AI agents capable of completing tasks independently have found their first widespread application in the software industry. This raises questions regarding both the intellectual property rights to the developed software and compliance with new legal requirements for software security.
Artificial intelligence capable of not only generating content but also planning and executing entire tasks has been the subject of intense debate for several months under the term “Agentic AI” or “AI agents”.
While many industries are still experimenting with early concepts, this technology is already widely used in software development projects. AI agents are indeed increasingly being used by companies to develop software. In practice, this is also referred to as “vibe coding”.
AI Agents Enter the Software Industry
Vibe coding means that developers no longer write the source code themselves but rather provide the AI agent with a description of the software to be developed. The AI agent then conducts supplementary online research to complete the provided description with certain assumptions, decides which programming languages and third-party open-source components to use, and ultimately writes the software independently. AI agents often switch between different AI models for different sub-tasks based on which model is best suited for the job. This allows AI agents to produce executable software within 30 minutes – work that might take an experienced developer several days.
Who Owns the Developed Software?
Copyright law provides comprehensive protection for software. However, in most jurisdictions, this applies only to the extent that the software constitutes an original work of authorship, meaning a creative work of a human being. But whose creation is the software in the case of vibe coding?
A general principle of copyright law is that abstract ideas alone are not subject to legal protection. Rather, only the creative expression of an idea enjoys copyright protection. In the case of vibe coding, however, the human developer usually contributes only the description of the software (i.e., the idea), while the AI agent handles the creative implementation. Since the developer is not directly involved in the creative process and the AI agent is not a human and therefore cannot acquire or hold rights, no copyright typically arises if a pure form of vibe coding is practiced.
The position under UK law is more nuanced. Section 9(3) of the Copyright, Designs and Patents Act 1988 provides that, in the case of a “computer‑generated” work, the author is deemed to be “the person by whom the arrangements necessary for the creation of the work are undertaken”. Unlike most jurisdictions, UK copyright law therefore contains a mechanism for allocating authorship where no human author can be specifically identified on creation of the work, potentially avoiding the copyright vacuum that may arise in pure vibe coding. However, applying this provision to agentic AI workflows raises difficult attribution questions in comparison to the computer programmes of the 80s/90s that it was designed to cover. Where an AI agent independently determines design choices, conducts supplementary research and selects programming tools or models, it may be unclear whether the relevant “arrangements” are undertaken by the individual developer providing high‑level prompts, the company deploying the agent, or the AI vendor supplying the underlying system. As the autonomy of AI agents increases, the link between human decision‑making and the resulting source code may become too attenuated to provide certainty as to authorship, even under the UK’s comparatively interventionist statutory framework.
Under Swiss law, copyright protection requires a human intellectual creation and Swiss law does not recognise computer‑generated works. This has particular consequences where vibe coding occurs in the context of an employment relationship. While software developed by an employee as part of their duties is automatically owned by the employer under Art. 17 Swiss Copyright Act, this statutory allocation presupposes that a protectable computer program exists in the first place. In cases of pure vibe coding this requirement is typically not met. As a result, unlike traditional employee‑developed software, vibe‑coded software is generally not owned by the employer under Swiss law, because no copyright arises at all absent sufficient human creative input by the employee.
No Protection for Digital Rights Management
In most jurisdictions, copyright law also prohibits the circumvention of Digital Rights Management (DRM) systems. Violations may result in consequences under civil law such as injunctions or damage claims, or even criminal sanctions, depending on the laws of the relevant jurisdiction. However, in most jurisdictions, all of this applies only to the extent that the software developer holds an exclusive right to the software. Since this is generally not the case where vibe coding is practiced in a pure form, the legal protection against the circumvention of DRM systems also does not apply.
Open-Source Compliance as a Structural Risk
The fact that software created through pure vibe coding does not enjoy copyright protection in most jurisdictions does not mean that it could not infringe the copyrights of third parties. For example, if the AI agent incorporates source code from an open source project whose license terms are not complied with when distributing the vibe-coded software, a copyright infringement occurs.
Most open source licenses require, at a minimum, the retention of a copyright notice within the source code. In addition, many popular open source licenses, such as the GNU General Public License (GPL) stipulate that software containing GPL-licensed code must also be made available in source code under the GPL. Companies are therefore well-advised to conduct additional quality checks to ensure that open source code fragments have not been included in their software in an unauthorized manner. Automated software tools to perform such checks are well-established on the market.
On Collision Course with the EU’s Cyber Resilience Act?
Starting 11 December 2027, the EU Cyber Resilience Act requires that software may only be placed on the EU market if it has been designed and developed to provide an appropriate level of cybersecurity. In practice, a company will only be able to ensure conformity with this requirement if the code developed by an AI agent has been reviewed by a sufficiently experienced developer. Without such a review, design flaws in the software can easily arise, which may constitute serious cyber security vulnerabilities.
Controlled Vibe Coding
Not least to ensure that software developed today can still be sold after December 2027, companies should adopt a model of controlled vibe coding, also known as responsible AI-assisted development. In this context, the AI agent essentially assumes the role of a junior software developer but does not relieve the company of the need to employ experienced software developers for quality control.
Conclusion
Vibe coding is driving structural changes in the software industry. As a result, the software industry is facing the challenges of widespread AI agent deployment before many other industries. Companies developing software would be well-advised to permit vibe coding only in a controlled setting. This way, the quality of the developed software, the compliance with license terms of integrated open source software as well as compliance with the EU Cyber Resilience Act can be ensured. Additionally, if an experienced software developer makes sufficiently significant changes to the source code, the software will retain copyright protection despite the use of vibe coding.
