TL;DR: Infrastructure as Code coverage should be treated as a security metric because unmanaged resources sit outside preventative controls, remediation, and auditability, and the post links low coverage to twice the risk of governed infrastructure, according to ControlMonkey. The editorial takeaway is that coverage now functions as a forward-looking indicator of cloud identity and control-plane exposure, not just delivery consistency.
At a glance
What this is: This analysis argues that Infrastructure as Code coverage is a security metric because unmanaged resources create blind spots where policy enforcement, validation, and accountability break down.
Why it matters: For IAM, NHI, and cloud security teams, IaC coverage matters because it reveals where controls cannot reliably see, govern, or remediate infrastructure risk.
👉 Read ControlMonkey's analysis of why IaC coverage belongs on security dashboards
Context
Infrastructure as Code coverage is the share of cloud infrastructure that is defined and managed through code rather than console changes, scripts, or tribal knowledge. The core problem is not delivery speed but governance opacity: if a resource is outside code, it is often outside consistent policy enforcement, validation, and audit.
That makes coverage relevant to identity security because unmanaged infrastructure tends to hide the access paths, exceptions, and change histories that IAM, PAM, and security teams depend on. The article’s central claim is that coverage is a shared security metric, not a cloud-team-only hygiene indicator.
For teams already tracking vulnerability management and compliance scores, the missing question is where those controls cannot even reach. In practice, IaC coverage becomes a proxy for the size of the unmanaged control surface.
Key questions
Q: How should cloud teams measure Infrastructure as Code coverage in practice?
A: Measure the percentage of cloud resources managed through approved code paths versus those created manually or by script. Then segment the result by account, environment, and resource type so the score shows where governance is weakest. A single overall number is useful, but breakdowns reveal where remediation effort will have the biggest security impact.
Q: Why do unmanaged cloud resources increase security risk?
A: Unmanaged resources sit outside the controls that make cloud change governable, including policy checks, version control, and auditable approvals. That means they are harder to inspect, slower to fix, and easier to forget when standards evolve. In practice, they create a security blind spot that survives even when the rest of the environment is well managed.
Q: What do security teams get wrong about IaC coverage?
A: They often treat coverage as a DevOps efficiency measure rather than a control-plane visibility measure. That mistake matters because the security value comes from what code makes governable, not from how quickly infrastructure can be deployed. If coverage is low, the organisation is accepting a larger unmanaged attack and audit surface.
Q: Who should own remediation when cloud resources are outside IaC?
A: Ownership should sit with the team that can either codify the resource or retire it, but security should track the risk until that happens. The key is to avoid orphaned exceptions. If no one is accountable for bringing a resource under code, it will remain outside policy enforcement indefinitely.
Technical breakdown
Why unmanaged infrastructure bypasses policy-as-code controls
IaC systems work because configuration is reviewed, versioned, and validated before deployment. When a resource is created directly in a cloud console, it skips that pipeline entirely. That means no static analysis, no policy-as-code gates, and no repeatable approval trail. The result is not just inconsistency but a structural blind spot where security tooling has weaker context and fewer opportunities to stop risky change before it lands.
Practical implication: identify every resource type that can still be created outside code and treat it as outside preventative control coverage.
How coverage gaps create drift and remediation debt
Unmanaged resources rarely stay static. They drift from module standards, accumulate exceptions, and miss the security updates that managed infrastructure inherits through shared code. Because there is no reusable module ownership, remediation becomes manual and slower, and accountability is harder to trace. Over time, the gap widens between current policy intent and the actual deployed state, especially in fast-moving cloud environments with multiple teams and stacks.
Practical implication: map unmanaged resources to owners and remediation paths before the drift becomes an operational backlog.
Why IaC coverage functions as a security signal
Coverage matters because it tells you what proportion of the environment can actually be governed by the controls you trust. High coverage means better consistency, clearer auditability, and stronger change accountability. Low coverage means the opposite: more ClickOps, weaker visibility into who changed what, and more dependency on manual investigation after something goes wrong. In that sense, coverage is not a vanity metric. It is a leading indicator of control-plane exposure.
Practical implication: put coverage alongside risk and compliance metrics so leaders can see where governance is missing, not just where findings exist.
NHI Mgmt Group analysis
IaC coverage is now a security control boundary, not an engineering preference. The article is right to separate managed from unmanaged infrastructure because the boundary determines whether preventative controls can operate at all. Once resources exist outside code, policy enforcement becomes inconsistent and auditability becomes partial. For practitioners, the important shift is to treat coverage as a governance boundary that defines where security can and cannot reliably intervene.
