What 2,000 Exposed Vibe-Coded Apps Reveal About the Limits of Most Security Stacks
ID: 2d4f2daa-0048-5390-acc5-23b710171a6e
STIX ID: report--2d4f2daa-0048-5390-acc5-23b710171a6e
Feed Name: The Hacker News
The report warns that employees are building and publishing custom AI-driven applications on vibe-coding platforms that are frequently connected directly to corporate systems and often left publicly accessible; Red Access found hundreds of thousands of public assets, thousands tied to corporate contexts, and over two thousand containing sensitive data. Existing controls (EDR, DLP, CASB, SSE) often miss these session-layer builds because the entire build/publish flow happens in a browser session, across managed and unmanaged devices. The recommended immediate actions are workforce discovery (ask employees what they've built), mapping each app's integrations and reachability, creating a sanctioned path and lower-friction reporting process, and adopting continuous session-layer discovery and governance.
