Because Terraform can make change repeatable, but it cannot force good operating discipline. If teams bypass cleanup, override modules, or leave non-production resources running, the bill grows quietly even when the code is valid. Overspend usually reflects weak lifecycle governance, not a tooling failure.
Why This Matters for Security Teams
Terraform can codify infrastructure, but it does not enforce whether resources should still exist, who owns them, or when they should be removed. That is why overspend persists in environments that look “managed” on paper. The real failure is lifecycle governance: skipped deprovisioning, temporary environments left alive, and exceptions that become permanent.
For security and platform teams, the cost problem is usually a control problem. If identity, secrets, and access are not tied to an explicit end state, cloud resources keep consuming budget long after their business purpose ends. That is especially visible in NHI-heavy environments, where service accounts, API keys, and automation tokens can continue to authorize usage even after the original workload has changed. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and Top 10 NHI Issues show how often weak lifecycle discipline shows up as a security issue first and a finance issue second. The NIST Cybersecurity Framework 2.0 is clear that governance and asset management are foundational, not optional add-ons.
In practice, many teams discover the overspend only after the resource bill has already climbed for weeks, rather than through intentional lifecycle controls.
How It Works in Practice
Terraform reduces configuration drift, but it does not solve operational drift. A team can still apply modules correctly while leaving behind development clusters, orphaned databases, oversized instances, or duplicate test stacks. When budgets creep upward, the usual pattern is not a broken plan file. It is a missing control loop around creation, ownership, and teardown.
The practical fix is to treat infrastructure as a lifecycle-managed asset, not a one-time deployment artifact. That means every resource should have an owner, expiry condition, and deletion path. In mature environments, policy and cost controls are paired with Terraform so they evaluate intent before provisioning and validate outcomes after deployment. Current guidance suggests using policy-as-code gates, tagging enforcement, scheduled cleanup, and approval workflows for exceptions. For NHI-dependent automation, the same discipline should apply to secrets and credentials. If a workspace or pipeline retains long-lived tokens, it can keep spending even after the workload is no longer needed. NHIMG’s NHI Lifecycle Management Guide and Ultimate Guide to NHIs — Regulatory and Audit Perspectives are useful references for translating that lifecycle thinking into control expectations.
- Define ownership and business purpose for every workspace, account, and environment.
- Use TTLs or expiry rules for temporary environments and review them automatically.
- Reconcile Terraform state with cloud inventory to find orphaned resources.
- Rotate or revoke credentials tied to abandoned stacks so automation cannot keep spending.
- Require exception expiry dates so “temporary” cost overruns do not become permanent.
Where this guidance breaks down is in large multi-account environments with shadow IT, because resources created outside Terraform can bypass state reconciliation and remain billed indefinitely.
Common Variations and Edge Cases
Tighter lifecycle controls often increase operational overhead, requiring organisations to balance faster delivery against stricter cleanup discipline. That tradeoff is real in environments with frequent experimentation, especially when product teams need rapid access to sandboxes or short-lived proof-of-concept stacks.
Some overspend is intentional and should be treated as a managed exception, not a defect. For example, pre-provisioned capacity for resilience, reserved test data stores, or always-on observability tooling may be justified if they are explicitly approved and regularly reviewed. The problem is that many teams do not distinguish approved baseline spend from forgotten waste. Best practice is evolving toward automated expiry, cost anomaly detection, and ownership attestations, but there is no universal standard for this yet.
Another common edge case is shared infrastructure. Central platform teams may own clusters while app teams drive usage, which makes cleanup accountability ambiguous. In those cases, the control needs to follow the workload and not just the subscription. The same is true for CI/CD and ephemeral preview environments: if the pipeline can create resources in minutes, it also needs to delete them with the same reliability. The Salesloft OAuth token breach is a reminder that unattended credentials and drift are often linked, because forgotten access keeps both risk and spend alive.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-1 | Asset inventory helps spot orphaned cloud resources driving overspend. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential lifecycle gaps often let abandoned automation keep spending. |
| CSA MAESTRO | GOV-01 | Governance is needed to bind provisioning to ownership, expiry, and teardown. |
Track all cloud assets and reconcile them routinely so idle resources are identified and removed.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
