
Infrastructure as code coverage: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Infrastructure that lives outside code loses traceability, approval flow, policy enforcement and recoverability, according to ControlMonkey's checklist for IaC platforms. The governance gap is not just a matter of operational convenience; it is a control boundary that determines whether cloud change remains auditable, repeatable and resilient.

NHIMG editorial — based on content published by ControlMonkey: a checklist for what to look for in an IaC platform

Questions worth separating out

Q: How should security teams govern identity-related cloud resources in infrastructure as code workflows?

A: Security teams should require identity-related resources, such as permissions, policies and access paths, to move through the same version-controlled workflow as the rest of the stack.

Q: Why does unmanaged infrastructure create security and audit risk?

A: Unmanaged infrastructure creates security and audit risk because it breaks the chain of evidence between approved change and actual change.

Q: How do teams know if drift detection is actually working?

A: Drift detection is working when it reliably flags differences between declared infrastructure and deployed reality, and those findings lead to timely ownership and remediation.

Practitioner guidance

  • Inventory unmanaged identity-relevant resources: map resources that sit outside Terraform across accounts, regions and services, with special attention to IAM, storage, networking and container configurations that affect access paths.
  • Make Terraform state part of the control plane: require every imported stack to produce accurate state before it is treated as governed, and block promotion when state is missing or incomplete.
  • Enforce policy checks before merge: run plan and policy evaluation in pull requests so exceptions are visible before deployment rather than discovered during incident response.

What's in the full article

ControlMonkey's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step criteria for choosing an IaC platform that can discover unmanaged resources across accounts and regions.
  • Practical guidance on generating clean Terraform code and matching state files at scale without manual import loops.
  • The article's own checklist for PR creation, CI/CD integration and automated drift detection in large environments.
  • Implementation-oriented examples of how to bring unmanaged cloud resources back under version control.

👉 Read ControlMonkey's checklist for evaluating infrastructure as code platforms →
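The third practitioner point above, running plan and policy evaluation in the pull request, is easiest to see as code. The block below is an added example for this thread, not code from ControlMonkey or NHIMG: it reads the JSON that `terraform show -json plan.tfplan` produces, walks `resource_changes`, and raises findings for wildcard grants in identity policies, trust policies open to any principal, and IAM resources scheduled for deletion. The plan document embedded in it is constructed by hand and trimmed to the fields the check reads; resource names and the severity labels are assumptions, and the wildcard rules are one reasonable baseline, not ControlMonkey's checklist.

```python
"""Pre-merge IAM gate over `terraform show -json plan.tfplan` output.

Added example, not ControlMonkey's or NHIMG's code. SAMPLE_PLAN is constructed.
"""
import json

IAM_POLICY_TYPES = {"aws_iam_policy", "aws_iam_role_policy",
                    "aws_iam_user_policy", "aws_iam_group_policy"}


def _as_list(value):
    # IAM policy JSON allows a string or a list in Action/Resource/Principal.
    return value if isinstance(value, list) else [value]


def policy_findings(doc):
    """Flag Allow statements that grant wildcard actions or resources."""
    out = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            out.append(f"statement {i}: NotAction grants everything not listed")
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            out.append(f"statement {i}: wildcard action {actions}")
        if "*" in _as_list(stmt.get("Resource", [])):
            out.append(f"statement {i}: wildcard resource")
    return out


def trust_findings(doc):
    """Flag trust policies that let any principal assume the role."""
    out = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):
            principals = [principal]
        else:
            principals = [p for v in principal.values() for p in _as_list(v)]
        if "*" in principals:
            out.append(f"statement {i}: Principal '*' (any account may assume)")
    return out


def evaluate_plan(plan):
    """Return (address, severity, reason) for every IAM change in a plan JSON."""
    findings = []
    for rc in plan.get("resource_changes", []):
        rtype, addr = rc["type"], rc["address"]
        if not rtype.startswith("aws_iam_"):
            continue
        change = rc["change"]
        after = change.get("after") or {}  # None when the resource is deleted
        if "delete" in change["actions"]:
            findings.append((addr, "high", "IAM resource destroyed (delete in plan actions)"))
        if rtype in IAM_POLICY_TYPES and after:
            if after.get("policy") is None:
                # Only known after apply: it cannot be reviewed, so say so in the PR.
                findings.append((addr, "info", "policy document not known at plan time"))
            else:
                for msg in policy_findings(json.loads(after["policy"])):
                    findings.append((addr, "high", msg))
        if rtype == "aws_iam_role" and after.get("assume_role_policy"):
            for msg in trust_findings(json.loads(after["assume_role_policy"])):
                findings.append((addr, "high", msg))
    return findings


def gate(plan):
    """(may_merge, findings): merge is blocked by any high-severity finding."""
    findings = evaluate_plan(plan)
    return not any(sev == "high" for _, sev, _ in findings), findings


def _change(address, rtype, actions, after):
    return {"address": address, "type": rtype,
            "change": {"actions": actions, "after": after}}


# Constructed plan excerpt (hypothetical addresses), shaped like terraform's JSON.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    _change("aws_iam_role_policy.reader", "aws_iam_role_policy", ["create"],
            {"policy": json.dumps({"Statement": [{"Effect": "Allow",
             "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})}),
    _change("aws_iam_role_policy.wide", "aws_iam_role_policy", ["update"],
            {"policy": json.dumps({"Statement": [{"Effect": "Allow",
             "Action": "s3:*", "Resource": "*"}]})}),
    _change("aws_iam_role.ci", "aws_iam_role", ["create"],
            {"assume_role_policy": json.dumps({"Statement": [{"Effect": "Allow",
             "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})}),
    _change("aws_iam_user.legacy", "aws_iam_user", ["delete"], None),
]}

if __name__ == "__main__":
    ok, found = gate(SAMPLE_PLAN)
    print("merge allowed:", ok)
    for addr, sev, reason in found:
        print(f"{sev:5} {addr}: {reason}")
```

In a CI job the script would read the plan from a file and exit non-zero when `gate` returns `False`, which is what makes the exception visible in the pull request rather than after apply. A `policy` whose value is only known after apply is reported as informational so the reviewer knows the document was not actually evaluated.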


(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Infrastructure as code coverage is now an identity governance issue, not just a DevOps preference. Once cloud resources are created outside code, identity-adjacent controls lose traceability, approval context and repeatability. That weakens governance for permissions, access paths and audit evidence across the environment. Practitioners should treat unmanaged infrastructure as part of the identity surface, not a separate engineering nuisance.

A few things that frame the scale:

A question worth separating out:

Q: What is the difference between Terraform code and Terraform state for governance?

A: Terraform code describes the intended configuration, while Terraform state records the managed relationship between that code and real resources. Governance depends on both. Code without state cannot reliably support import, drift detection or recovery, and state without discipline can quickly become stale or misleading.

👉 Read our full editorial: Infrastructure as code coverage defines control, recovery and scale
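The code-versus-state distinction in this reply, and the inventory and drift-detection points in the opening post, both come down to one operation: reconciling what state says is managed against what actually exists. The block below is an added example for this thread, not ControlMonkey's or NHIMG's code. It reads a version 4 `terraform.tfstate` document, keeps only managed `aws_iam_role` instances (a `data` block referencing a role does not make it governed), and compares them with a live role listing in the shape boto3's `iam.list_roles()` returns after decoding the trust policy. Roles are classified as unmanaged (live but absent from state), stale (in state but gone), or drifted (present in both with a tracked attribute changed). Both inputs are constructed, the role names are hypothetical, and the tracked attributes are a deliberate minimum.

```python
"""Reconcile Terraform state against live IAM roles.

Added example, not ControlMonkey's or NHIMG's code. Both inputs are constructed.
"""
import json

TRACKED = ("trust", "max_session_duration")  # attributes compared for drift


def canonical(doc):
    # Trust policies arrive as a JSON string (state) or a dict (API); compare a
    # canonical serialisation so key order alone is never reported as drift.
    if isinstance(doc, str):
        doc = json.loads(doc)
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def roles_from_state(state):
    """Managed aws_iam_role instances in a v4 state file, keyed by role name."""
    roles = {}
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "aws_iam_role":
            continue  # data sources and other types are not governed here
        for inst in res.get("instances", []):
            attrs = inst["attributes"]
            roles[attrs["name"]] = {
                "address": f"aws_iam_role.{res['name']}",
                "trust": canonical(attrs["assume_role_policy"]),
                "max_session_duration": attrs.get("max_session_duration"),
            }
    return roles


def roles_from_api(listing):
    """Live roles as boto3's iam.list_roles() returns them (trust policy decoded)."""
    return {r["RoleName"]: {"trust": canonical(r["AssumeRolePolicyDocument"]),
                            "max_session_duration": r.get("MaxSessionDuration")}
            for r in listing}


def reconcile(state, listing):
    """Classify roles as unmanaged, stale_state or drifted (with differing keys)."""
    declared, actual = roles_from_state(state), roles_from_api(listing)
    report = {"unmanaged": sorted(set(actual) - set(declared)),
              "stale_state": sorted(set(declared) - set(actual)),
              "drifted": {}}
    for name in sorted(set(declared) & set(actual)):
        diffs = [k for k in TRACKED if declared[name][k] != actual[name][k]]
        if diffs:
            report["drifted"][name] = diffs
    return report


def _trust(principal):
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": principal, "Action": "sts:AssumeRole"}]}


def _state_role(name, principal):
    return {"mode": "managed", "type": "aws_iam_role", "name": name, "instances": [
        {"attributes": {"name": name, "max_session_duration": 3600,
                        "assume_role_policy": json.dumps(_trust(principal))}}]}


# Constructed terraform.tfstate excerpt (version 4); hypothetical role names.
SAMPLE_STATE = {"version": 4, "resources": [
    _state_role("app", {"Service": "ec2.amazonaws.com"}),
    _state_role("ci", {"Service": "codebuild.amazonaws.com"}),
    _state_role("retired", {"Service": "lambda.amazonaws.com"}),
    {"mode": "data", "type": "aws_iam_role", "name": "lookup",   # referenced, not managed
     "instances": [{"attributes": {"name": "break-glass"}}]},
]}

# Constructed live listing: "ci" had its trust policy and session length widened by
# hand, "break-glass" was created in the console, and "retired" was deleted.
SAMPLE_LIVE = [
    {"RoleName": "app", "MaxSessionDuration": 3600,
     "AssumeRolePolicyDocument": _trust({"Service": "ec2.amazonaws.com"})},
    {"RoleName": "ci", "MaxSessionDuration": 43200,
     "AssumeRolePolicyDocument": _trust({"AWS": "*"})},
    {"RoleName": "break-glass", "MaxSessionDuration": 3600,
     "AssumeRolePolicyDocument": _trust({"Service": "ec2.amazonaws.com"})},
]

if __name__ == "__main__":
    print(json.dumps(reconcile(SAMPLE_STATE, SAMPLE_LIVE), indent=2))
```

Each bucket maps to a different owner action: an unmanaged role needs an import and a pull request, a stale entry means state no longer describes reality and must be refreshed before it is trusted for recovery, and a drifted role is the case where a `terraform plan` would quietly revert a hand-made change, which is exactly the finding that should be routed to someone with timely ownership.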
