats AI as the most powerful junior they have ever managed, and applies the same engineering rigor they would apply to any other contributor.

Same tools. Same models. Different discipline.

Once I noticed the gap, the wrong pronunciation became the right name.

The night Bard refused

This is a real story. Last week, around 10pm, a stakeholder asked me to take a working product and rebuild it under a new shape, same name, different features.

I opened the orchestrator. I told Bard, my Anthropic-backed lead agent, what I was about to do.

Bard said: “We are not doing that tonight. It is 10pm. We already have a working product. Let us wait until tomorrow.”

That is the workflow doing its job. Bard is not a yes-man. The personality is wired to push back when the request looks like it will create more debt than value, especially when the engineer asking for it is tired. Engram, my persistent memory layer, had context on the existing product, the hours I had logged that day, and the fact that the proposed change overlapped with something already shipped.

A vibe coder would have spent the night refactoring. I went to sleep. The next morning we scoped it properly, with a spec, a design, and a verify gate.

The discipline is not in the model. It is in the orchestrator that knows when to say no.

Two scars the talk did not have time for

I covered two production CVEs in the talk. Both anonymized here, because the fixes shipped and the lessons are what matter.

Scar one. An internal tool granted admin to every member of our organization, automatically, regardless of role. The pattern was old, looked intentional, and would have lived in production for months if my security agent had not run an unprompted audit and flagged it as a real privilege-escalation bug, not a design choice.

The lesson: what looks like a feature is sometimes a CVE. Old code is not safe code. Old code is unaudited code with a longer rap sheet.

Scar two. A chatbot helper with tool-calling access to a shared database fetched any record by ID through a service account, with no ownership check. A user in tenant A could ask the bot for a record from tenant B, and the bot would hand it over.

Caught during the security audit phase of an overhaul, before production.

The lesson generalizes: every AI tool is an authenticated endpoint. If you would not expose the underlying operation as an unguarded REST call, you cannot expose it as an unguarded tool either. The Zod schema on a tool definition is not a security boundary. The handler is.
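To make the schema-versus-handler point concrete, here is an added sketch, not the code from the anonymized system. The record store, the `rec-` ID format, the session object and every function name are hypothetical, and `parseArgs` stands in for the role a Zod schema plays.

```javascript
// Constructed sample data: two records owned by different tenants.
const RECORDS = new Map([
  ["rec-100", { id: "rec-100", tenantId: "tenant-a", body: "A's invoice" }],
  ["rec-200", { id: "rec-200", tenantId: "tenant-b", body: "B's invoice" }],
]);

// Stand-in for the tool's schema (the role Zod plays): it checks shape only.
// A well-formed ID for another tenant's record passes this step.
function parseArgs(args) {
  if (!args || typeof args.recordId !== "string" || !/^rec-\d+$/.test(args.recordId)) {
    return { ok: false, error: "invalid_arguments" };
  }
  return { ok: true, recordId: args.recordId };
}

// The pattern from the post: validated input, service-account lookup, no ownership check.
function getRecordUnguarded(args) {
  const parsed = parseArgs(args);
  if (!parsed.ok) return parsed;
  const record = RECORDS.get(parsed.recordId);
  return record ? { ok: true, record } : { ok: false, error: "not_found" };
}

// Hardened handler: the tenant comes from the authenticated session that the
// host application attaches to the call, never from model-supplied arguments.
function getRecordGuarded(args, session) {
  if (!session || typeof session.tenantId !== "string") {
    return { ok: false, error: "unauthenticated" };
  }
  const parsed = parseArgs(args);
  if (!parsed.ok) return parsed;
  const record = RECORDS.get(parsed.recordId);
  // Same answer for "missing" and "not yours", so the tool cannot be used
  // to probe which IDs exist in other tenants.
  if (!record || record.tenantId !== session.tenantId) {
    return { ok: false, error: "not_found" };
  }
  return { ok: true, record };
}

// Tenant A's user asks the bot for tenant B's record.
const session = { userId: "u-1", tenantId: "tenant-a" };
console.log(getRecordUnguarded({ recordId: "rec-200" }).ok);        // schema passes, data leaks
console.log(getRecordGuarded({ recordId: "rec-200" }, session).ok); // denied in the handler
```

The guarded handler also ignores any `tenantId` the model puts in the arguments, which is the field a prompt-injected request would try to set.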

The Zendesk and YouTube bans

Two stories I told live and want to write down so I do not forget them.

I once made so many calls to the Zendesk API in a single development session that they rate-limited my account. The system worked. The system worked too well. The retry logic I had asked the AI to add was correct in shape and wrong in timing.

Same week, different system: I was pulling our YouTube videos through the Data API to populate a section of the site. I pulled them every page render. The user saw an empty page until the API forgave me.

Both bugs were AI-generated and AI-reviewed. Both passed all five layers of my pipeline. Neither was caught until production.

The pipeline is not magic. It catches a lot. It does not catch “this is technically correct but operationally a footgun”. That is still the engineer’s job.

The five-year-old with the genius mind

The framing I keep coming back to, borrowed from a talk I sat through years ago: AI is a five-year-old with the mind of a genius and the knowledge of the internet.

It can produce anything. It does not know what is worth producing.

That is why the orchestrator exists. That is why the spec comes before the code. That is why five models cross-check each other. The intelligence is in the room, but the judgment has to come from the human who knows what the system is for, who is going to use it, and what happens when it breaks.

The vibe coder asks the five-year-old to build the thing.

The vive coder writes the spec, asks the five-year-old to build it, asks the second five-year-old to audit it, and reads everything before merging.

Three things to take home

Discipline beats vibes. Always.

Right model for the right job. One model is never the right answer.

AI is your amplifier, not your enemy and not your engineer. It makes a trained one faster. It does not turn an untrained one into a trained one.

If you want the technical writeup, with the DAG, the agent classes, the model assignments, and the architecture of the IT Audit Labs portal that I shipped on this workflow, read the manifesto.

If you want to watch the talk, it is right here.

Watch the talk

Recorded live at IT Audit Labs game night, May 2026. Thanks to Eric Brown for the introduction and the original pronunciation correction, and to the team for being a sport when I called everyone a nerd as a compliment.