Your Team Can Build Anything. That’s The Problem

Asphalt road destroyed by the landslide
AdobeStock
The dangers of vibe coding continue to grow—especially for finance. But there’s a solution taking shape.

A couple of months ago I was training a RoboCFO client’s finance team on the advanced end of what Claude can do, and we got to the segment on vibe coding, where everyone learns to build and deploy their own apps. We’d just walked through the NetSuite MCP server, the role-based access and the guardrails Oracle already built into it. These are the kinds of rails that let you hand the tool to a controller and sleep fine. Then I said the part that’s been rattling around my head ever since.

Anybody can point an AI at a company’s financials. It takes about two minutes and literally zero training. But if you can’t reliably tell EBITDA from net income, or say why operating income sits between them, you won’t catch the model when it’s confidently wrong—and at some point it will be wrong in ways that look clean to the untrained eye. You need the domain expertise to know what you’re even looking at.

Same goes for the app you just vibe-coded. If you’re not an engineer or a security person, you don’t have the domain expertise to know which guardrails you’re missing, and you can’t put up a rail you’ve never heard of. A security pro looks at that same app and asks whether the database login it’s using can read one table or the whole thing, whether there’s a password sitting in plain text in the code, if the app is sitting open to the internet with no sign-in, or if anyone will ever know it ran. You didn’t ask any of those because you didn’t know they existed. I was telling a room of smart, tech-forward people that the thing I’d just taught them to do was one they weren’t equipped to do safely and I watched it land.

Here’s the part I didn’t say: Both my insurance policies had come up for renewal that same week. Cyber liability, for when a client’s data ends up somewhere it shouldn’t, and errors-and-omissions, for when the client decides your advice put it there.

I was pricing my own downside and handing everyone else theirs in the same week.

That juxtaposition stung a bit.

So I softened the training. I’d been slipping caveats in all week without quite noticing: use fake data for now, don’t wire anything into the real systems, loop in IT before this goes near production and please don’t point it at the live ledger. I was teaching a declawed version, because the full version felt like dropping them into a Ferrari, pointing them at the test track and sending them off with no seatbelt. And the only guardrail actually in the room was me, standing at the front hoping everyone remembered the caveats after the coffee wore off.

You can’t insure your way out of a fire you can see coming. Sooner or later somebody has to go move the matches.

(I realize I’m mixing metaphors again, but you get it.)

The reviewer is gone

Back in May I ran the body count. Israeli researchers scanned roughly 380,000 apps built with AI coding tools and found about 5,000 leaking corporate data, internal financial records and sales files and strategy decks sitting on the open web for anyone who typed the URL. Finance was in the blast radius. The short version, if you missed it: The apps shipped public by default, and nobody flipped the setting.

What’s stuck with me since isn’t that scan. It’s what the scan is a symptom of.

The person who used to catch the security problem before it shipped has been designed out of the process. These tools are very good at producing software that run—and pretty bad at producing software that’s safe. And those are not the same skill. Veracode tested over a hundred models and found that 45 percent of AI-generated code carries the kind of hole that belongs on the OWASP Top 10, and the pass rate has held flat near 55 percent even as the models got dramatically better at coding. Bigger model, same hole. At Fortune 50 scale it gets worse: AI-assisted developers ship three to four times faster while their monthly security findings jump roughly tenfold. Ship rate up, defect rate up more. Same curve, two readings.

The failure modes are getting inventive, too. There’s a fresh one called slopsquatting: The model hallucinates a software package that doesn’t exist, an attacker registers that exact fake name and loads it with malware, and the next person who runs the AI’s code installs it without a second look. Socket’s research lead warned in late June that AI agents are pulling in dependencies faster than any scanner can watch, and that the first half of 2026 already produced more than four times the package-compromise volume of all of last year. Even Microsoft got its own open-source projects breached twice in a matter of weeks, with password-stealing malware slipped into tools developers run right alongside their AI assistants. If Microsoft’s supply chain can get hit, the dashboard your treasury analyst built over the weekend is not the hard target here.

Why it’s your problem specifically

A vibe-coded app in marketing leaks a campaign calendar. A vibe-coded app in finance reaches the operating account, the AP subledger, the AR subledger and payroll. Same tool, different blast radius—and yours is the one with the balance sheet wired to it.

The prototype works, the trouble is everything wrapped around it: no access review, no log of who touched the data, no version control, no idea whether it’s reading from a sandbox or the live ledger. For a public company, that’s a compliance problem with a short fuse. SOX already demands access controls, audit trails, documented data handling, and a named owner for anything touching financial reporting, and an unauthenticated app rendering ERP data in a browser window misses all of it the second an auditor finds it. The EU AI Act’s high-risk provisions land August 2, and citizen-built tools can trip them while sitting below the line where anyone’s looking. IBM puts the shadow-AI premium at about $670,000 on top of an already ugly breach.

The Cloud Security Alliance said the quiet part out loud in June: A risk committee can’t sign off on controls inside applications it can’t even list. Which squares with something from an Escape.tech scan I flagged in May: Not one of the 5,600 apps they checked had basic access scoping in place. You can’t govern what you can’t see, and right now you can’t see most of it.

So I built the harness

The only guardrail in that room was me, and I don’t scale. Caveats stop working the second the session ends. So I stopped trying to bolt on rails one at a time and built the thing they run inside instead. It’s called Trustward. A harness for the apps your team builds.

The idea is boring in the best way. Your team keeps the AI coding tool they already like. Trustward sits between that tool and your real systems and hands each app only the slice of data it’s cleared for, masked and logged, through credentials that reach nothing else. While they build, the tool works against synthetic data, so the dangerous paste into some outside model has nothing live to leak. Every app they ship lands on a map you can read in plain English: who owns it, what data it touches, whether it’s cleared and when it last ran. And if one of them needs to stop, you stop it. One switch.

You never read a line of the code. You get the part that was your job all along, which is knowing what’s running and being able to turn it off.

Five years out

Play it forward and the training room I was standing in stops being a training room because nobody needs to be taught anymore. The very notion seems as archaic as teaching a roomful of analysts how to Google something or attach a file to an email. Every person on your team runs a personal automation platform the way they run email today. The month-end close assembles itself overnight while a fleet of small agents ties out the subledgers and drafts the commentary for a human to bless over coffee. The analyst doesn’t build one dashboard over lunch. She runs a dozen agents that build and rebuild 40 of them, retiring the ones that stop earning their keep. The org chart stops looking like a pyramid with a wide base of juniors doing grunt work and starts looking like a diamond, thin at the bottom, thick in the middle where people direct the machines. PwC is already watching that shape form.

Plenty of it won’t arrive on schedule. Gartner expects more than 40 percent of agentic AI projects to be scrapped by 2027, and the ones that die will mostly be the ungoverned ones, the pilots that couldn’t prove what they did or couldn’t be trusted near real data. That’s the part worth sitting with. The teams that win the next five years are the ones that built inside something, with a wall around the work and a record of what it touched, so the speed came with a paper trail instead of a prayer.

Everyone on your team is going to build like this soon, all day, whether you’re ready for it or not. The only real choice you get is whether they’re building with rails that hold, or building with nothing under them at all.

Next time I run that training, I’m not going to soften anything. I won’t have to.


  • Get the CFO Leadership Briefing

    Sign up today to get weekly access to the latest issues affecting CFOs in every industry

    "*" indicates required fields

    This field is for validation purposes and should be left unchanged.
    Name*
    This field is hidden when viewing the form
    Send me more information about the CFO Peer Network.
    A members-only peer network for CFOs. Members meet both online and in-person a few times a year.
  • MORE INSIGHTS