Laurie Ibbs
CyberCAKE - Code1885 - Safenetics - PSC-Europe
BSides Lancashire
2026 - Lancaster
Vibe Secure!
...or why the machine really loves you, like you are the best, high five man!
Andrej Karpathy
"The agents claim that we are now in the 10,205th generation of the code base, in any case no one could tell if that's right or wrong as the 'code' is now a self-modifying binary that has grown beyond human comprehension"
Cory Doctorow
"...when the crash comes, and the crash will come, most of these foundation models are going to be turned off..."
The Fact Gap

What the tools do:

  • Prompt → Generate → Iterate
  • Conversational development
  • Achieving Agentic workflows

What users perceive

  • Massive productivity gains
  • Rapid prototyping
  • Lower barrier to entry
  • Exploration becomes cheap
“When it works, it's so engaging and fun. It's more addictive than any video game I've ever played. You can just iterate, iterate, and see your vision come alive. So cool.”

But…

  • Speed begins to outpace understanding
  • We can see what we achieved, but not how
  • Confidence without verification
“…and that’s slightly terrifying.”
Exhibit A:
⚠️ This presentation was vibe coded. ⚠️

Exhibit B:
♥️ A Loveable app I made for fun ♥️
So what's the big deal?

This is A MAY ZING no?

From prompt to public URL

A very short history of software appearing on the web
Initial app creation
1. Creation
An idea becomes an interface.
Iteration on the app
2. Iteration
One more prompt and it's made real progress.
App live on the web
3. Live
And now it is on the public web.

From Public URL to Legal Implications

  • Speed bypasses responsibility
  • Convenience ignores constraints
  • Automation removes the pause
  • Had to restrict it to RSS
  • Scraping could breach terms
  • No visibility of runtime or deployment
  • Fine for a toy
  • Risky for a business
Breadth
  • Trained on vast codebases
  • Sees patterns across ecosystems
  • Often better than average developers
  • Surfaces best practices quickly
Inheritance
  • Trained on mixed-quality code
  • Insecure patterns are common
  • Context is missing
  • Security decisions are implicit
Trained on us
It knows patterns. It doesn’t know your context.
And your context may be enormous!

Looks like normal operation

The code runs
The output looks correct
The system behaves as expected

And yet...

And this is a security problem because...

Encrypt at rest. Encrypt in flight.

Mutual TLS. Certificate management.
Secrets storage. Rotation. Revocation.

Identity. Roles. Permissions. Drift.
Access control. Least privilege.

Logging. Monitoring. Alerting.
Audit trails. Forensics.

Static analysis. Dependency scanning.
Vulnerability management.

Red team. Blue team. Purple team.
Threat modelling. Adversarial thinking.

Vendor risk. Supply chain.
Reverse engineering. Validation.

Are we enshittifying…
or de-enshittifying?

From Friction → Flow

We’ve removed most of the natural checkpoints.
Then
  • Reviews
  • Gates
  • Deliberate handoffs
  • Slow, explicit decisions
Now
  • Prompt
  • Generate
  • Iterate
  • Fast, fluid decisions

Where This Gets Real

“Where does your AI actually run?”
What people think/see
  • A helpful coding assistant
  • A chat window
  • Some generated code
  • A fast path to working software
What actually matters
  • Whose machine?
  • Whose network?
  • Whose logs?
  • Whose secrets?
  • Whose control plane?

Deployment choices

Model: Trade-off
  • ⚡ Managed: Fast, less control
  • ☁️ Cloud: Flexible, misconfig risk
  • 🏠 Self-hosted: Control, operational burden

Demo: Zero Trust

This service is not publicly exposed.
1. 👤 Operator
Authenticated user with a known identity, with authorised device
2. 🪪 Identity / Policy
Access granted by who you are and what you’re allowed to reach
3. 🔒 Private Service
Internal app or model endpoint, not open to the public internet
Public exposure is not the access model.
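
The three boxes above as a default-deny access decision. This is an added example, not code from the talk or its demo; the policy table, device inventory, role names and log format are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy: which roles may reach which private service.
POLICY = {
    "model-endpoint": {"ml-engineer"},
    "internal-app": {"ml-engineer", "analyst"},
}
# Constructed inventory of enrolled (authorised) device IDs.
AUTHORISED_DEVICES = {"laptop-0042", "laptop-0077"}


@dataclass(frozen=True)
class Request:
    user: Optional[str]   # None means no authenticated identity
    roles: frozenset
    device_id: str
    service: str
    source_network: str   # logged for audit, never used to grant access


def decide(req: Request) -> tuple[bool, str]:
    """Default deny: every check must pass; network location grants nothing."""
    if not req.user:
        return False, "no authenticated identity"
    if req.device_id not in AUTHORISED_DEVICES:
        return False, "device not authorised"
    allowed_roles = POLICY.get(req.service)
    if allowed_roles is None:
        return False, "unknown service"
    if not (req.roles & allowed_roles):
        return False, "identity not permitted to reach service"
    return True, "allowed"


def audit_line(req: Request) -> str:
    """One log line per decision, allow or deny, so access is auditable."""
    ok, reason = decide(req)
    verdict = "ALLOW" if ok else "DENY"
    return (f"{verdict} user={req.user} device={req.device_id} "
            f"service={req.service} net={req.source_network} reason={reason}")


if __name__ == "__main__":
    print(audit_line(Request("alice", frozenset({"ml-engineer"}),
                             "laptop-0042", "model-endpoint", "home-wifi")))
    print(audit_line(Request(None, frozenset(), "laptop-0042",
                             "model-endpoint", "office-lan")))
```

The second request is denied even though it arrives from the office LAN: being on the "inside" network is recorded but carries no weight in the decision.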

Velocity vs Certainty

Every one of these choices shifts the balance.
⚡ How fast can you build?
🔍 How sure are you about what you built?

The Missing Challenge Step

01. Compiler as gate: If it doesn’t build, it doesn’t ship
02. Tests as contract: Unit + integration — no exceptions
03. Deployment as filter: Fail in dev/staging → stop there
04. Human review: Look at what actually runs

Agentic Engineering

Prompt → Generate → Inspect → Challenge → Deploy

Micro Demo

Own models. Own hardware.
  • 🏠 Self-hosted models
  • 🔐 Identity-based access
  • ⚙️ Claude Code workflow
Local inference
No public exposure
Controlled access path
Observable + auditable

The New Role of the Developer

Then
  • Writing code
  • Implementing features
  • Following requirements
Now
  • Framing problems
  • Challenging outputs
  • Designing systems
  • Owning outcomes

The New Role of Security

Then
  • Gatekeeper
  • Policy enforcer
  • Last-minute reviewer
Now
  • Embedded in development
  • Teaching secure thinking
  • Designing safe systems
  • Enabling safe velocity

Positive Mental Attitude

  • Constant Positive Reinforcement
    "You are totally right!"
  • Rarely challenges
    "you are in an unusually strong position."
  • Encourages flow
    "If you want, next I can:"
Jensen psychology
Zuckerberg psychology
Elon psychology
General psychology

The Cognitive Load

  • Feels more productive
    The work moves faster
  • Feels more intense
    The cognitive load is constant
  • Feels like progress
    But harder to measure what improved
Where does this leave us mere mortals?
?
Questions