
Chapter 18 · 08

Automation complacency, security edition

The most dangerous moment isn't day one — it's day ninety. On day one you're cautious; you read every diff, you run the attacker prompt, you check the upload handler. Then a hundred changes ship and nothing bad happens, and the checking starts to feel like ceremony. You skip the review gate "just this once" on a small change. The small change adds something new with no authorization check. Nothing happens for a while, because nothing happening is exactly what a security hole looks like from the inside.

This is automation complacency pointed at security, and it's worse here than anywhere else, because security failures are silent and delayed. A broken feature punishes you in minutes. A broken permission check rewards you with apparent success right up until the breach. The absence of disaster is not evidence of safety — it's the normal condition of a vulnerable app that simply hasn't been found yet.

The defense is to make the gate cheap enough that you don't skip it and automatic enough that you can't. Wire the scan and audit in so they run without depending on your memory, and keep the attacker prompt handy for anything touching auth, data, or uploads. Hold one line: a change that handles user data or permissions doesn't ship until someone — you, with the AI's honest help — has actively tried to break it. Speed in vibe coding comes from good gates, not from trusting that the quiet means everything is fine.
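One way to make that gate mechanical rather than memory-dependent is a fail-closed check that runs on every change: each route in the app must declare an authorization policy, and any changed route that touches user data, permissions, or uploads must carry a recorded "tried to break it" review before the pipeline lets it through. The code below is an added illustration written for this chapter, not code from the handbook or any framework; the `route` registry, the `touches` tags, the policy names, and the sample app are all constructed assumptions standing in for whatever your real framework exposes.

```python
"""Fail-closed security gate for a change set (added example, constructed registry).

Two checks, both independent of anyone remembering to look:
  1. every registered handler declares an authorization policy (None is a finding);
  2. every changed handler tagged as touching sensitive material must have a
     recorded break-it review, or the change is blocked.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Set

# Tags a handler may carry; any of these puts it behind the manual attack gate.
SENSITIVE = {"user_data", "permissions", "upload"}


@dataclass
class Handler:
    path: str
    func: Callable
    auth: Optional[str] = None          # name of the authorization policy; None = undeclared
    touches: Set[str] = field(default_factory=set)


HANDLERS: Dict[str, Handler] = {}   # hypothetical route registry, keyed by path


def route(path: str, *, auth: Optional[str] = None, touches: Iterable[str] = ()):
    """Decorator that registers a handler with its declared policy and tags (assumed API)."""
    def deco(f: Callable) -> Callable:
        HANDLERS[path] = Handler(path, f, auth, set(touches))
        return f
    return deco


# --- constructed sample app ---------------------------------------------------

@route("/health", auth="public")
def health() -> str:
    return "ok"


@route("/me/export", auth="owner_only", touches={"user_data"})
def export_me() -> str:
    return "export"


@route("/admin/users", touches={"permissions"})   # the "small change": auth never declared
def admin_users() -> str:
    return "users"


@route("/files", auth="authenticated", touches={"upload"})
def upload() -> str:
    return "stored"


# --- the gate -----------------------------------------------------------------

def missing_auth(handlers: Dict[str, Handler] = HANDLERS) -> List[str]:
    """Paths whose handler declares no authorization policy at all."""
    return sorted(p for p, h in handlers.items() if h.auth is None)


def gate(changed_paths: Iterable[str],
         reviewed_paths: Set[str],
         handlers: Dict[str, Handler] = HANDLERS) -> List[str]:
    """Return the list of blocking reasons for a change set; an empty list means it may ship.

    `changed_paths` would come from the diff; `reviewed_paths` is whatever record the
    break-it review leaves behind (a PR label, a checklist file, a sign-off line).
    """
    reasons: List[str] = []
    for p in changed_paths:
        h = handlers.get(p)
        if h is None:
            continue   # not a registered route; nothing for this gate to say
        if h.auth is None:
            reasons.append(f"{p}: no authorization policy declared")
        sensitive = h.touches & SENSITIVE
        if sensitive and p not in reviewed_paths:
            reasons.append(
                f"{p}: touches {sorted(sensitive)} and has no recorded break-it review"
            )
    return reasons


if __name__ == "__main__":
    # Day-ninety scenario: the admin route lands with no review and no policy.
    for reason in gate(["/admin/users", "/health"], reviewed_paths=set()):
        print("BLOCKED:", reason)
```

The point of the design is that both findings come from data the code already carries (the declared policy and the tags), so the gate fires on the change that "does nothing" just as reliably as on the one that breaks a feature. Running `gate` in CI with a non-zero exit on any reason is what turns "I'll check it" into "it can't ship unchecked".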
