There’s something about AI-assisted coding, or “vibe coding”, that feels eerily familiar. Not familiar in the cozy, “grandma’s kitchen” sense, but familiar in the “oh dear God, haven’t we lived through this before?” way. As someone who has spent 25 years in cybersecurity, but also lived through the heady days of financial services leading up to the 2008 crash, I can’t shake the déjà vu, but I couldn’t find the word to describe it.
Rewind 18 years. Fintechs were booming, balance sheets were exploding, and the market believed in infinite growth because, well, why not? When Bear Stearns collapsed in March 2008, the financial world shrugged and said, “That’s weird, but it’ll buff out.” Then Lehman Brothers imploded in September, and suddenly it wasn’t fine. Cue The Big Short, a Michael Lewis book (and later a hit movie) that let everyone claim they totally understood what Collateralized Debt Obligations (CDOs) and Credit Default Swaps (CDSs) were.
This summer, I attended Stacey Schreft’s talk at B-Sides Las Vegas comparing the 2008 crisis to cybersecurity. She aptly pointed out that the 2008 financial crisis was caused by a number of factors, and one of them was “Leverage”. That’s the word I had been fumbling for! AI-assisted coding is doing exactly that: it is creating massive leverage for half-baked designs to sprint into production, and it democratizes a skill that often requires nuanced knowledge. And if history is any guide, we may be on the brink of a subprime coding crisis.
Subprime Code and the Illusion of Velocity
Let’s start with the obvious: there’s been an explosion of AI tools that promise to help you code faster: Claude Code, Cursor, Replit, GitHub Copilot, ChatGPT plugins, take your pick. With a keystroke, anyone can generate scaffolding, build APIs, or even deploy entire web or mobile apps. Idea-to-Build-to-Deploy-to-Prod pipelines have never been so frictionless.
And therein lies the leverage. We’ve handed the keys to developers, regardless of skill or experience level, who can now ship “working” software without really understanding what’s under the hood. Just like banks in 2006 handing out no-documentation loans — “you want a $500,000 mortgage with no job, no income, and no clue? Approved!”
Velocity is intoxicating. But velocity without guardrails is risky, like a centrifuge spinning out of control. We’ve already seen it: junior developers proudly demoing AI-generated apps that “just work” until you actually press a few buttons and the thing catches fire. Blue skies today, storm clouds tomorrow.
The financial world had its subprime mortgages bundled into AAA-rated instruments called CDOs. In tech, we’re stuffing subprime code into environments that may also host mission-critical, well-architected systems. And just like those mortgage bundles, the toxic parts don’t stay hidden forever. Eventually, they overwhelm the system.
The Disappearance of the Experts
Here’s the kicker: the people who actually know how to build resilient systems (the software equivalent of conservative bankers) are increasingly being sidelined.
Experts understand full lifecycles: design, build, test, deploy, maintain, decommission. They know how to architect for failure, manage dependencies, and measure resilience. But in the vibe coding world, those experts can be seen as expensive bottlenecks. “Why waste time on design reviews when Copilot can churn out a module in 30 seconds?”
Sound familiar? It should. During the mortgage boom, traditional bankers who insisted on things like income verification were laughed out of the room. Why check pay stubs when the market is only going up?
Subprime code is like the adjustable-rate mortgage of software. Cheap and shiny at first, a maintenance nightmare later. Return on investment looks fantastic on day one: “Look, we shipped in record time!” but the total cost of ownership lurks like a balloon payment.
Tech Debt Interest Rates Rise
Ask any seasoned engineer: all software atrophies. Bugs accumulate. Dependencies rot. Vulnerabilities creep in. Without care and feeding, systems degrade. Historically, experts have played the roles of janitor, custodian, and responsible borrower, patching, refactoring, and paying down the interest on tech debt.
But AI-assisted coding doesn’t do maintenance. It doesn’t monitor environments. It doesn’t patch quietly at 2 a.m. It just creates more code. And more code equals more surface area for entropy.
As technical debt mounts, the “interest rate” rises. Minor bugs turn into cascading failures. Vulnerabilities become attack vectors. Suddenly, those quick wins cost exponentially more to sustain. Just like mortgage defaults snowballed when interest rates reset, defaults in vibe-coded systems will come when organizations can’t keep up with the compounding debt.
The Crash
At first, everything will look fine. Systems will hum, dashboards will glow green, and product managers will beam about how fast they’re shipping.
Then entropy kicks in. Fragility multiplies. That vibe-coded feature you deployed last year? It now breaks every time a library updates. The chatbot you shipped to production? It leaks data under certain inputs. The infrastructure-as-code templates your intern pasted in? They left the equivalent of the front door wide open.
When enough of these brittle systems stack together, the crash comes. Not necessarily one big bang (though don’t rule it out), but more likely a rolling crisis. Outages become more frequent, breaches more severe, and recovery becomes slower. Organizations without experts to bail water will drown in their own subprime code.
The severity of the crash may depend on the ratio of subprime code to prime code, and whether experts have been retained as the last line of defense. Unfortunately, the current trajectory doesn’t inspire confidence, and those experts will likely burn out fighting the fire.
Avoiding the Subprime Code Bubble Burst
So, where do we go from here? Pretending vibe coding doesn’t exist isn’t an option. The genie is out of the bottle, and frankly, there’s enormous potential if we wield it wisely. But just as regulators eventually reined in no-doc loans (a bit too late, admittedly), we need discipline in software development before the crash comes.
- PoC / R&D is not Production Grade. Develop and experiment with intentionality, but plan on doing significant engineering work afterward to make the result production grade. Don’t let the intoxication of velocity make you forget how to make things resilient and great.
- Architect for resilience, not just features. Build failure modes into the design, not as an afterthought.
- Retain and empower experts. They’re not relics of a bygone era; they’re the guardrails that keep velocity from turning into a crash.
- Don’t forget to train the next generation. While they can build quickly because they don’t know what dangers lurk in prod, they also need to learn how to build well.
- Test like you mean it. Automated frameworks that validate resilience are as critical as the code itself.
- Plan for maintenance up front. If your AI-generated module doesn’t come with a maintenance strategy, then it’s not an asset; it’s a liability. Don’t focus solely on ROI, but also consider TCO.
The temptation will always be to hand AI tools to non-experts and let them sprint. It’s cheaper. It’s faster. It feels like growth. But without expertise, architecture, and discipline, it’s just leverage. Leverage cuts both ways, and it cuts deeper over time.
The 2008 crisis taught us that bubbles don’t last forever, and crashes are far more expensive than resilience. Today, vibe coding gives us incredible speed, but it also risks burying us in a mountain of subprime code. The only question is whether we learn from history or end up explaining to our kids, 10 years from now, why The Big Short 2: Code Harder is topping Netflix.

