TL;DR: Infrastructure as code is reshaping how platform engineers and DevOps teams build, standardise, and secure delivery pipelines, with the source article arguing that reusable templates, policy-as-code, drift detection, and self-service can reduce friction while improving control. The governance question is no longer whether automation works, but whether identity and access processes keep pace with the speed of infrastructure change.
At a glance
What this is: A guide comparing platform engineering and DevOps through the lens of infrastructure as code, with a strong emphasis on automation, standardisation, and governance.
Why it matters: It matters because infrastructure delivery now depends on identity, access, and policy controls that have to work across human teams, machine accounts, and increasingly automated workflows.
👉 Read ControlMonkey's article on platform engineering, DevOps, and IaC
Context
Infrastructure as code changes the control point for infrastructure from manual change to versioned, repeatable configuration. That shift matters to identity programmes because the same pipelines that provision infrastructure also create, use, and sometimes overextend the identities that operate it.
The article frames platform engineers and DevOps as different approaches to the same delivery challenge, but the deeper governance issue is whether access, approvals, and policy enforcement are embedded at the point of change. When infrastructure is self-service, identity controls have to be just as repeatable as the code they protect.
Key questions
Q: How should security teams govern access for infrastructure as code pipelines?
A: Security teams should treat IaC pipelines as privileged production systems. That means inventorying every service account, constraining its scope to the minimum required environment, enforcing approvals for destructive actions, and reviewing pipeline credentials on a lifecycle schedule. The goal is to make the pipeline's access as explicit and reviewable as the infrastructure it deploys.
Q: Why do platform engineering teams need tighter identity controls than traditional DevOps teams?
A: Platform engineering concentrates access into reusable templates, shared modules, and internal platforms, so a single identity can influence many workloads at once. That increases the impact of any excessive permission or exposed secret. Traditional DevOps often spreads responsibility more widely, but platform teams need stronger identity boundaries because they centralise the controls that others consume.
Q: What breaks when CI/CD service accounts are over-privileged?
A: Over-privileged CI/CD service accounts break the separation between build-time automation and production control. A compromised token can alter infrastructure, bypass guardrails, or deploy unreviewed changes across multiple environments. That turns delivery tooling into a high-value access path, which is why pipeline identities should be scoped, rotated, and monitored like any other privileged credential.
Q: Who should own identity governance for internal developer platforms?
A: Ownership should sit with the teams running the platform, but the policy model should be shared with IAM, security engineering, and compliance. Platform teams own the technical controls, while identity teams define review, approval, and lifecycle requirements. If ownership is unclear, access reviews, drift remediation, and exception handling will all fail at handoff.
Technical breakdown
How infrastructure as code changes the control surface
Infrastructure as code turns infrastructure definitions into version-controlled artefacts that can be reviewed, tested, and deployed repeatedly. In practice, that means the security model shifts from ticket-based approvals to policy enforcement inside pipelines, templates, and modules. The technical benefit is consistency, but the governance burden moves to the quality of the code, the access granted to automation, and the drift between intended and actual state. If the pipeline can create infrastructure, it can also create privileged paths that are hard to see after deployment.
Practical implication: treat IaC pipelines as identity-bearing systems and control who can author, approve, and execute them.
Platform engineering, self-service, and policy-as-code
Platform engineering uses reusable internal platforms to abstract complexity from application teams. That abstraction improves speed, but it also concentrates trust in a smaller set of templates, modules, and guardrails. Policy-as-code is the mechanism that keeps those abstractions safe, because it lets organisations encode allowed configurations, security baselines, and compliance requirements directly into the delivery path. Without that layer, self-service can become self-provisioned exposure, especially when teams inherit broad permissions from shared automation roles.
Practical implication: constrain self-service with policy-as-code rules that block unsafe identity and infrastructure combinations before deployment.
CI/CD pipelines, drift detection, and privileged automation
CI/CD pipelines are the operational spine of modern delivery, and they often run with service accounts or tokens that can reach production systems. That makes privileged automation a governance problem, not just a tooling problem. Drift detection helps identify when live infrastructure no longer matches the approved code, but it does not solve the underlying issue of who or what can change state. The bigger risk is that automation identities accumulate scope over time, especially when teams optimise for delivery speed and treat access as an implementation detail.
Practical implication: review pipeline identities, scope, and secrets as rigorously as you review human administrator access.
NHI Mgmt Group analysis
IaC is an identity governance problem as much as an infrastructure problem. The article correctly shows that automation, standardisation, and self-service improve delivery, but those same mechanics shift trust into pipelines, modules, and service accounts. That creates a governance surface where access is no longer reviewed only at the human layer. The implication is that identity control has to be embedded where infrastructure is declared and executed, not applied after the fact.
