Vibe coding leaks and the governed path.

Last Wednesday, Axios published findings from Israeli security firm RedAccess: 380,000 publicly accessible applications built on Lovable, Base44, Replit, and Netlify, with about 5,000 of them carrying sensitive corporate data. The list included an internal application detailing active clinical trials at a UK health company, full unredacted customer service conversations from a cabinet supplier, internal financial information at a Brazilian bank, and an app for a hospital with doctor-patient summaries and patient complaints.

The platforms responded as platforms do. Replit's CEO pointed out that public apps are public by user choice. Wix's Base44 spokesperson noted that some apps were deliberately set public by their owners. Both observations are true. Both miss the point.

The point is that a category of risk which did not exist eighteen months ago is now distributed across every employee with a credit card. AI tools that let non-engineers ship working software have collapsed the gap between "I have an idea" and "the application is live on the internet" from weeks to minutes. The cybersecurity training, the access reviews, the procurement gate, the code review, none of it is in the loop. RedAccess's CEO put it cleanly: "I don't think it's feasible to educate the whole world around security."

He is right. And the architectural answer to his observation is the only thing that scales.

The shape of the leak.

Two distinct exfiltration paths run through the Axios findings, and they want different controls.

The first is connection-based. An employee builds an internal tool on Lovable. The tool needs data. The employee pastes a Postgres connection string into the prompt. Lovable wires the application to the database. The deployed app, public by default until the user clicks a setting, now serves whatever the database returns to whoever finds the URL.

The second is content-based. An employee pastes a CSV of customer records into a prompt and asks the AI to "build me a dashboard." The data is baked into the application as static content. There is no connection to govern. The data was already in the LLM's session, and is now in the deployed bundle.

Different problems, different controls. Any honest governance story has to name them separately.

Govern the path, not the people.

The first path, the connection path, is the one DataDam was built for, and it is also the one that closes most of what RedAccess found. The architectural answer is older than AI. Enterprise IT controls what their managed devices and networks are allowed to talk to.

If the egress policy is "the only host allowed to reach prod Postgres on port 5432 is the DataDam proxy," then a Lovable application running on a corporate laptop cannot establish a working connection. The connection string is correct. The network refuses it. The vibe-coded app sees no data. There is nothing to leak. DataDam does not need to know Lovable exists for this control to fire. The network does.

DataDam closes the agent-side flank of the same control. Anthropic's Team and Enterprise plans expose MDM-deployable MCP allowlists through Jamf, Kandji, and Intune. IT sets DataDam's URL as the only sanctioned MCP endpoint, sets the local-dev override off, and the developer's IDE refuses to talk to anything else. Two enforcement points, same policy, both sitting in the network and device layers where social engineering does not reach.

The pattern is the answer. Govern the path, not the people. Make the sanctioned path the only path that works. Education does not scale. Topology does.

Education does not scale. Topology does. The sanctioned path has to be the only path that works.

What governance cannot fix.

The second path, the content path, is honestly outside what a connection-layer control can address. If an employee pastes a spreadsheet of patient records into a prompt and the platform persists it as static content in the deployed app, no proxy ever saw the data. Nothing flowed through any connection we can govern. The data went into the LLM's session and out into the deployed bundle. That is a data-handling problem at the LLM-egress layer, not at the agent-data layer.

Egress DLP is a separate control. It scans what gets sent to model vendors before it leaves. It is on our roadmap. It is not in the product today. We are not going to claim the connection-layer control fixes this problem. It does not. If your threat model includes employees pasting regulated data into AI tool prompts, you need DLP at the prompt layer, and you need it from a product whose job is that layer.

What we will say is this. The leak inventory in the Axios article is overwhelmingly the first kind. Vessels at ports. Active clinical trials. Customer service histories. Financial dashboards. These are connection-driven. They came from the database the application was wired to. The sanctioned-path architecture closes that flank.

The procurement-grade answer.

A CISO reading the Axios article and asking the right question, "what stops a developer at our company from shipping the same kind of app on Monday," deserves a grounded answer.

The grounded answer is two layers. Network egress policy: the only outbound route to your data is through the DataDam proxy. Device MDM policy: the only MCP server your fleet's AI tools can talk to is DataDam. Both policies live in the customer's existing IT tools. DataDam supplies the sanctioned endpoint that those policies allowlist. Every tool call goes through masking, denial, audit, and kill-switch infrastructure before it reaches the database.

Add the audit log, and "what stops a developer from shipping a vibe-coded app that leaks our data" becomes a question with a one-line technical answer and a one-line evidence answer. The technical answer is the policy. The evidence answer is the audit log that proves the policy is in force.

Closing.

The category of leak the Axios article describes is going to get worse before it gets better. The platforms named are not going away. The employees using them are not going to stop. Education at the user layer is not the answer the security team's headcount budget can afford. The answer that scales is architectural. Govern the path. Make the sanctioned path the only path. Write the policy in the layer the user cannot reroute around.

Source: RedAccess findings via Axios, 2026-05-07.

If your team is sitting in the same meeting Axios just ran on the front page, we would like to talk. Email hello@mydatadam.com.