The share of infrastructure that is created, changed, and governed through code rather than manual console actions. In practice, it measures how much of the environment can be reviewed, reproduced, and remediated through a controlled delivery path instead of ad hoc operator behaviour.
Expanded Definition
Infrastructure as Code coverage is the proportion of infrastructure assets, configuration states, and change pathways that are expressed in version-controlled code rather than handled through manual console work. In NHI security, the term matters because code-defined infrastructure can be reviewed, tested, approved, and remediated through the same controls that govern secrets, service accounts, and agent permissions.
Coverage is not just about whether Terraform, CloudFormation, or similar tooling exists. Definitions vary across vendors, but operationally the question is whether the real control plane is codified: network rules, IAM bindings, secret references, pipeline permissions, and rollback logic. When coverage is high, teams can trace who changed what and when, and can apply change control consistently with NIST Cybersecurity Framework 2.0. It also supports the governance model described in Ultimate Guide to NHIs, where identity and infrastructure drift must be visible before they become incidents.
The most common misapplication is counting only greenfield IaC modules while production changes still happen outside code through ad hoc hotfixes, console edits, or untracked agent actions.
Examples and Use Cases
Implementing Infrastructure as Code coverage rigorously often introduces delivery constraints, requiring organisations to weigh deployment speed against the overhead of codifying every supported change path.
- A platform team manages VPCs, security groups, and IAM roles in code, then blocks manual edits so review history remains authoritative.
- A security team measures what share of cloud accounts, clusters, and secret-store policies are rebuilt from pipelines instead of repaired through emergency console access.
- An AI operations team limits autonomous agents to code-based change requests so every infrastructure mutation has an approval trail and rollback path, consistent with the governance concerns raised in The 2026 Infrastructure Identity Survey.
- A compliance team uses policy-as-code to enforce tagging, encryption, and logging requirements across environments, aligning those checks with NIST Cybersecurity Framework 2.0.
- An incident response team recreates a compromised environment from code to compare intended state with live state and isolate drift introduced by emergency changes.
In practice, coverage is strongest when the IaC scope includes the control plane that affects NHI exposure, not just application hosting resources.
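As an added example (not code from the original page), the following Python computes the two coverage figures the use cases above depend on, overall coverage versus control-plane coverage, from a constructed live inventory and a constructed set of resource IDs present in IaC state, and surfaces drift in both directions; the resource type names, IDs and the CONTROL_PLANE_TYPES set are assumptions for illustration.

```python
"""Infrastructure as Code coverage check over a live inventory.

Added example. Both inventories are constructed sample data, not output of a
real provider API: LIVE is what exists in the environment, MANAGED is the set of
resource IDs present in version-controlled IaC state.
"""

# Assumption for the example: these resource types shape NHI exposure
# (IAM bindings, secret references, pipeline permissions, network rules),
# so they are reported separately from plain hosting resources.
CONTROL_PLANE_TYPES = {"iam_role", "iam_policy_binding", "secret",
                       "pipeline_permission", "security_group"}

# Constructed live inventory: (resource_type, resource_id)
LIVE = [
    ("vpc", "vpc-01"),
    ("security_group", "sg-web"),
    ("security_group", "sg-hotfix-2024"),   # console edit during an incident
    ("iam_role", "role-app-runtime"),
    ("iam_role", "role-agent-temp"),        # created by an agent, never codified
    ("secret", "db-password-ref"),
    ("ec2_instance", "i-web-1"),
    ("ec2_instance", "i-web-2"),
]

# Constructed IaC state: IDs defined in code. "role-decommissioned" is in code
# but no longer exists live, which is drift in the other direction.
MANAGED = {"vpc-01", "sg-web", "role-app-runtime", "db-password-ref",
           "i-web-1", "i-web-2", "role-decommissioned"}


def coverage_report(live, managed):
    """Return overall and control-plane coverage plus the drift behind the gap."""
    live_ids = {rid for _, rid in live}
    covered = sum(1 for _, rid in live if rid in managed)
    control = [(t, rid) for t, rid in live if t in CONTROL_PLANE_TYPES]
    control_covered = sum(1 for _, rid in control if rid in managed)
    return {
        "overall": covered / len(live) if live else 0.0,
        "control_plane": control_covered / len(control) if control else 0.0,
        # exists live, affects NHI exposure, not reviewable through code
        "control_plane_drift": [(t, rid) for t, rid in control if rid not in managed],
        # defined in code but absent live: state no longer reflects reality
        "defined_but_absent": sorted(managed - live_ids),
    }


if __name__ == "__main__":
    for key, value in coverage_report(LIVE, MANAGED).items():
        print(f"{key}: {value}")
```

Overall coverage looks healthy here (6 of 8 resources) while control-plane coverage is lower (3 of 5), which is the gap the greenfield-only count hides.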
Why It Matters in NHI Security
Infrastructure as Code coverage is a security control because NHIs often inherit their privileges from infrastructure definitions. If a service account, workload identity, or API key reference is created outside code, it becomes harder to review, rotate, or revoke in a disciplined way. That is how secret sprawl and privilege drift begin. The Ultimate Guide to NHIs reports that 30.9% of organisations store long-term credentials directly in code, and 96% store secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Those conditions make coverage more than an engineering metric. They determine whether a team can prove where identities exist, which systems they can reach, and how quickly they can be remediated after exposure. When coverage is low, manual exceptions accumulate, review trails fracture, and least privilege becomes difficult to enforce at scale. This is especially important when infrastructure is being changed by AI agents, because undocumented changes can expand access before anyone notices. Organisations typically encounter the operational cost only after a breach, outage, or failed audit, at which point Infrastructure as Code coverage becomes unavoidable to reconstruct and contain the blast radius.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | IaC coverage reduces secret sprawl and unmanaged NHI configuration paths. |
| NIST CSF 2.0 | PR.IP-3 | The framework emphasizes change management and secure configuration through controlled processes. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires consistent policy enforcement that IaC helps automate and audit. |
Track infrastructure changes in code and enforce approvals, testing, and rollback for all production changes.