Platform engineering concentrates privilege even when it decentralises delivery. Internal developer platforms reduce friction for application teams, but they centralise policy, template design, and runtime permissions in a smaller operational core. That is useful only if the core identities are tightly governed. Otherwise, the platform becomes the place where standing privilege, over-broad automation tokens, and shared trust assumptions accumulate fastest.
Policy-as-code is the missing bridge between delivery speed and governable access. The article points to compliant blueprints and guardrails, which is the right direction for modern IaC programmes. The deeper lesson is that manual approval chains cannot keep pace with machine-speed provisioning. Organisations need identity controls that are encoded, testable, and repeatable at the same layer as infrastructure change.
Identity blast radius: The real risk in IaC environments is not just misconfiguration, but how far a single automation identity can reach once it is granted reusable access. When a pipeline token or service account can provision across environments, the impact of compromise expands well beyond one workload. Practitioners should treat scope design as a first-class control, because the blast radius is determined by identity reach as much as by code quality.
DevOps and platform teams are converging on the same governance question. Both roles now depend on the same delivery primitives, but they often inherit different accountability models. That split creates ambiguity around who owns access review, drift remediation, and policy enforcement. The field is moving toward shared infrastructure governance, and identity ownership has to follow the same consolidation.
From our research:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, the access model is already diverging from conventional IAM assumptions, according to The 2026 Infrastructure Identity Survey.
- For teams building governed delivery paths, the next step is to align identity lifecycle and automation controls with the NHI Lifecycle Management Guide before access sprawl becomes operational debt.
What this signals
Identity control is moving into the delivery layer. As platform teams build more self-service infrastructure, identity decisions are no longer confined to IAM tickets and periodic reviews. They are being encoded into pipelines, templates, and platform abstractions, which means governance failures will surface as delivery failures unless access ownership is made explicit.
Policy-as-code is becoming the practical boundary between scale and sprawl. Teams that cannot express access rules in machine-readable form will struggle to govern fast-moving infrastructure programmes. The next maturity step is not more manual oversight, but better control placement inside the delivery path, backed by the OWASP Non-Human Identity Top 10 for machine identity risk.
Identity blast radius should become a core design metric. If a single deployment identity can reach many environments, recovery and containment become slower even when configuration quality is high. That is why infrastructure governance now has to track scope, reuse, and lifecycle together instead of treating them as separate teams' problems.
For practitioners
- Map every automation identity used in IaC delivery Inventory the service accounts, tokens, and keys used by Terraform, CI/CD, and platform templates. Record where each identity can deploy, what it can change, and whether it is reused across environments.
- Move access controls into policy-as-code Encode baseline checks for environment scope, privileged actions, and approval requirements into the pipeline itself so unsafe changes fail before deployment rather than after review.
- Review privileged automation separately from human admin access Run a distinct entitlement review for pipeline roles, deployment bots, and platform service accounts, because their blast radius and lifecycle are different from those of human users.
- Track drift as an identity signal, not just a configuration signal When live infrastructure diverges from declared state, check whether the change came from an approved identity, an over-privileged token, or an unauthorised workflow execution.
Key takeaways
- Infrastructure as code improves speed, but it also moves trust into machine identities and automated workflows that need explicit governance.
- Platform engineering concentrates access around reusable templates and shared platforms, which can magnify the blast radius of over-privileged automation.
- Practitioners should embed policy, review, and lifecycle controls into delivery pipelines so identity governance keeps pace with infrastructure change.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | IaC pipelines rely on machine identities and secrets that need explicit governance. |
| NIST CSF 2.0 | PR.AC-4 | Shared platform access and privilege boundaries map to least-privilege access management. |
| NIST Zero Trust (SP 800-207) | Self-service infrastructure needs continuous verification and explicit trust boundaries. |
Apply least-privilege controls to platform roles, pipeline identities, and deployment permissions.
Key terms
- Infrastructure as Code: Infrastructure as code is the practice of defining infrastructure in version-controlled files that can be reviewed and deployed repeatedly. It shifts infrastructure management from manual operations to repeatable automation, which improves consistency but also creates new governance demands around access, approvals, and drift.
- Internal Developer Platform: An internal developer platform is a standardised set of tools, templates, and workflows that lets development teams provision and operate services with less friction. It centralises control to improve usability, which means the platform team's identities and policies become critical security boundaries.
- Policy as Code: Policy as code is the practice of writing security, compliance, and operational rules in machine-readable form so they can be enforced automatically. In IaC environments, it helps ensure that identity and infrastructure rules are applied consistently at deployment time instead of relying on manual review.
- Identity Blast Radius: Identity blast radius is the amount of systems, environments, or data that a single identity can influence if it is misused or compromised. In automated delivery environments, this is often determined by the scope of service accounts, tokens, and platform roles rather than by the code alone.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by ControlMonkey: Infrastructure-as-Code (IaC) and the differences between platform engineers and DevOps. Read the original.
Published by the NHIMG editorial team on 2025-12-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
