Vibe Coding Came to Finance. The Guardrails Didn't.

Somewhere in your finance org, someone is building software on a Saturday. An actual application, maybe a 13-week cash forecast dashboard or a close checklist that updates itself as journal entries post, described in plain English to an AI tool that writes the code. That's vibe coding. You say what you want, the model builds it, and you refine it by talking to it. In early 2026 BCG published a report titled "Vibe Coding Is Coming to Finance. CFOs Need Guardrails," which is a fair sign the practice has moved from a weekend hobby to a boardroom topic.
The capability is real, and the numbers move fast. McKinsey's research on AI and developer productivity found that AI tools can help engineers finish some coding tasks up to twice as fast. EY connected AI coding agents to its internal engineering standards and reported four to five times the output on internal tools. Gartner has projected that citizen developers will outnumber professional developers four to one. In finance the apps are already concrete: procurement intake tools that route requests through approvals, headcount reconcilers that tie HRIS data to GL payroll, board memo drafters that pull from the general ledger and flag variances. None of them needed a software engineer. For a team that has waited two sprints for every dashboard, this is the first time AI has felt like a lever finance can pull on its own.
Then the CFO asks the questions a CFO asks. These are non-engineers writing production code, so who reviewed it? What data does it reach? If a buyer's diligence team asks where our payroll data went, can we answer? The excitement and the unease show up together, and both are earned.
The unease has evidence behind it. Roughly 63% of the people vibe coding identify as non-developers, and the code they ship carries real defects. Veracode's 2025 testing across more than 100 models found about 45% of AI-generated code fails security tests, a pass rate that stayed flat even as the models got better at writing code that runs. The tools optimize for code that works, and they treat security as a secondary concern. An app passes its happy-path tests, looks clean in a demo, and exposes data the moment someone probes it. BCG put the finance version plainly: a CFO who lets the team build without a governance framework trades shadow Excel for shadow code.
In finance the stakes are specific. A cash-forecast app reaches the operating account, the AP and AR subledgers, and payroll, which is the exact multi-system pull where a leak hits hardest. A risk committee can't sign off on applications it can't even list, and SOC 2, SOX, and GDPR all assume you can enumerate the systems touching sensitive data and show how that data flows. IBM's 2025 Cost of a Data Breach report puts a breach involving shadow AI at roughly $4.63 million, about $670,000 above the overall average, and found that 97% of the organizations hit by an AI-related breach lacked basic access controls on their AI systems. The exposure is live, it's discoverable, and it routes to your desk.
I kept running into the same thing. I work with mid-market and PE-backed finance teams, and over and over a controller would show me a genuinely useful app they'd built, and then I'd ask who owned it, what data it pulled, and whether anything was logged. The answer was usually a shrug. The app worked. Nobody could say what it touched, and nobody could turn it off. The capability was clearly here to stay, and the controls to make it safe were missing. So I decided to build them.
That became Trustward, a RoboCFO product now in private beta. It sits between your team's AI coding tool and your real systems. Your team keeps the tool they already use. Trustward runs the app, hands it only the data it's cleared for, masked and logged, and keeps real credentials behind a broker the AI tool never touches. You get a live map of every app, who owns it, the data each one reaches, an audit trail, and an off switch, in plain language, without reading a line of code. One side gets the app and the speed. The other side gets the inventory and the attestation a CFO can sign honestly.
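The broker pattern described above, reduced to its moving parts, as an added illustration (this is not Trustward's code and makes no claim about how Trustward is implemented). The app never receives the ERP credential; it asks a broker for a named dataset, and the broker enforces a per-app allow-list, masks the fields the policy names, writes an audit entry for every call whether allowed or denied, and honours an off switch. The app names, the owner address, the ERP rows and the placeholder credential are all constructed for the example.

```python
"""Credential-broker / policy-gateway pattern for AI-built finance apps.

Added illustration only; app names, datasets, rows and the credential
below are constructed samples, and the ERP call is a stand-in.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The real credential lives only inside the broker process (placeholder value).
_SECRETS = {"erp_db": "erp-service-account-password"}  # never handed to an app

# Constructed sample subledgers that the stand-in ERP returns.
_ERP = {
    "ap_open_items": [
        {"vendor": "Acme Supply", "amount": 12500.00, "bank_account": "021000021-123456789"},
        {"vendor": "Globex", "amount": 8400.50, "bank_account": "026009593-987654321"},
    ],
    "payroll": [
        {"employee": "J. Doe", "ssn": "123-45-6789", "gross": 9200.00},
    ],
}


def _query_erp(dataset: str, credential: str) -> list[dict]:
    """Stand-in for the real ERP client; only the broker can call it."""
    if credential != _SECRETS["erp_db"]:
        raise RuntimeError("ERP rejected credential")
    return [dict(row) for row in _ERP[dataset]]  # copies, so masking never mutates source


def _mask(value: object) -> str:
    """Keep the last four characters of an identifier and star the rest."""
    text = str(value)
    return "*" * max(len(text) - 4, 0) + text[-4:]


@dataclass
class AppPolicy:
    owner: str                      # who answers for this app
    datasets: set[str]              # datasets the app may read, nothing else
    masked_fields: set[str] = field(default_factory=set)
    enabled: bool = True            # the off switch


class Broker:
    def __init__(self) -> None:
        self.policies: dict[str, AppPolicy] = {}
        self.audit: list[dict] = []

    def register(self, app_id: str, policy: AppPolicy) -> None:
        self.policies[app_id] = policy

    def disable(self, app_id: str) -> None:
        """Kill switch: every later fetch by this app is denied and logged."""
        self.policies[app_id].enabled = False

    def inventory(self) -> list[dict]:
        """The plain-language map: each app, its owner, what it reaches, whether it is on."""
        return [
            {"app": a, "owner": p.owner, "datasets": sorted(p.datasets), "enabled": p.enabled}
            for a, p in self.policies.items()
        ]

    def fetch(self, app_id: str, dataset: str) -> list[dict]:
        """Serve a dataset to an app, or refuse, and record the decision either way."""
        policy = self.policies.get(app_id)
        if policy is None or not policy.enabled:
            decision = "deny:disabled"
        elif dataset not in policy.datasets:
            decision = "deny:scope"
        else:
            decision = "allow"
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "app": app_id, "dataset": dataset, "decision": decision,
        })
        if decision != "allow":
            raise PermissionError(f"{app_id} -> {dataset}: {decision}")
        rows = _query_erp(dataset, _SECRETS["erp_db"])  # credential stays in this frame
        return [
            {k: (_mask(v) if k in policy.masked_fields else v) for k, v in row.items()}
            for row in rows
        ]


def demo() -> tuple[Broker, list[dict]]:
    """Register a constructed cash-forecast app and exercise allow, deny and kill switch."""
    broker = Broker()
    broker.register("cash_forecast", AppPolicy(
        owner="controller@example.com",          # constructed
        datasets={"ap_open_items"},
        masked_fields={"bank_account"},
    ))
    rows = broker.fetch("cash_forecast", "ap_open_items")      # allowed, bank accounts masked
    for dataset in ("payroll", "ap_open_items"):
        try:
            if dataset == "ap_open_items":
                broker.disable("cash_forecast")               # flip the off switch first
            broker.fetch("cash_forecast", dataset)
        except PermissionError:
            pass                                              # denial is recorded in the audit log
    return broker, rows


if __name__ == "__main__":
    b, r = demo()
    print(r)
    print(b.inventory())
    print(*b.audit, sep="\n")
```

The point of the shape is that the only place the credential appears is inside `Broker.fetch`, so a prompt-written app, however it is coded, can at most ask for a dataset by name; the allow-list, the masking and the log are applied before anything reaches it, and the inventory is derived from the same policies that gate access, so the list a CFO sees cannot drift from what is actually enforced.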
Vibe coding in finance has stopped being a question of whether. The apps your team ships this year are the first wave, and they're already running. The CFOs who get ahead of it will be the ones who let their people build and can still answer the question a regulator or a buyer will eventually ask. What are we running, and where is our data going?
That question is the one Trustward is built to answer. It governs what your AI-built apps can reach and where they run, gives finance a live inventory and a clean audit trail, and contains anything that goes wrong. We're accepting access requests for the private beta now. If your team is building with AI and you want the controls to keep pace, request access at trustward.ai.