Question
A teammate wants to let an agent generate the core of a new authentication flow — token issuance, signature verification, session rotation, and the password-reset path — to move fast on a deadline. You're uneasy. Make the case for when you would and wouldn't let an AI agent own security-critical code like this, what specific failure modes make it the wrong tool here, and how you'd still use the agent without ceding the dangerous parts.
Treat the AI’s output as a draft to verify, not an answer to trust. Name the specific flaw and the input that triggers it, say how you’d catch it — tests, edge cases, reading critically — and how you’d re-prompt or decompose to get it right.
Vibe coding: describe the solution in plain language (or narrate it) and the coach grades your approach. Generating runnable code from your description is coming next.