TL;DR: Infrastructure-as-Code is accelerating DevOps and DevSecOps adoption because teams want faster, repeatable delivery with embedded policy, drift detection and compliance checks, according to ControlMonkey. For identity teams, the shift matters because cloud change control increasingly depends on codified access, secrets and environment governance rather than on manual review.
NHIMG editorial — based on content published by ControlMonkey: DevOps vs DevSecOps in the IaC era
Questions worth separating out
Q: How should security teams govern access in infrastructure-as-code pipelines?
A: Security teams should treat infrastructure-as-code pipelines as part of the access control plane.
Q: When does DevSecOps add real value over standard DevOps?
A: DevSecOps adds real value when delivery speed is already high enough that manual security review cannot keep up.
Q: What breaks when Infrastructure-as-Code is treated only as an operations tool?
A: What breaks is governance visibility.
Practitioner guidance
- Map identity controls into IaC pipelines: treat repositories, pull requests, build steps and deployment approvals as control points where access and policy are verified before infrastructure changes are applied.
- Track security technical debt alongside delivery metrics: report remediation age, vulnerability discovery rate and policy exception counts next to deployment frequency so security risk is visible to engineering leadership.
- Make drift detection an escalation path: define what happens when live infrastructure diverges from declared state, including who owns the exception, who reviews the change and when rollback is required.
What's in the full article
ControlMonkey's full blog covers the operational detail this post intentionally leaves for the source:
- A side-by-side breakdown of DevOps and DevSecOps responsibilities across IaC, CI/CD and monitoring.
- A metrics table covering deployment frequency, MTTR, vulnerability discovery rate and security technical debt.
- A tool-by-tool view of how pipeline, observability and incident response platforms fit into the workflow.
- A practical explanation of how the platform claims to support drift detection and remediation in cloud environments.
👉 Read ControlMonkey's analysis of DevOps vs DevSecOps in the IaC era →
IaC, DevOps and DevSecOps: what changes for identity teams?
Explore further
IaC has turned delivery pipelines into identity governance infrastructure. Once access, policy and environment state are all defined in code, the pipeline becomes a governance system rather than a build utility. That changes the operating model for human IAM, NHI controls and machine-operated change processes because the control plane itself now provisions effective access and configuration. Practitioners should treat pipeline governance as part of identity governance, not a separate engineering concern.
A few things that frame the scale:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: How do organisations know whether drift detection is actually working?
A: Drift detection is working when it consistently identifies unauthorised or untracked changes before they become accepted state. Good signals include fewer unexplained production differences, faster ownership assignment for exceptions and a clear record of which changes were approved versus corrected. If drift alerts are frequent but unresolved, the control is producing noise rather than governance.
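The practitioner guidance above (drift detection as an escalation path, with a named owner, a review step and a rollback decision) and this answer (drift alerts that stay unresolved are noise, not governance) are easier to reason about with a concrete diff in hand. The following is an added example, not ControlMonkey's platform code or NHIMG's: it compares a declared IaC state with an observed live state, attributes each difference to an owner, checks it against a change-approval log, decides whether rollback is required, and reports the share of alerts still unresolved. The resource names, the set of attributes treated as security-sensitive and the approval log are all constructed for the example.

```python
from dataclasses import dataclass

# Attributes whose unapproved drift forces rollback (an assumption of this example).
SENSITIVE_ATTRS = {"public", "iam_policy", "encryption", "ingress"}
UNTRACKED = "<untracked>"   # resource exists live but is not declared in code
MISSING = "<missing>"       # resource declared in code but absent live


@dataclass
class DriftEvent:
    resource: str
    attribute: str
    declared: object
    observed: object
    owner: str
    approved: bool
    rollback_required: bool
    resolved: bool


def detect_drift(declared, observed, owners, approvals):
    """Diff declared IaC state against live state and build escalation records.

    declared/observed: {resource: {attribute: value}}
    owners: {resource: owner}; resources without an entry are 'unassigned'
    approvals: {(resource, attribute)} pairs that passed pipeline review
    """
    events = []

    def record(resource, attribute, want, have):
        approved = (resource, attribute) in approvals
        sensitive = attribute in SENSITIVE_ATTRS or attribute == UNTRACKED
        events.append(DriftEvent(
            resource=resource, attribute=attribute, declared=want, observed=have,
            owner=owners.get(resource, "unassigned"),
            approved=approved,
            rollback_required=(not approved) and sensitive,
            resolved=approved,  # an approved change is already accepted state
        ))

    for resource, spec in declared.items():
        live = observed.get(resource)
        if live is None:
            record(resource, MISSING, spec, None)
            continue
        for attribute in sorted(set(spec) | set(live)):
            if spec.get(attribute) != live.get(attribute):
                record(resource, attribute, spec.get(attribute), live.get(attribute))

    for resource in observed:
        if resource not in declared:
            record(resource, UNTRACKED, None, observed[resource])
    return events


def escalation_action(event):
    """Map a drift alert onto the escalation path: record, review or rollback."""
    if event.approved:
        return "record"      # went through the pipeline: keep as the audit trail
    if event.rollback_required:
        return "rollback"    # security-relevant and unapproved: revert, then review
    return "review"          # non-sensitive and unapproved: owner reviews and decides


def mark_resolved(events, resource, attribute):
    for e in events:
        if e.resource == resource and e.attribute == attribute:
            e.resolved = True


def noise_ratio(events):
    """Share of alerts still unresolved; a value near 1.0 means noise, not governance."""
    if not events:
        return 0.0
    return sum(1 for e in events if not e.resolved) / len(events)


def summarise(events):
    return {
        "total": len(events),
        "approved": sum(e.approved for e in events),
        "rollback_required": sum(e.rollback_required for e in events),
        "unassigned_owner": sum(e.owner == "unassigned" for e in events),
        "noise_ratio": noise_ratio(events),
    }


# Constructed sample state; none of these resources or values come from a real environment.
DECLARED = {
    "s3/audit-logs": {"public": False, "encryption": "aes256", "versioning": True},
    "iam/role-deployer": {"iam_policy": "deploy-only", "max_session": 3600},
    "vpc/sg-web": {"ingress": ["443"]},
}
OBSERVED = {
    "s3/audit-logs": {"public": True, "encryption": "aes256", "versioning": True},
    "iam/role-deployer": {"iam_policy": "deploy-only", "max_session": 7200},
    "vpc/sg-web": {"ingress": ["443", "22"]},
    "vpc/sg-debug": {"ingress": ["0-65535"]},
}
OWNERS = {"s3/audit-logs": "platform-team", "iam/role-deployer": "identity-team"}
APPROVALS = {("iam/role-deployer", "max_session")}  # constructed change-ticket log

if __name__ == "__main__":
    evts = detect_drift(DECLARED, OBSERVED, OWNERS, APPROVALS)
    for e in evts:
        print(f"{e.resource}.{e.attribute}: {e.declared!r} -> {e.observed!r} "
              f"owner={e.owner} action={escalation_action(e)}")
    print(summarise(evts))
```

Two design points carry the governance argument. First, approval is keyed on the (resource, attribute) pair, so a change that went through pull request review is recorded as accepted state rather than raised as an alert, which is what keeps the detector from drowning reviewers. Second, an untracked resource is always routed to rollback because it bypassed the pipeline entirely, and any event whose owner is "unassigned" is itself a finding: it shows a gap in the ownership map before anyone has reviewed the change.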
👉 Read our full editorial: DevOps vs DevSecOps in the IaC era: what changes for identity