From Vibe Coding to Agentic Engineering — How Programming Is Changing
Posted on: 5/12/2026 10:19:15 AM
Table of contents
- 1. What Is Vibe Coding?
- 2. The Vibe Coding Landscape in 2026
- 3. The Next Step: From Vibe Coding to Agentic Engineering
- 4. The Agentic Engineering Workflow in Practice
- 5. Security Risks — The Dark Side You Can't Ignore
- 6. Best Practices — Safe Vibe Coding for Production
- 7. How the Developer Role Is Changing
- 8. When NOT to Vibe Code?
- 9. What's Next?
- References
1. What Is Vibe Coding?
In February 2025, Andrej Karpathy — OpenAI co-founder and former AI Director at Tesla — coined the term Vibe Coding to describe a new programming paradigm: developers describe requirements in natural language, and AI generates the entire source code. Instead of writing each line of code, you simply "feel the vibes" and let AI do the work.
The core idea: forget that code even exists. You talk to AI, describe what you want, accept the results if they work, and move on. No need to read and understand every line of generated code.
Vibe Coding Defined
Using natural language and AI tools to generate and refine code, replacing most of the traditional manual coding process. Developers shift from being code writers to intent describers.
2. The Vibe Coding Landscape in 2026
Just over a year after the term was coined, vibe coding has transformed the entire software development industry:
- 92% of US developers have adopted vibe coding practices at various levels
- 60% of new code written in 2026 involves AI assistance
- The global AI coding market reached $8.5 billion
- Karpathy himself admits that 80% of his code is now AI-written
The most popular tools: GitHub Copilot, Cursor, Claude Code, Windsurf, and Cline. Each tool is racing to support AI coding agents — from simple auto-complete to executing entire complex workflows.
```mermaid
graph LR
    subgraph "2023-2024"
        A["Autocomplete<br/>Code suggestions"]
    end
    subgraph "2025"
        B["Vibe Coding<br/>Describe -> Code"]
    end
    subgraph "2026"
        C["Agentic Engineering<br/>AI Agents execute autonomously"]
    end
    A -->|"Evolution"| B -->|"Evolution"| C
    style A fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style B fill:#2c3e50,stroke:#fff,color:#fff
    style C fill:#e94560,stroke:#fff,color:#fff
```
3. The Next Step: From Vibe Coding to Agentic Engineering
Karpathy himself recently declared that vibe coding is already outdated. His new preferred term is Agentic Engineering:
- "Agentic" — because the new default is that you're not directly writing code 99% of the time. You orchestrate AI agents that do the work, and you act as oversight
- "Engineering" — because this is a real art and science requiring expertise, not just typing prompts and hoping for the best
| Criteria | Vibe Coding | Agentic Engineering |
|---|---|---|
| Interaction | Single prompt → receive code | Orchestrate agent workflows |
| Developer role | Intent describer | Architect + supervisor |
| Trust level | Accept without review | Systematic review, automated testing |
| Scope | Generate code snippets | Execute entire features/workflows |
| Quality | Depends on prompt quality | Guardrails + CI/CD + human oversight |
| Best for | Prototypes, side projects | Production, enterprise |
Software 3.0
If Software 1.0 is writing explicit code, Software 2.0 is learning from data (ML/DL), then Software 3.0 is programming through sophisticated context and prompts for LLMs. Context becomes the operational foundation instead of traditional code.
4. The Agentic Engineering Workflow in Practice
In the agentic engineering model, developers don't write code directly but design and supervise a pipeline:
```mermaid
graph TD
    A["Developer writes Spec<br/>(Requirements + Constraints)"] --> B["AI Agent analyzes<br/>and plans"]
    B --> C["Agent writes code<br/>+ unit tests"]
    C --> D["CI/CD runs automatically<br/>Lint + Test + Security scan"]
    D -->|"Pass"| E["Human review<br/>Logic + Architecture"]
    D -->|"Fail"| C
    E -->|"Approve"| F["Deploy"]
    E -->|"Request changes"| B
    style A fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style B fill:#2c3e50,stroke:#fff,color:#fff
    style C fill:#2c3e50,stroke:#fff,color:#fff
    style D fill:#ff9800,stroke:#fff,color:#fff
    style E fill:#e94560,stroke:#fff,color:#fff
    style F fill:#4CAF50,stroke:#fff,color:#fff
```
Key steps:
- Write detailed specifications: Instead of writing code, developers write clear requirements including constraints, edge cases, and acceptance criteria
- AI Agent analyzes and executes: The agent independently analyzes the codebase, plans the approach, writes code and tests
- Automated validation: CI/CD pipeline runs linting, type checking, unit tests, and security scanning
- Human review: Developers review business logic, architecture, and design decisions — not syntax
```markdown
# Example Spec for Agentic Engineering

## Feature: User Authentication Refresh Token

### Requirements:
- Refresh token must expire after 30 days
- Each refresh token can only be used once (rotation)
- When reuse is detected -> revoke entire token family
- Rate limit: max 10 refresh requests/minute/user

### Constraints:
- Do not modify existing Users table schema
- Backward compatible with v2 API
- Store tokens in Redis with TTL

### Edge cases:
- Concurrent refresh requests from multiple devices
- Token rotation when user changes password
- Clock skew between service instances
```
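An added example (not code from the original post) showing what a reviewer should expect an implementation of the four requirements in this spec to do: 30-day expiry, single-use rotation, family revocation on reuse, and the per-user rate limit. The `RefreshTokenService` class, its status strings and the in-memory dicts standing in for Redis are assumptions; the password-change and clock-skew edge cases are not covered.

```python
import hashlib
import secrets
import time

REFRESH_TTL = 30 * 24 * 3600  # spec: refresh token expires after 30 days
RATE_LIMIT = 10               # spec: max 10 refresh requests/minute/user


class RefreshTokenService:
    """In-memory stand-in for the Redis store named in the spec (assumption)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens = {}      # sha256(token) -> record; raw tokens are never stored
        self.revoked = set()  # family ids revoked after reuse detection
        self.calls = {}       # user -> timestamps of refresh attempts in the last minute

    def _store(self, user, family):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = {"user": user, "family": family, "used": False,
                               "expires": self.clock() + REFRESH_TTL}
        return token

    def issue(self, user):
        """Login: start a new token family."""
        return self._store(user, secrets.token_hex(8))

    def refresh(self, token):
        """Rotate a refresh token; returns (status, new_token_or_None)."""
        now = self.clock()
        rec = self.tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None:
            return "invalid", None
        recent = [t for t in self.calls.get(rec["user"], []) if now - t < 60]
        self.calls[rec["user"]] = recent + [now]
        if len(recent) >= RATE_LIMIT:
            return "rate_limited", None
        if rec["family"] in self.revoked:
            return "revoked", None
        if now >= rec["expires"]:
            return "expired", None
        if rec["used"]:
            # Replay of an already-rotated token: revoke the whole family.
            self.revoked.add(rec["family"])
            return "reuse_detected", None
        rec["used"] = True  # in Redis this test-and-set must be one atomic step
        return "ok", self._store(rec["user"], rec["family"])
```

The "concurrent refresh requests" edge case is why the used-flag check and update must be atomic in a shared store: two devices presenting the same token at once would otherwise both rotate successfully.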
5. Security Risks — The Dark Side You Can't Ignore
According to a December 2025 analysis, AI co-authored code contains 1.7 times more critical issues than fully human-written code. Specifically:
6 Major Risk Categories
| Risk | Description | Severity |
|---|---|---|
| Prompt Injection | Malicious inputs manipulate models to leak data or disable security checks | High |
| Insecure Code Patterns | AI replicates known vulnerabilities or introduces new ones | High |
| Tool & Permission Misuse | Agents with broad access can rapidly escalate privileges | Critical |
| Untraceable Provenance | Lack of commit history and authorship metadata complicates auditing | Medium |
| Supply Chain Attacks | Compromised models or plugins; agentic workflows amplify impact | High |
| Shadow AI | Unapproved AI assistants bypass established security controls | Medium |
Real-world Warning
Code that works and passes basic tests doesn't mean it's secure. Production code needs deep review, threat-modeling, and security validation — regardless of whether it was written by AI or humans.
6. Best Practices — Safe Vibe Coding for Production
6.1. The "AI as Junior Developer" Principle
The most successful teams treat AI as a talented junior developer that needs constant supervision. AI writes code fast but lacks understanding of business context, security implications, and long-term architectural decisions.
6.2. Multi-layered Validation
```mermaid
graph TD
    A["AI generates code"] --> B["Static Analysis<br/>ESLint, SonarQube"]
    B --> C["Security Scan<br/>Snyk, Semgrep"]
    C --> D["Unit + Integration Tests"]
    D --> E["Human Code Review<br/>Logic + Architecture"]
    E --> F["Staging Deploy + QA"]
    F --> G["Production"]
    style A fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style B fill:#2c3e50,stroke:#fff,color:#fff
    style C fill:#ff9800,stroke:#fff,color:#fff
    style D fill:#2c3e50,stroke:#fff,color:#fff
    style E fill:#e94560,stroke:#fff,color:#fff
    style F fill:#2c3e50,stroke:#fff,color:#fff
    style G fill:#4CAF50,stroke:#fff,color:#fff
```
6.3. No-Go Zones for AI Code
Some areas should remain human-coded:
- Authentication & Authorization: Login logic, access control, token management
- Payment Processing: Financial transactions, billing logic
- Cryptography: Encryption, key management, signing
- Data Privacy: PII handling, GDPR compliance
6.4. Governance with Version-Controlled Instructions
```yaml
# .cursor/rules or CLAUDE.md
# Instruction file for AI agents
security:
  - Never store secrets in code or config files
  - Always parameterize SQL queries
  - Use bcrypt for password hashing, minimum 12 rounds
  - All API endpoints require authentication by default
architecture:
  - Follow existing patterns in the codebase
  - No new dependencies without explicit approval
  - Max function length: 50 lines
  - All public methods must have unit tests
```
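One way to back three of these rules (no secrets in code, parameterized SQL, no unapproved dependencies) with a pipeline check on the agent's diff, so a violation fails CI regardless of what the agent was told. This is an added example, not part of the original post: the regexes are heuristics, and `check_diff`, the rule names, the manifest list and the sample diff are all assumptions constructed for illustration.

```python
import re

# Heuristic patterns for two rules from the instruction file (assumed, not exhaustive).
SECRET = re.compile(r"""(?i)(password|passwd|secret|api_?key|token)\w*\s*[:=]\s*["'][^"']{8,}["']""")
SQL = re.compile(r"""(?i)\b(execute|query)\s*\(\s*(f["']|["'][^"']*["']\s*[%+]|["'][^"']*["']\s*\.format)""")
MANIFESTS = ("requirements.txt", "package.json", "go.mod", "Cargo.toml")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")


def check_diff(diff_text):
    """Return [(path, line_no, rule)] for added lines that break a rule."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[6:] if raw.startswith("+++ b/") else raw[4:]
        elif (m := HUNK.match(raw)):
            line_no = int(m.group(1))  # first line number in the new file
        elif raw.startswith("+"):
            added = raw[1:]
            if path and path.endswith(MANIFESTS) and added.strip():
                findings.append((path, line_no, "new-dependency-needs-approval"))
            if SECRET.search(added):
                findings.append((path, line_no, "secret-in-code"))
            if SQL.search(added):
                findings.append((path, line_no, "sql-not-parameterized"))
            line_no += 1
        elif raw.startswith(" "):
            line_no += 1  # context line; removed ("-") lines do not advance
    return findings


# Constructed sample diff, not taken from any real repository.
SAMPLE_DIFF = '''\
--- a/app/db.py
+++ b/app/db.py
@@ -10,3 +10,5 @@ def get_user(cur, uid):
     cur = conn.cursor()
-    cur.execute("SELECT * FROM users WHERE id = %s", (uid,))
+    cur.execute(f"SELECT * FROM users WHERE id = {uid}")
+    cur.execute("SELECT * FROM orders WHERE user_id = %s", (uid,))
+    API_KEY = "constructed-example-value"
     return cur.fetchone()
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,0 +4 @@
+leftpadx==1.0.0
'''
```

On the sample diff, `check_diff(SAMPLE_DIFF)` flags the f-string query, the hard-coded key and the new dependency, and leaves the parameterized query alone.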
7. How the Developer Role Is Changing
The most important developer skill in 2026 is no longer writing code fast, but rather:
- Writing clear specs: Precisely describing requirements, constraints, and edge cases
- Reviewing and catching bugs: Reading code quickly, detecting logic and security flaws
- System thinking: Understanding overall architecture and component interactions
- Context engineering: Designing optimal context for AI to produce the best results
8. When NOT to Vibe Code?
The Verifiability Principle
Vibe coding works best in domains where output is easily verifiable. If you can't quickly confirm that AI-generated code is correct, write it manually.
Situations where manual coding is preferable:
- Complex algorithms with invariants that are hard to verify through tests
- Compliance-related code (HIPAA, PCI-DSS)
- Performance-critical code requiring deep optimization
- Legacy system integration with poor documentation
- Code handling financial transactions or medical data
9. What's Next?
The clearest trend: the boundary between developer and AI will continue to blur. But this doesn't mean developers become redundant — on the contrary, the role becomes more important at a higher level: system design, quality assurance, and architectural decision-making.
Agentic Engineering isn't the end of programming — it's a natural evolution, much like how high-level languages replaced Assembly without diminishing the value of programmers. The winners will be developers who know how to combine AI power with deep understanding of technical fundamentals.
Advice
Don't fight the change, but don't abandon foundational knowledge either. Understanding how code works underneath helps you supervise AI better — and know when to intervene. Agentic engineering demands more engineering skills, not fewer.
References