TL;DR: Terraform and OpenTofu are functionally similar IaC tools, but neither is a secrets manager, so provisioning workflows still depend on external controls for rotation, certificates, and repository hygiene, according to Infisical. The real governance issue is that infrastructure automation can scale secret distribution faster than teams can govern secret lifecycle and exposure windows.
NHIMG editorial — based on content published by Infisical: Terraform vs. OpenTofu: A Comprehensive Comparison
Questions worth separating out
Q: How should security teams govern machine identities used by IaC tools?
A: Treat every provider credential, token, and certificate as a non-human identity with an owner, a scope, and a revocation path.
Q: Why do Terraform and OpenTofu still create secrets risk if the infrastructure model is declarative?
A: Declarative infrastructure defines what should exist, not how secrets are stored or protected.
Q: What do teams get wrong about secret management in infrastructure pipelines?
A: They often assume the provisioning tool is also the security control.
Practitioner guidance
- Separate provisioning from secrets custody Keep IaC repositories free of long-lived credentials and route secret material through a dedicated secrets platform that can rotate and audit usage independently of deployment code.
- Inventory machine identities used by IaC pipelines Map every provider credential, token, and certificate used by Terraform or OpenTofu into an NHI register, including ownership, scope, and revocation path.
- Limit deployment credentials to narrow resource scopes Scope provider access to the smallest viable set of cloud accounts, subscriptions, and namespaces so compromise of one automation path does not expose the whole platform.
What's in the full article
Infisical's full blog post covers the operational detail this post intentionally leaves for the source:
- Side-by-side configuration examples for Terraform and OpenTofu provider setup.
- The article's licensing history and fork timeline in more detail, including the Business Source License shift.
- Practical notes on how Infisical integrates as a secrets platform alongside provisioning workflows.
- Examples of certificate and secret management features that sit outside IaC itself.
👉 Read Infisical's comparison of Terraform and OpenTofu for secrets-driven infrastructure →
Terraform vs OpenTofu: what it means for secrets governance?
Explore further
IaC standardisation does not equal identity standardisation: Terraform and OpenTofu can normalise how infrastructure is created, but they do not normalise how secrets and machine identities are governed. That distinction matters because the provisioning layer often gets modernised faster than the access layer. The implication is that platform teams still need a separate identity control plane for the non-human credentials that drive deployment.
A few things that frame the scale:
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- That same survey found 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
A question worth separating out:
Q: How can organisations reduce the blast radius of deployment automation?
A: Reduce the permissions attached to each machine identity, separate environments, and avoid shared credentials across projects or teams. The goal is to ensure one compromised pipeline cannot touch unrelated systems. Lifecycle reviews should verify that no deployment credential has broader access than it truly needs.
👉 Read our full editorial: Terraform and OpenTofu expose the same secrets governance gap