AI-generated code

Is the Code Your AI Wrote Safe — and Compliant — to Ship?

Vibe coding ships fast, but AI-generated code leaks secrets, pulls in copyleft licenses, and can quietly trigger EU AI Act obligations. A practical pre-ship checklist — with the cited Articles — to catch it before it reaches production.

Legalithm Team · 5 min read


"Vibe coding" — describing what you want and letting an AI agent write most of the code — is now how a large share of software gets built. Cursor, Claude Code, and Copilot make it fast. But speed moved the risk: you are now shipping code you did not read line by line, into production, often to EU users. Three problems hide in that gap — and the third one is the one most teams never check.

This is a practical pre-ship checklist for AI-generated code: what to verify, and where the EU AI Act (Regulation (EU) 2024/1689) actually applies. It is a starting point, not legal advice.

The new risk surface: code you didn't write, shipping anyway

Independent studies in 2025–2026 paint a consistent picture: a large fraction of AI-generated code ships with security flaws, AI-assisted commits leak secrets at a measurably higher rate, and scans of "vibe-coded" apps routinely surface exposed keys and unguarded data flows. None of that is an argument against AI coding — it is an argument for a check in the loop, because the human review step that used to catch these things is exactly what vibe coding removes.

Before you ship a feature your AI wrote, three checks matter.

1. Secrets and sensitive-data leakage

AI agents happily inline API keys, paste real connection strings into examples, and pipe user data (PII/PHI) into LLM prompts, vector stores, and logs — new sinks that legacy data-loss tooling was never built for. Catch it at commit time, not after a breach:

  • Scan diffs for secrets before every push (a pre-commit hook or CI gate).
  • Watch for personal data flowing into prompts, third-party AI APIs, and logs — these can carry GDPR obligations independently of the AI Act.
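A minimal version of that pre-push gate, as an added example that is not Legalithm's code: it scans only the added lines of a unified diff for a few well-known key shapes, and flags generic `key = "..."` assignments only when the value is high-entropy, so placeholder strings do not trip it. The diff it runs on by default is constructed; the file path, variable names and values are assumptions.

```python
"""Pre-push secret gate that scans only the added lines of a unified diff.
Added example for this article, not Legalithm's code. Known key shapes are matched by
regex; generic `key = "..."` assignments must also be high-entropy, so placeholders pass.
The sample diff is constructed (the AKIA value is AWS's documented example key)."""
import math, re, sys
from collections import Counter
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")
PATTERNS = {  # checked in order; the first matching rule is reported
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "connection_string_password": re.compile(r"\b\w+://[^:/\s]+:[^@\s]+@[^\s'\"]+"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"),
}

def shannon_entropy(s: str) -> float:  # bits per char; random keys score far above prose
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan_diff(diff_text: str, entropy_threshold: float = 3.5) -> list:
    """Return (path, new_line_no, rule, line) for each suspicious added line."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            continue
        if m := HUNK.match(raw):
            new_line = int(m.group(1))  # first line number on the post-merge side
            continue
        if raw.startswith(("-", "diff ", "index ")):
            continue  # removed lines never ship and do not advance new_line
        if raw.startswith("+"):
            line = raw[1:]
            for rule, pat in PATTERNS.items():
                hit = pat.search(line)
                if hit and not (rule == "generic_assignment"
                                and shannon_entropy(hit.group(1)) < entropy_threshold):
                    findings.append((path, new_line, rule, line.strip()))
                    break
        new_line += 1  # context and added lines both exist on the new side
    return findings
SAMPLE_DIFF = "\n".join([  # constructed input, fake values
    "--- a/app/llm.py", "+++ b/app/llm.py", "@@ -1,4 +1,8 @@", " import openai",
    "-client = openai.OpenAI()", '+OPENAI_API_KEY = "zX9qLm2Pv8Rt4Wn6Kj1Yb3Hc"',
    '+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"', '+DB_URL = "postgres://app:s3cretPass@db.internal:5432/app"',
    '+password = "REPLACE_ME_REPLACE_ME_REPLACE_ME"  # placeholder: low entropy, not flagged',
    "+client = openai.OpenAI(api_key=OPENAI_API_KEY)", " ", " def ask(prompt):"])

if __name__ == "__main__":  # usage: git diff origin/main...HEAD | python secret_gate.py
    hits = scan_diff(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    print("\n".join(f"{p}:{n}: {r}: {l}" for p, n, r, l in hits))
    sys.exit(1 if hits else 0)
```

Wired into a pre-push hook or a CI step, a non-zero exit blocks the push; the reported line numbers refer to the file as it will exist after merge.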


2. License contamination and provenance

AI models are trained on public code under many licenses. A generated snippet can reproduce copyleft-licensed code (e.g. GPL) without attribution — and in some teams that has meant forced rewrites late in a release. Before shipping, ask: do I know where this code came from, and can I license it the way I ship it? Provenance is quietly becoming a risk teams are already feeling with AI-generated code.

3. The EU AI Act — the obligation most vibe-coders miss

Here is the part teams routinely skip: if your AI feature reaches EU users, the EU AI Act may impose obligations on you — and the fact that an AI wrote your code is not the trigger. What the AI feature does is the trigger.

  • Transparency (Article 50). User-facing AI — chatbots, AI-generated content, deepfakes, emotion recognition — must disclose that users are interacting with or seeing AI output. These transparency duties apply from 2 August 2026.
  • High-risk systems (Annex III). AI used in areas like employment, credit, education, or critical infrastructure carries the heaviest obligations (risk management, data governance, human oversight, technical documentation). After the Digital Omnibus, these apply from 2 December 2027 for standalone Annex III systems.
  • General-purpose AI models have had obligations since 2 August 2025; prohibited practices (Article 5) since 2 February 2025.

Not sure whether the Act applies to you, or at what risk tier? Run the free, no-account EU AI Act applicability checker or the free AI Act assessment — both give you a cited result in a couple of minutes. For the full picture, the EU AI Act guide covers every key Article in plain language.

A 5-minute pre-ship checklist for AI-generated features

  • Secrets: no keys, tokens, or live connection strings in the diff.
  • Data flows: no PII/PHI piped into prompts, third-party AI APIs, vector stores, or logs without a basis.
  • Licensing: you can account for where generated code came from and ship it under your license.
  • AI Act applicability: you have classified whether the feature triggers the Act — and at what tier.
  • Transparency (Art. 50): user-facing AI discloses that it is AI.
  • A record: you have a dated, cited record of the above you can show a teammate, customer, or auditor.

That last item is the one that turns "we think we are fine" into something you can actually defend.

Put the check where you already code

Doing this by hand on every PR does not scale. Legalithm runs the EU AI Act check in your coding loop — a free, open-source CLI, an offline MCP server for Cursor and Claude Code, and a GitHub Action. It classifies the risk tier with the cited Article, generates the Article 50 disclosure, and writes a dated compliance/legalithm.json record into your repo that re-verifies in CI:

npx legalithm setup    # wire it into Cursor, Claude Code, and CI
npx legalithm init     # classify + write the cited, dated record
npx legalithm check    # fail the build on drift

See the developer docs to get started in your editor.

Honest limits

Legalithm detects patterns and cites the Article it matched — and when it is not confident, it flags the result for human review instead of guessing. It is a cited starting point that tells you when to bring in a qualified person. It is not legal advice and not a certification. For high-risk systems and edge cases, get a human in the loop — the point of the check is to tell you when.

The takeaway: vibe coding is here to stay, and it is genuinely productive. The discipline that keeps it safe is a fast, automatic check in the loop — for secrets, for provenance, and for the EU AI Act obligations the speed makes easy to miss.
