Over the past year, I’ve run multiple hackathons where non-technical teams build real software in hours. An automated monitoring system that proactively proposes services to future clients. Fully automated video avatars that reach out to prospects with personalized messages in the prospect’s language. An applicant screening tool.

An automated client qualification system. A customized content creation engine. All built by people who had never written a line of code in their lives.

Every time, the same thing happens. The energy in the room is electric. And then it hits me.

Not one team asks about data protection. Not one asks what happens if their video avatar says something wrong, or if their screening tool discriminates, or who’s liable when the monitoring system flags a false positive. They don’t skip these questions on purpose. They don’t know the questions exist.

This is the paradox nobody’s talking about. The same AI tools that give small companies and non-technical builders unprecedented power also hand them unprecedented responsibility. And responsibility without knowledge is a dangerous combination.

The Power Is Real

Let me be clear: the competitive shift is happening, and it’s massive.

I built a client portal two weeks ago. Full authentication, database, user management. Two days. That used to require a pre-project budget, a dev team, and several weeks of scoping before a single line of code got written.

A colleague shared data from CJS Agency, the company behind GoDaddy’s website. They cut 50% of their workforce. Same revenue. They shifted their entire business model from one-time project fees to revenue-share and equity deals with builders. The agency model itself is being disrupted.

And it’s not just agencies. Small companies now hold structural advantages that enterprise can’t match. No legacy systems to maintain. No approval hierarchies to navigate. No multi-culture disasters from forced acquisitions. Pure agility. One subscription. Four parallel sessions. The output of a team.

You don’t fight the big ones. You just provide real value at a fraction of their budget. They’ll struggle on their own.

68% of U.S. small businesses now use AI regularly, up from 48% just a year ago. This isn’t hype. It’s a structural inversion. Small is becoming the advantage.

But Power Without Knowledge Is a Problem

And this is where it gets uncomfortable.

Professional development teams have entire functions dedicated to what non-technical builders skip. Security reviewers who check for vulnerabilities before deployment. Compliance officers who ensure GDPR and data protection requirements are met. Legal counsel who assess liability exposure. QA engineers who test edge cases. These roles exist because decades of software failures taught us they’re necessary.

Non-technical builders skip the entire curriculum. Not because they don’t care. Because they don’t know it exists. If you’ve never worked in software, you don’t know it needs security review. The same way someone who’s never built a house doesn’t know about load-bearing walls. You can’t check for something you’ve never heard of.

Veracode’s 2025 GenAI Code Security Report] tested over 100 large language models across 80 coding tasks. The finding: AI-generated code failed security tests in 45% of cases. Nearly half the time, the code contained vulnerabilities from the OWASP Top 10, the industry’s standard list of critical security flaws.

And here’s what should concern you: the models got better at writing functional code. They did not get better at writing secure code. Speed improved. Safety didn’t.

The Liability Chain Nobody Talks About

Right now, there’s a gap in accountability that most builders don’t even see.

The AI providers have their disclaimer: “AI can make mistakes. Verify the output.” That language exists for a reason. It shifts liability from the platform to whoever deploys the code.

The builder says: “I didn’t know.” Genuine ignorance. Not malice, not negligence in the traditional sense. They simply weren’t aware that their coaching bot could give harmful advice, that their health tracker wasn’t encrypting user data, or that their financial tool was storing credentials in plain text.

The user? They just got harmed.

So who pays?

Right now, often nobody. The legal frameworks haven’t caught up. But they will. The Colorado AI Act, effective in 2026, already imposes a duty of reasonable care on deployers of high-risk AI systems. The EU AI Act is applying similar principles. The regulatory machinery is warming up.

The first serious incident involving a vibe-coded app will accelerate everything. A health app that gives dangerous advice. A financial tool that exposes personal data. A coaching bot that drives someone to harm. When that happens, regulation won’t just target the app. It could stifle the entire builder movement. The same democratization that makes this moment so exciting could get locked down because a few people built fast without building responsibly.

The Safety Manual That Should Exist

So what do you actually need to know before shipping?

Not four hundred things. Four things.

1. Does your app handle personal data? If yes, you’re likely subject to GDPR (or your local equivalent). That means consent, encryption, the right to deletion, and a data processing record. Most vibe-coded apps handle personal data. Most builders never check.

2. What happens when your app is wrong? If your app gives advice, makes recommendations, or processes anything related to health, finance, or legal matters, you need to think about the consequences of bad output. Not “what if it glitches” but “what if someone acts on wrong information.” This isn’t hypothetical. It’s happening.

3. Who can access what? Access control is the thing non-technical builders get wrong most often. OWASP created an entire Top 10 security risk list specifically for low-code/no-code platforms, and excessive permissions and account impersonation sit near the top. If everyone who uses your app can see everyone else’s data, you have a problem.

4. Have you tested it like someone who wants to break it? A few weeks ago, I asked Claude to pen-test my client portal. Unprompted, it offered to check for vulnerabilities. It found issues I wouldn’t have thought to look for. The AI that helped me build it also helped me secure it. Most builders never take this step. They ship and move on.

That’s just enough. Everything else is noise. For now.

Build Fast AND Build Responsibly

The safeguard isn’t slowing down. I’m not arguing for less building. I’m arguing for informed building.

The good news: the same AI tools that create the risk can help manage it. You can ask Claude or ChatGPT to review your code for GDPR compliance. You can run security scans in natural language. You can ask “what regulations apply to an app that handles health data in the EU?” and get a reasonable starting point.

But you have to know to ask. That’s the gap.

When I build automation systems for clients through my Done-for-You work, this is baked in. Security review, compliance checks, proper data handling. Not because the client asked for it. Because they shouldn’t have to ask. That’s what professional building looks like. The safeguard is part of the delivery, not an afterthought.

For those building themselves, my Sprint program teaches teams to move fast and build responsibly. Speed and safety aren’t opposites. They’re partners. The teams that learn both will outlast the ones that only learned speed.

The Question That Matters

We’re at a remarkable moment. Small companies can compete with giants. Non-technical founders can build real products. Solo consultants can ship what used to require entire engineering departments.

This power is real. And it’s not going away.

But the builders who will thrive long-term aren’t the ones who ship fastest. They’re the ones who know what to check before they ship. The ones who build the house and understand which walls are load-bearing.

AI gave you superpowers. The safety manual is your responsibility.

The question is whether you’ll read it before or after something goes wrong.

Damian Nomura helps companies adopt AI through a human-centered approach. His Done-for-You Automation builds systems with security and compliance baked in, and his 5-Day Sprint teaches teams to build fast and responsibly. Swiss Ambassador for the Responsible AI Governance Network.

Follow for weekly essays on AI adoption that’s Simple. Clear. Applicable.