
380,000 Unreviewed AI-Built Apps Expose the Limits of Shadow IT Policy

bleepingcomputer.com · @threat_watch · 3 hours ago · Cybersecurity · 3 comments

RedAccess scanning found 380,000 publicly accessible assets built on vibe coding platforms, 5,000 of them leaking corporate secrets.

Tags: Tines, Datadog, Jamf, ASOS, RedAccess, AI governance

RedAccess found 380,000 publicly accessible assets on vibe coding platforms like Lovable, Base44, and Netlify, 5,000 of them leaking sensitive corporate information. That's the measurable part of a code sprawl problem that security leaders from Datadog, Jamf, and ASOS say is running wild in 2026.

The Scale of Ungoverned AI Code

Code sprawl isn't new, but AI tools have turned it into a superweed. Every employee with a Claude or ChatGPT subscription can now build automations, scripts, and full applications that never pass through a security review.

At a Tines-hosted virtual event called Workflow, Jamf CISO Mario Villatoro, former ASOS CISO Indu Sajeev, and Datadog's Director of Security Operations Matt Muller shared what they're seeing. The bottom line: conventional, review-by-review governance cannot keep pace with this volume.

Why Policy Fails When Employees Want to Build

"Employees who want to get their job done are by far the most persistent and successful APTs," Muller said. Ban a tool and they'll photograph the screen with a phone and feed the data into a personal account. The behavior goes underground, not away.

Sajeev put it bluntly: "I don't think it can be a paper-based, policy-based governance layer. It needs to be something that's codified and that runs continuously at a critical infrastructure level." Paper policies don't stop a motivated builder.

What Works: Data Classification, Tooling Hubs, and Use-Case Registries

Villatoro started with the unglamorous ground truth: "Do you have your data categorized correctly? Because if you just say 'sensitive data', well, what is sensitive data?" Without proper tagging, every downstream control is built on sand.

Muller flipped the script by making the security team a tool provider, not a gatekeeper. "Make Claude skills available in an internal marketplace. Our only ask is: when you use it, give us feedback." The goal is one funnel for AI usage, even if that funnel lights up with uncomfortable activity. Visibility beats prohibition.

At ASOS, Sajeev implemented a use-case registry that treats AI agents like infrastructure assets. Each agent gets a human identity and a documented purpose, making accountability traceable. The registry also forces the underlying data-maturity conversation that most orgs want to skip.
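To make the three points above concrete (Sajeev's "codified, continuously running" governance layer, Villatoro's insistence on a real classification scheme, and a use-case registry that gives every agent a human owner and a documented purpose), here is an added example of what such a check can look like when it runs over a discovery scan. It is illustrative code written for this page, not ASOS's registry or RedAccess's scanner: the classification levels, the per-platform ceilings, and the sample assets are all constructed assumptions.

```python
from dataclasses import dataclass

# Ordered classification scheme, lowest to highest sensitivity.
# Assumed for this example; the article only says data must be categorised.
LEVELS = ("public", "internal", "confidential", "restricted")

# Highest classification each hosting platform is approved to hold.
# Constructed policy for the example, not any company's real rule.
PLATFORM_CEILING = {
    "lovable": "internal",
    "base44": "internal",
    "netlify": "internal",
    "internal-k8s": "restricted",
}


@dataclass(frozen=True)
class RegistryEntry:
    asset_id: str
    owner: str       # accountable human identity
    purpose: str     # documented use case
    data_class: str  # highest classification the agent is allowed to touch


@dataclass(frozen=True)
class DiscoveredAsset:
    asset_id: str
    platform: str
    public: bool     # reachable from the internet without authentication


def rank(data_class: str) -> int:
    """Position of a label in LEVELS (caller guarantees the label is known)."""
    return LEVELS.index(data_class)


def reconcile(discovered, registry):
    """Return (asset_id, finding) pairs for every discovered asset that sits
    outside the governed path. Order is deterministic: assets in discovery
    order, checks in the order written below."""
    by_id = {e.asset_id: e for e in registry}
    findings = []
    for asset in discovered:
        entry = by_id.get(asset.asset_id)
        if entry is None:
            findings.append((asset.asset_id, "unregistered"))
            continue
        if not entry.owner.strip():
            findings.append((asset.asset_id, "no-owner"))
        if not entry.purpose.strip():
            findings.append((asset.asset_id, "no-purpose"))
        if entry.data_class not in LEVELS:
            # Villatoro's point: a label like "sensitive" that is not in the
            # scheme is not a classification, so no downstream check is safe.
            findings.append((asset.asset_id, f"unknown-classification:{entry.data_class}"))
            continue
        # Unknown platforms get the most restrictive ceiling (public only).
        ceiling = PLATFORM_CEILING.get(asset.platform, "public")
        if rank(entry.data_class) > rank(ceiling):
            findings.append((asset.asset_id, f"exceeds-platform-ceiling:{entry.data_class}>{ceiling}"))
        if asset.public and entry.data_class != "public":
            findings.append((asset.asset_id, f"public-exposure:{entry.data_class}"))
    return findings


def sample_run():
    """Constructed scan output and registry, assumed purely for illustration."""
    discovered = [
        DiscoveredAsset("app-001", "lovable", public=True),
        DiscoveredAsset("app-002", "lovable", public=True),
        DiscoveredAsset("app-003", "internal-k8s", public=False),
        DiscoveredAsset("app-004", "netlify", public=False),
        DiscoveredAsset("app-005", "lovable", public=False),
    ]
    registry = [
        RegistryEntry("app-001", "alice@example.com", "HR onboarding FAQ bot", "internal"),
        RegistryEntry("app-003", "bob@example.com", "Invoice reconciliation agent", "confidential"),
        RegistryEntry("app-004", "carol@example.com", "", "confidential"),
        RegistryEntry("app-005", "dave@example.com", "Ticket triage", "sensitive"),
    ]
    return reconcile(discovered, registry)


if __name__ == "__main__":
    for asset_id, finding in sample_run():
        print(f"{asset_id}: {finding}")
```

The point of the check is that it runs against what is actually deployed, not against what people said they would deploy: anything discovery finds that the registry does not know about is a finding by itself, and a registered asset is still flagged when its classification is not one the scheme recognises, when it exceeds what its platform is approved for, or when it is publicly reachable while handling non-public data.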

Make the governed path more appealing than the ungoverned one. That's the working principle. The question for 2026 is whether security teams can pull it off before the next incident makes the choice for them.


Source: Vibe coders are gonna vibe code: How CISOs are tackling code sprawl
Domain: bleepingcomputer.com
