How I Learned to Stop Worrying and Love Vibe Coding

How I Learned to Stop Worrying and Love Vibe Coding (PDF, 2.58 MB)

Last updated: 02 Oct, 2025

Presented by: Jon Zeolla

As a security professional, watching AI-generated code seep into production feels like a nightmare. It’s incredibly fast to write and looks convincing—but it’s often wrong. The code looks polished on the surface but rarely meets quality and security standards the first time around. Worse, it can erode trust in our tests, since AI writes and updates both the code and the tests—sometimes creating bugs and then quietly validating them.

And yet... I love AI tools. When I have a job to do, it’s great to have AI write the boilerplate to frame out the project almost instantly, and then continue to suggest improvements and quickly help me troubleshoot when I run into issues. How can we reconcile these two opposing views? Enter Policy as Code.

Over the past year and a half, I’ve been writing Policy as Code (PaC) to create automated guardrails that ensure only high-quality, compliant AI-generated code makes it to production—automatically, and enforced on every commit, across every repository. By codifying organizational requirements as machine-enforceable policies, we can scale our security and quality expectations without slowing teams down. In this talk, I’ll share my real-world lessons learned—mistakes and all—from rolling out Policy as Code across multiple engineering organizations.

Many companies have jumped headfirst into using AI for developer efficiency as well as in their products. Now, we’re entering an era of managing those wins responsibly. That means putting techniques in play that ensure we can stay compliant and safe against attackers as our companies continue to scale. Join me to get practical, field-tested approaches to getting your arms around AI-generated code tomorrow, without slowing down your development teams.

SANS CloudSecNext Summit 2025