Introduction

Not long ago, building a software application or automating a process required technical expertise, development skills, careful planning, and coordination across teams. 

Today, it might just take a well-crafted prompt into an artificial intelligence (AI) platform. 

  • Need to automate a task? There's a prompt for that.
  • Looking to write a PowerShell Script or Excel Macro? Look no further.
  • Want to connect systems or build an application? AI can generate code in seconds.

What once required specialized knowledge is now accessible to almost anyone, and while that's exciting, it also raises an important question:

What happens when people start building solutions without fully understanding how they work or the risks they present?

For financial institutions, this is a critical question if the system accesses, transmits, stores, or shares regulated data (e.g., GLBA-protected data). Let's take a look at the rise of vibe coding and AI citizen developers, as well as steps you can take to protect your business and your information.

A Familiar Pattern: Lessons from the Early Internet

Some of us remember what it was like when the internet took off; for those who were born with an iPhone in hand, here is a quick history lesson.

When the internet was just beginning, organizations realized they needed websites. There was urgency to get online and fast. So, what happened?

Many organizations hired whoever could build something quickly, which sometimes meant:

  • Inexperienced developers
  • No secure coding practices
  • No understanding of vulnerabilities

The result? Websites that looked functional, but were wide open to compromise.

We're seeing a similar pattern today with vibe coding and citizen developers, except now it's happening at machine speed and often without oversight.

What is Vibe Coding?

With AI, you don't need a background in software development to build tools or even create full applications. You just need a good prompt and an AI coding assistant (e.g., Claude Code, ChatGPT Codex, GitHub Copilot). This has led to a growing trend often called "vibe coding."

Vibe coding occurs when someone:

  1. Describes what they want in plain English to an AI tool.
  2. Prompts the AI to generate a solution.
  3. Iterates through quick tweaks until it "feels right," and then…
  4. Ships it.

No formal design. No structured testing. No security validation. Just vibes. ✨

While this kind of approach may be fine for personal experimentation, for community financial institutions, vibe coding introduces significant risks that cannot be overlooked.

Quick Disclaimer: When we're talking about vibe coding, we're not talking about using AI to write a simple Excel formula or a small macro. This is about using AI to build tools, connect systems, or automate processes that interact with real data and support day-to-day operations.

What is a Citizen Developer?

A citizen developer is an individual who uses AI tools to generate, debug, and optimize software without formal training in software development, security, or system design.

Many terms fall under this category, such as:

  • Prompt Engineer
  • AI Developer
  • AI-Assisted Developer
  • AI Application Builder
  • Vibe Coder

These individuals are not authorized developers. They are not usually security experts. But they are building things that can directly impact your systems, data, and operations. Often, they do it with the best intentions (trying to work faster, automate tasks, or solve everyday problems), which is part of what makes this risk so tricky.

So, What Could Go Wrong?

Vibe coding and citizen development introduce real risks for community financial institutions because they move software creation outside of established governance, security, and operational risk management practices.

Governance Risks

AI-driven development often bypasses the institution's established system development life cycle (SDLC), which is expected under FFIEC guidance. Instead of progressing through defined stages (i.e., initiation, development, testing, implementation, maintenance, and sunset), vibe coded solutions may move directly from prompt to production.

This lack of structure weakens foundational governance controls such as approval workflows, documentation standards, change management, and segregation of duties. It also expands shadow IT, as employees independently build automations, applications, and integrations outside of IT visibility.

In some cases, these tools are deployed directly into production environments without staging, version control, or formal rollback procedures, increasing the institution's exposure to unmanaged change.

Security Risks

AI-generated code can introduce security and data protection weaknesses even when it appears to function correctly. Common issues include missing input validation, weak authentication controls, and insecure API management.

There is also a significant risk of data leakage. Users may test or validate solutions using proprietary or nonpublic data, which can then be inadvertently exposed through insecure storage, plain-text logging, or being shared with unintended recipients. 

In addition, AI-generated solutions frequently rely on external APIs, third-party services, or open-source components that have not been formally reviewed. These dependencies can introduce unauthorized third-party relationships and create hidden data flows outside of established vendor management processes.

Operational Risks

When AI-generated solutions are deployed without structured testing or oversight, even minor issues can create operational disruption. Common gaps include missing edge cases, limited logging, and inadequate error handling.

In addition, systems may produce inaccurate or misleading outputs that are not immediately apparent, particularly when results appear plausible on the surface. 

Without proper controls, failures may surface directly in production and be difficult to detect or resolve quickly. When outputs inform important decisions, even subtle inaccuracies can lead to significant downstream costs. Over time, this increases the likelihood of service interruptions, breaks down trust in system outputs, and reduces the institution's ability to respond effectively when issues occur.
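As an added illustration of the weaknesses listed under Security Risks and Operational Risks (plain-text logging of nonpublic data, missing input validation, hardcoded secrets, inadequate error handling), here is a constructed Python snippet, not from the article, showing the kind of first draft an AI coding assistant tends to produce beside the version a reviewer would require. The record fields, the "sync" API and the SYNC_API_KEY setting are assumptions made for the example.

```python
import os
import re

# Constructed sample record; the field names, the "sync" API and the key name
# SYNC_API_KEY are invented for this example and do not come from the article.
CONSTRUCTED_RECORD = {
    "member_id": "M-1001",
    "account_number": "4111222233334444",
    "email": "jane@example.com",
}

ACCOUNT_RE = re.compile(r"\d{8,19}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def vibe_coded_sync(record):
    """The first draft a prompt tends to produce: secret in source, no input
    checks, and the whole nonpublic record written to the log line."""
    api_key = "PLACEHOLDER-HARDCODED-KEY"       # hardcoded secret
    log_line = f"sync request: {record!r}"      # plain-text logging of account data
    return {"authorization": api_key, "body": record, "log": log_line}


def mask_account(acct):
    """Keep only the last four digits so logs never carry the full number."""
    return "*" * (len(acct) - 4) + acct[-4:]


def validated_sync(record, env=None):
    """What a reviewer would ask for instead: secret from configuration, strict
    input validation, masked identifiers in logs, and fail-closed errors."""
    env = os.environ if env is None else env
    api_key = env.get("SYNC_API_KEY")
    if not api_key:
        raise RuntimeError("SYNC_API_KEY is not configured")
    member_id = str(record.get("member_id", ""))
    acct = str(record.get("account_number", ""))
    email = str(record.get("email", ""))
    if not ACCOUNT_RE.fullmatch(acct):
        raise ValueError(f"invalid account_number for member {member_id}")
    if not EMAIL_RE.fullmatch(email):
        raise ValueError(f"invalid email for member {member_id}")
    log_line = f"sync request: member={member_id} account={mask_account(acct)}"
    body = {"member_id": member_id, "account_number": acct, "email": email}
    return {"authorization": api_key, "body": body, "log": log_line}


def log_leaks_account(log_line):
    """Review check: does a log line still contain an unmasked account number?"""
    return ACCOUNT_RE.search(log_line) is not None
```

The `log_leaks_account` check is the kind of mechanical test that can run in security testing over an application's log output, independent of who or what wrote the code.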

What Can You Do About It?

The goal of managing "vibe coding" and citizen development is not necessarily to eliminate the use of AI or to restrict innovation. Instead, it is about ensuring AI is used with the right level of expertise, oversight, and control. 

Two quick notes here: 

  1. Most of these controls are not new. The issue with AI is that it is easier for people to build and deploy things outside of the normal process. So, the question becomes less about whether standards exist and more about whether they are being applied in the first place. 
     
  2. Required controls are going to vary. While these suggestions are good in principle, they may be too much or too little in practice. Your organization's size, complexity, risk, and use cases are going to ultimately determine what controls you need to put in place to adequately manage the risk of vibe coding and citizen developers.

Learn more about secure development practices in the FFIEC IT Examination Handbook, Development, Acquisition, and Maintenance Booklet.

Governance Controls

Governance controls help ensure AI-assisted development remains under the institution's oversight.

  • Write a clear AI policy. You can't hold people accountable to nonexistent standards. Your AI policy should be clear about acceptable use of AI tools, including which ones may (or may not) be used, as well as what types of data or activities are prohibited.
  • Identify and engage citizen developers. Make reasonable efforts to identify areas where employees may be building solutions outside of IT oversight and start the process of bringing those activities under the institution's control.
  • Require a human-in-the-loop. It can be helpful to think of an AI coding assistant as a junior developer who writes fast, but still needs review. All AI-produced outputs should be reviewed by qualified personnel (e.g., developers, IT, information security, compliance) with knowledge of system design, security requirements, and operational dependencies.
  • Maintain an SDLC and train citizen developers. AI-assisted development should follow formal SDLC processes. Employees who are authorized to use AI tools should receive practical training on risks, including data handling, secure development expectations, and when review is required.
  • Create a culture of "verify, don't just trust." AI can be very convincing. That's why it's important to reinforce a consistent mindset: Just because it works doesn't mean it's safe. Encourage all employees to pause and think through downstream effects.

Security Controls

Security controls help prevent data exposure and ensure AI-generated code does not introduce vulnerabilities.

  • Restrict direct production use. If you are going to allow AI coding assistants, it is a best practice to ensure these tools are not able to directly access or change production systems. AI-generated code should never be deployed into production without formal review, testing, and approval.
     
  • Protect sensitive data. Unless explicitly approved and properly controlled, nonpublic, confidential, and/or restricted data should not be used in AI tools. This should apply not only to vibe coding and citizen developers, but to all use of AI tools at your organization.
     
  • Configure development environments securely. Work with citizen developers to implement required security controls (e.g., multi-factor authentication, data controls, monitoring and logging, etc.). 
     
  • Perform regular security testing. Include vibe coded applications in your security testing activities (e.g., audits, penetration tests, vulnerability assessments), the same way you'd include other internally developed applications. Check for issues such as weak authentication, improper input validation, insecure APIs, and inadequate error handling.
     
  • Plan for ongoing maintenance. When software (vibe coded or otherwise) relies on third-party components, those components must be regularly updated to address newly discovered vulnerabilities and incorporate supported versions. Without maintenance, dependencies can become outdated and introduce security and stability risks over time.
     
  • Manage third-party risk. Speaking of third-party components, make sure third-party AI vendors are included in your vendor management program. Perform risk assessments, obtain formal vendor approval, and review each AI vendor's privacy policy, SOC report, and other security documentation to manage supply chain risk and ensure they are a good fit for your organization.

Operational Controls

Operational controls help ensure AI-generated code is stable and resilient. 

  • Validate in controlled environments before release. AI-assisted solutions should be tested in non-production environments to identify errors, edge cases, and performance issues before they impact live systems.
     
  • Apply formal change management practices. Version control, documentation, approval workflows, and rollback capabilities should remain in place regardless of how code is produced.
     
  • Maintain monitoring and visibility. Logging and monitoring should be sufficient to detect issues quickly and support timely resolution. This is still evolving with AI-assisted development, but using enterprise-managed tools and dedicated user accounts can improve visibility and traceability.
     
  • Think beyond deployment. AI-generated tools can quietly outlive their usefulness or their creator's employment at the institution. One of the big reasons to bring these tools under the organization's umbrella is to ensure they are well-documented and can continue to be used in the future, adapted as the environment changes, or sunset appropriately when the time is right.

The Bottom Line

AI already has and will continue to expand how work gets done across financial institutions, including how software is built. As that happens, the expectations around governance, security, and operational controls do not change. What does change is who has the ability to create and deploy solutions. Institutions that recognize this shift early, and extend controls accordingly, will be better positioned to take advantage of the opportunities AI presents while managing the risk.

Download Tandem's Artificial Intelligence Risk Management Workbook to learn more about how your financial institution can securely use and manage the risks associated with AI.

Frequently Asked Questions

Q: What should banks and credit unions watch for in AI-generated code?

A: AI-generated code often looks clean and functional, but developers should still review with a critical eye, looking for things like input validation gaps, hardcoded secrets, authentication issues, error handling, and logging gaps. 

Q: Is my bank or credit union allowed to use AI-generated code?

A: Yes, but the same rules should apply that you'd require for human-authored code. AI-generated code should follow standard development, testing, and approval processes, and the AI tools used to generate it should go through your vendor management program before employees start using them. 

Q: What does financial industry regulatory guidance say about AI citizen developers?

A: There is no specific guidance on AI citizen developers, but existing expectations around secure development, vendor management, and information security still apply. Regulators expect financial institutions to manage risk regardless of how the code is created.

Q: What controls will examiners expect to see around AI-generated code?

A: Examiners will expect to see that AI-generated code is governed by existing controls, including testing, access restrictions, monitoring, and oversight. They may also look for how the financial institution is managing data exposure and third-party risk.

Q: How can I know if we have AI citizen developers at my bank or credit union?

A: Start by asking. Direct conversations with employees about how they're using AI in their day-to-day work can surface more than formal reporting ever will. From there, look for signs of informal development activity, such as scripts, automations, or system integrations being built outside of established processes.

Q: How does AI-generated code increase risk for financial institutions?

A: AI-generated code may introduce vulnerabilities, expose sensitive data, or disrupt operations if it's not properly reviewed and tested.

Q: How should banks and credit unions control the use of AI-generated code?

A: Institutions should establish clear guardrails and ensure that any AI-assisted development follows the same system development life cycle (SDLC) as traditional development. This includes requirements for testing, code review, approval, and controlled deployment. In practice, this also means limiting use to approved tools and environments, restricting the use of sensitive data, and maintaining visibility into who is building and deploying solutions.

Q: Can AI-generated code introduce third-party risk?

A: Yes, AI-generated solutions may include external APIs, libraries, or services that function like vendors without going through due diligence. These should be identified and managed through existing vendor management processes.

Q: How do we reduce the risk of data leakage when using AI tools?

A: Avoid using sensitive data in AI tools without approval and ensure data is handled in controlled environments. Organizations should also monitor how data is stored, transmitted, and shared in AI-generated solutions.