Vibe Coding Security Risks: What Law Firm Leaders Need to Know Before the Next Breach
If your team has used AI to build an internal app (a client intake form, a scheduling tool, a contact tracker), there is a real chance it has a security vulnerability nobody thought to check for. "Working" and "secure" are two different standards, and AI coding tools almost never apply both at the same time.
For law firms handling confidential client data, that gap carries real legal and financial exposure. Here is what it looks like, how common it is, and what to do about it, with or without an IT background.
What Is Vibe Coding and Why Are Law Firms Using It?
Vibe coding is a term coined in early 2025 to describe the practice of using generative AI tools (Claude, ChatGPT, GitHub Copilot, and similar platforms) to build functional software without writing code manually. A firm administrator describes what she needs in plain English. The AI writes the code, connects the components, and delivers something that runs.
It has become genuinely popular in professional services firms for one simple reason: it works. Non-technical staff can now build tools that would have required a developer six months ago. Client intake forms, matter trackers, scheduling systems, internal dashboards: all of it is now accessible to anyone willing to describe what they need clearly enough.
The speed and accessibility are real. So is the security problem.
The Security Gap No One Warned You About
AI coding tools are optimized to make your feature function. When you ask for a client intake form, the AI builds a client intake form. It connects the database, handles the logic, formats the output, and delivers something that does exactly what you described.
What it almost never does on its own is stop and think: Who else can access this data? What happens if someone types something malicious into that field? Are these credentials visible to anyone who views the source code?
Researchers at Georgia Tech have been tracking this gap since mid-2025 through the Vibe Security Radar. The trajectory is striking: six confirmed vulnerabilities in January 2026, fifteen in February, thirty-five in March alone. The research team estimates the real number is five to ten times higher. Independent security firm Veracode tested over 100 AI models and found roughly 45 percent of the code they generated failed standard security tests.
The "it works!" moment: proud, fast, and potentially exposed. This is exactly the scenario the research is warning about.
The Three Vulnerabilities That Show Up Most Often in AI-Built Apps
You do not need a technical background to understand these. You just need to know they exist and what to ask about.
Why This Matters Specifically for Your Law Firm
The data your firm handles carries weight that general business data does not. Client names, matter descriptions, immigration statuses, estate plans, financial disclosures: all of it sits under ABA Model Rule 1.6, which requires reasonable measures to prevent unauthorized disclosure of client information. ABA Model Rule 1.1 extends that obligation to technology competence.
Cyber insurance adds a second layer of accountability. Many policies now ask specifically whether the firm has reviewed internally built software for known vulnerabilities. An AI-built intake form with an open database is not a gray area on those forms. It is a documented, auditable exposure.
What to Do If You Have Already Built Something With AI
The honest answer is that a vulnerable app looks and works identically to a secure one until something goes wrong. You cannot tell the difference by using it. That is the entire problem.
The practical first step is not a full security audit. It is the three gut-check questions above applied to everything your team has built with AI in the last eighteen months. If yes to any of them, get a second set of eyes on the code before assuming it is safe.
How to Build More Securely With AI Going Forward
Better security starts with better instructions. The AI builds what you describe. If your description does not include security requirements, neither will the output. Before starting any AI-built tool, open with this prompt:
Choosing the Right AI Tool Matters Too
Not all AI platforms handle data the same way. The tool your team uses to build internal apps is a separate decision from the security of what gets built. If you are evaluating which platforms are appropriate for law firm use, these resources cover the differences that matter most for attorney-client privilege and confidential client information.
How eSudo Helps Law Firms Catch What AI Missed
For law firms in Silicon Valley and the Bay Area, eSudo typically starts with a focused review of any AI-built tools that touch client data: not a full audit, just the three critical questions applied systematically with someone who knows what the answers should look like. From there, we can usually identify within an hour whether something needs a quick fix, a deeper review, or a rebuild.
We have been doing this kind of work for small law firms since 2001. The tools change. The underlying security principles do not.
Vibe coding is the practice of using AI tools like Claude or ChatGPT to build functional software by describing what you want in plain English, without writing code manually. The security risk comes from how AI tools prioritize output: they build what works, not what is safe. Basic protections like access controls, input validation, and secure credential storage are routinely skipped unless specifically requested.
For law firms, the stakes are higher than for most businesses. Client data falls under ABA Model Rules 1.1 and 1.6, and an unsecured AI-built tool that stores client information is a potential compliance violation as well as a breach risk.
Yes, especially if that form stores client names, contact information, or matter details, connects to your email system, or is accessible from the internet. The size of the tool does not determine the level of risk. The data it touches does.
Research from Veracode found that nearly half of AI-generated code fails standard security tests, and the vulnerabilities most commonly found (open databases, exposed credentials, unsanitized inputs) are just as likely in simple apps as in complex ones.
You almost certainly cannot tell by using it. A vulnerable app looks and performs identically to a secure one until something goes wrong. This is precisely what makes vibe coding security risk difficult to manage without intentional review.
The practical starting point is asking three questions: Does it store client or sensitive data? Does anyone log into it? Is it connected to the internet or an external service? If yes to any of those, the tool warrants a review by someone who can look at the underlying code, not just the interface.
Yes, and it is more useful than most people expect. Asking Claude or ChatGPT to review code and identify the top security vulnerabilities will surface many common issues. A prompt like "Review this code for security vulnerabilities and tell me specifically what could be exploited and how" is a meaningful first filter.
It is not a substitute for a professional security review on anything that touches sensitive client data. Think of it as a junior associate reviewing their own work before it goes to a partner: useful, but not final.
Before asking AI to build anything that stores data or connects to the internet, start with: "Before writing any code, identify the top three security risks for this type of application and explain how you will address each one." Additional prompts: "Do not hardcode any passwords or API keys." "Ensure users can only access their own data." "After building this, do a security review and flag any vulnerabilities."
For firms that want a formal policy governing how staff use AI tools, the eSudo AI Acceptable Use Policy Template provides a starting framework you can adapt to your firm's specific needs.