Vibe coding produces software with no audit trail. When AI generates business logic from natural language prompts, the resulting code has no traceable author, no reviewable specification, and no way to verify that it implements the intended rules. For regulated industries and calculation-heavy workflows, that’s a compliance risk.
Vibe coding is fast. You describe what you want, an AI writes the code, and something appears on screen within minutes. For prototypes and internal tools that nobody regulates, that speed is real. But if your business runs on calculations that need to be correct, like pricing, commissions, risk scores, or financial models, speed without auditability is a liability.
Why vibe-coded business logic can’t be audited
The problem with vibe-coded business logic is that nobody understands it. Not the person who prompted it, and not the developer who inherits it six months later.
A vibe-coded pricing calculator might produce correct numbers today. But when a customer disputes an invoice, or an auditor asks how a margin was derived, you’re staring at AI-generated functions that no human wrote or reviewed. The reasoning behind each calculation is scattered across prompt history, if it was saved at all.
This isn’t hypothetical. According to Retool’s analysis of vibe coding risks, 48% of AI-generated code snippets contain at least one security vulnerability from the MITRE CWE Top 25. And as Builder.io documents, AI-generated code tends to handle the happy path while breaking in edge cases, with developers spending more time debugging unfamiliar AI patterns than they would debugging their own code. When that code is your business logic, debugging becomes an audit risk.
What auditors actually want
Compliance frameworks like SOX and HIPAA don’t care how your software was built. They care whether you can demonstrate four things: what the business rule is (stated in terms a domain expert can verify, not just what the code does), who defined it, that it hasn’t changed without authorisation, and that it produces correct results given the same inputs.
The four audit requirements
1. The rule
What the business rule is, stated so a domain expert can verify it, not just what the code does.
2. The author
Who defined the rule, a named person who can explain why it works the way it does.
3. The change history
Evidence that the rule has not changed without authorisation.
4. Determinism
The same inputs always produce the same outputs, every time.
Vibe-coded applications struggle with all four. The business rule is buried in generated code. The “author” is a language model. Changes happen through new prompts that may or may not be logged. And testing is often skipped because, well, it works on screen.
Spreadsheet formulas already pass the audit test
Spreadsheets already solve the auditability problem for business logic, and it’s strange how rarely this comes up in the vibe coding conversation.
An Excel formula like =IF(B12>100000, B12*0.12, B12*0.15) is readable by anyone in the finance team. It’s the business rule and the implementation in a single expression. The person who wrote it can explain why the threshold is 100,000 and why the rates are 12% and 15%. Change the formula, and the cell shows the new version. No deployment pipeline, no code review backlog.
Spreadsheets have survived forty years in regulated industries for exactly this reason. Auditors understand them. Domain experts author them. The logic is visible, not compiled away behind a framework.
The problem with spreadsheets isn’t the calculation layer. It’s everything around it: no authentication, no database, no multi-user access, no API integrations, no document generation. A great calculation engine trapped in a single-user file.
What Molnify keeps and what it replaces
Molnify takes the part of the spreadsheet that works, the formulas, and wraps a web application around them.
You author your business logic in Excel or Google Sheets. Colour a cell green for input, red for output. Upload the file, and Molnify generates a web application where the spreadsheet runs every calculation. The formulas don’t get transpiled into JavaScript or rewritten by an AI. They execute as-is, in the same engine that ran them in Excel.

So an auditor can open the original spreadsheet and trace any output back to its calculation. The person who knows why the discount threshold is 100,000 is the same person who typed the formula. The spreadsheet file is a versioned artifact: store it in SharePoint, Google Drive, or your own version control, and every change has a history. And results are deterministic. Same inputs, same outputs, every time. No probabilistic variation, no prompt sensitivity.
Everything that isn’t calculation, like authentication, database, UI, emails, API calls, PDF generation, and e-signatures, Molnify handles as a platform layer. For a deeper look at what the platform provides beyond the spreadsheet, see What Molnify Adds on Top of Your Spreadsheet. The business logic stays human-authored and auditable.
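The change-history requirement applied to the spreadsheet file itself, as an added example (not Molnify's code or mechanism): a hash-chained approval log that names the author and approver of each workbook version and refuses any file that is not byte-identical to the latest approval. The function names, the log fields, the author/approver separation and the sample bytes are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # 'prev' value of the first entry in the log

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Hash every field except the digest itself, in a canonical key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def approve(log: list, workbook: bytes, author: str, approver: str, reason: str) -> list:
    """Return a new log with an approval record chained to the previous one."""
    if not author or not approver or author == approver:
        raise ValueError("a change needs a named author and a different approver")
    entry = {
        "workbook_sha256": sha256_hex(workbook),
        "author": author, "approver": approver, "reason": reason,
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    return log + [entry]

def verify_log(log: list) -> bool:
    """True only if every record still hashes correctly and links to its predecessor."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry["entry_hash"] != entry_digest(entry):
            return False
        prev = entry["entry_hash"]
    return True

def may_deploy(log: list, workbook: bytes) -> bool:
    """Gate an upload: the file must be byte-identical to the latest approval."""
    return bool(log) and verify_log(log) and log[-1]["workbook_sha256"] == sha256_hex(workbook)

# Constructed stand-ins for the bytes of two versions of the pricing workbook.
V1 = b"=IF(B12>100000, B12*0.12, B12*0.15)"
V2 = b"=IF(B12>100000, B12*0.10, B12*0.15)"

if __name__ == "__main__":
    log = approve([], V1, "sales.manager", "finance.controller", "initial rates")
    print(may_deploy(log, V1), may_deploy(log, V2))  # approved file vs. silent edit
```

The chain only proves history is intact if the latest entry_hash is also kept somewhere the log's editors cannot write; otherwise the whole log can be rebuilt or its tail truncated without detection.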
Vibe coding and the intent gap
There’s a concept in software engineering research called the “intent gap,” the distance between what a person wants the software to do and what the code actually does. A recent paper from Microsoft Research calls intent formalization “the grand challenge” of AI-assisted coding: as AI generates more code, the gap between what was requested and what was built grows wider, not narrower.
When you prompt an AI to “build a commission calculator with tiered rates,” the AI fills in every detail you didn’t specify. What are the tiers? How are edge cases handled? Is the calculation pre-tax or post-tax? The AI picks answers. They might be wrong, and you might not notice until a customer does.
With a spreadsheet, there’s no intent gap. The formula =VLOOKUP(B5, TierTable, 2, TRUE) * B3 isn’t an approximation of the business rule. It is the business rule. The person who wrote it chose VLOOKUP because the rates are in a table. They chose TRUE because the lookup should match the nearest lower bound. Every decision is explicit.
Vibe coding optimises for “does it look right on screen.” Spreadsheet formulas optimise for “is it actually right.” When compliance matters, the formula wins.
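What "tiered rates" leaves unspecified, as an added example that is not from the original page: two defensible readings of the same prompt, one matching the approximate-match lookup the formula pins down and one marginal, give different commissions for the same sale. The tier table is constructed, and the example assumes the looked-up value and the amount being multiplied are the same figure.

```python
from bisect import bisect_right
from decimal import Decimal

# Constructed tier table: (lower bound of sales, commission rate), ascending.
TIERS = [(Decimal("0"), Decimal("0.05")),
         (Decimal("50000"), Decimal("0.08")),
         (Decimal("100000"), Decimal("0.12"))]

def vlookup_rate(sales, tiers=TIERS):
    """Approximate-match lookup: rate of the largest lower bound <= sales."""
    bounds = [low for low, _ in tiers]
    if bounds != sorted(bounds):
        # Excel does not check this and can silently return the wrong row.
        raise ValueError("approximate match needs ascending lower bounds")
    i = bisect_right(bounds, sales)
    if i == 0:
        raise LookupError("#N/A: value is below the first lower bound")
    return tiers[i - 1][1]

def flat_commission(sales, tiers=TIERS):
    """Reading 1 (lookup style): the whole amount earns the matched rate."""
    return vlookup_rate(sales, tiers) * sales

def marginal_commission(sales, tiers=TIERS):
    """Reading 2: each slice of sales earns the rate of its own tier."""
    vlookup_rate(sales, tiers)  # same validation as reading 1
    total = Decimal("0")
    for n, (low, rate) in enumerate(tiers):
        high = tiers[n + 1][0] if n + 1 < len(tiers) else sales
        total += max(Decimal("0"), min(sales, high) - low) * rate
    return total

if __name__ == "__main__":
    for amount in (Decimal("99999"), Decimal("100000")):
        print(amount, flat_commission(amount), marginal_commission(amount))
```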
When vibe coding fits and when it doesn’t
Vibe coding is a good fit for marketing sites, prototypes, dashboards that display data but don’t calculate it, and tools where the cost of a bug is low.
It’s a poor fit for pricing and commission calculations, financial models with regulatory reporting, insurance underwriting, and any workflow where an auditor might ask “how was this number calculated?”
The dividing line: if the logic matters more than the interface, keep the logic somewhere humans can read it.
A practical example
Say your sales team prices custom manufacturing jobs. The pricing model accounts for material costs, labour hours, tooling, margin targets, and volume discounts. Today it lives in an Excel file that the sales manager maintains.
With vibe coding
You’d prompt an AI to build a pricing web app. The AI generates a React application with the pricing logic embedded in JavaScript functions. It works. But when the sales manager wants to change the volume discount breakpoints, they can’t, because it’s in code now. When finance asks how a specific quote was calculated, nobody can trace it. When the AI is prompted to make a change, it might restructure the entire calculation, and you’d need a developer to verify it didn’t break anything.
With Molnify
The sales manager keeps maintaining the pricing model in Excel. Same formulas, same structure, same person. Molnify turns it into a web app that the whole team uses, with authentication, saved quotes in a database, PDF generation, and email notifications. When finance asks how a quote was calculated, the sales manager opens the spreadsheet and shows them. When the volume discounts change, the sales manager updates the formula, uploads the new file, and it’s live.
The business logic never left the hands of the person who understands it.
What comes after vibe coding
Vibe coding solves a real problem: most people can’t write code, and they shouldn’t have to for simple applications. But it creates a new one. Applications that nobody can audit, debug, or confidently hand to a regulator.
For calculation-heavy business processes, the spreadsheet was already the right abstraction. What was missing was the application layer around it. That’s what Molnify adds.
FAQ: vibe coding, spreadsheets, and auditability
Can vibe-coded software be audited?
Not easily. AI-generated business logic has no traceable author, no reviewable specification, and changes often happen through prompts that are not logged. For regulated or calculation-heavy work, that missing audit trail is a compliance risk.
Why are spreadsheet formulas considered auditable?
A formula like =IF(B12>100000, B12*0.12, B12*0.15) is the business rule and its implementation in one readable expression. A domain expert can read it, explain why the threshold and rates are what they are, and see every change. Spreadsheets have met this bar in regulated industries for forty years.
What does Molnify keep from the spreadsheet, and what does it replace?
Molnify keeps your formulas, which run as-is in the same engine, so the logic stays human-authored and auditable. It adds everything around them: authentication, a database, multi-user access, the UI, emails, API calls, PDF generation, and e-signatures.
When is vibe coding a good fit, and when is it not?
Vibe coding fits marketing sites, prototypes, and tools where a bug is cheap. It is a poor fit for pricing, commissions, financial models, insurance underwriting, or anything an auditor might question. If the logic matters more than the interface, keep it where humans can read it.
Are results from a Molnify app deterministic?
Yes. The same inputs produce the same outputs every time, because the spreadsheet runs the calculation. There is no probabilistic variation and no prompt sensitivity.
See it with your own spreadsheet
Upload an Excel file and get a working web app in minutes. Your formulas stay auditable.
