NCSC urges a risk-based approach to AI-assisted software development

The UK’s National Cyber Security Centre has published guidance encouraging developers to treat AI-assisted software writing as a continuum rather than an all-or-nothing choice. The agency says so-call...

The UK’s National Cyber Security Centre has published guidance encouraging developers to treat AI-assisted software writing as a continuum rather than an all-or-nothing choice. The agency says so-called “vibe coding” can be useful, but the level of AI autonomy should depend on the sensitivity of the system being built.

AI tools are now widely used to generate code from high-level prompts, with users often iterating on output rather than writing every line themselves. The NCSC says this can speed up development, but it also raises concerns about security flaws, unclear architecture and long-term maintainability. Because AI systems are trained on large volumes of existing code, they may reproduce insecure patterns if developers rely on them without enough review.

Different systems carry different risk

According to the NCSC, the main question is not whether AI should be used, but where it is used and how much oversight is applied. Low-risk work, such as proof-of-concept demonstrations, internal tools or mock-ups, may be suitable for heavier AI involvement. By contrast, code that handles authentication, sensitive personal data, credentials or safety-critical functions needs stronger controls.

The agency describes this as a “vibe coding spectrum.” At one end is traditional human-led development with AI assisting through autocomplete and small suggestions. At the other is full autonomy, where an AI system designs, writes and iterates on code with minimal human intervention. Between those extremes are many hybrid approaches, including AI-generated functions, human-written architecture and test-driven workflows where developers define the tests and the model writes the implementation.

Oversight remains essential

The NCSC said using AI for important software does not have to be off-limits, but it does require careful oversight. Developers should review generated code, understand how it works, test it for vulnerabilities and confirm that it behaves as intended. The wider system should also be designed to limit the impact of any compromise.

For higher-risk projects, the NCSC points to baseline cyber security requirements developed with international partners through ETSI’s Technical Committee on Securing AI. The guidance arrives as AI coding tools continue to improve rapidly, prompting organisations to rethink how much trust they place in automated development workflows.

  • Low-risk projects can tolerate more AI autonomy.
  • Security-sensitive systems need more human review.
  • The right balance depends on context, not a fixed rule.