Unmanaged infrastructure creates identity and change blind spots that cloud teams often underestimate. Even when the workload itself is not an IAM system, the access paths used to create, modify, and recover it are identity events. Console-created resources weaken change attribution, complicate access review, and make remediation slower because ownership is often informal. The practitioner conclusion is that identity governance and IaC governance now need to be measured together.
Coverage debt is a better name for this risk than configuration drift alone. Drift describes a state change, but coverage debt captures the accumulated governance deficit created when whole resources never enter code in the first place. That gap compounds over time because modules improve while unmanaged resources stay frozen outside policy evolution. Practitioners should read this as a programme-level debt problem, not a point-in-time misconfiguration issue.
Shared metrics are the only practical way to reduce friction between cloud and security teams. The article correctly identifies org friction as part of the problem, because separate dashboards lead to separate priorities. A shared coverage metric gives both teams a common language for blind spots, ownership, and remediation sequencing. The practitioner takeaway is straightforward: if the metric is not shared, the accountability will stay fragmented.
Infrastructure defined outside code is also infrastructure defined outside evidence. If the control plane cannot see a resource through versioned infrastructure, it cannot easily prove when it changed, who changed it, or whether policy was present at the point of change. That matters for audit, incident response, and compliance alike. The implication is that evidence quality should be considered part of coverage maturity.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI, even as most are racing toward autonomous adoption.
- For the broader identity and access picture, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs.
What this signals
Coverage metrics are likely to become a standard part of cloud governance scorecards because teams can no longer rely on deployment velocity alone to prove control. The practical shift is toward evidence-driven operations, where every unmanaged resource is treated as an exception that must either be coded or explicitly retired.
With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, per The 2026 Infrastructure Identity Survey, the wider pattern is clear: governance gaps rarely stay isolated. What begins as a cloud delivery exception often becomes a security blind spot once identity, automation, and infrastructure change start to intersect.
For practitioners
- Inventory unmanaged infrastructure by control plane Map every cloud account, subscription, and project to resources created outside IaC so you can see where policy-as-code does not apply. Include console-created assets, one-off scripts, and legacy stacks that bypass standard modules.
- Track coverage as a risk metric in leadership dashboards Place IaC coverage next to vulnerability and compliance indicators so cloud and security leaders can review the same exposure picture. Use the metric to prioritise remediation work instead of treating it as a delivery-only KPI.
- Assign ownership for every unmanaged resource class Give each unmanaged resource a named owner, remediation path, and target system of record so it can be folded into code or explicitly retired. Without ownership, coverage gaps become permanent exceptions.
- Tie review cycles to out-of-band change detection Use periodic reviews to identify resources changed outside approved pipelines and measure how quickly those changes are reconciled into code. This exposes where control enforcement is weakest and where drift is compounding.
Key takeaways
- IaC coverage is a governance metric because unmanaged infrastructure sits outside the policy, validation, and audit mechanisms that make cloud change controllable.
- The security issue is not abstract. Unmanaged resources create a larger blind spot for visibility, accountability, and remediation than teams usually assume.
- Practitioners should measure coverage, assign ownership for unmanaged resources, and use the metric to drive both remediation sequencing and leadership reporting.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Coverage gaps expose where access and change controls no longer apply consistently. |
| NIST Zero Trust (SP 800-207) | Unmanaged resources weaken continuous verification and control-plane trust. | |
| NIST CSF 2.0 | GV.OV-01 | Coverage should be visible as a governance outcome, not just an engineering metric. |
Treat infrastructure created outside code as outside trusted verification until it is brought under policy.
Key terms
- Infrastructure as Code coverage: The proportion of infrastructure that is created, changed, and governed through code rather than manual console activity. Higher coverage usually means stronger consistency, better auditability, and fewer blind spots. In security terms, it measures how much of the environment can actually be controlled by preventative policy and reviewed change history.
- Unmanaged resources: Cloud assets that exist outside approved infrastructure code, such as console-created systems, ad hoc scripts, or legacy exceptions. They are difficult to validate, hard to audit, and often miss the security updates that managed modules inherit automatically. These resources create a hidden governance surface that tends to grow over time.
- Policy-as-code: A method of encoding security and governance rules so they can be tested and enforced before deployment. In cloud environments, this helps prevent risky configuration from reaching production and creates a repeatable approval trail. It depends on infrastructure being represented in code, which is why coverage is so important.
- Control-plane blind spot: A part of the environment where security and governance tools cannot reliably see, validate, or enforce change. When resources are created outside code, the control plane has less context and weaker evidence about who changed what and when. Blind spots are where misconfiguration and accountability failures tend to persist.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by ControlMonkey: IaC coverage as a security metric. Read the original.
Published by the NHIMG editorial team on 2025-07-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
