Survey Surfaces Rise in IT Incidents Attributable to AI Coding Tools

A survey of 406 IT decision makers at organizations with more than 250 employees in North America finds 93% have experienced at least one infrastructure incident caused by reliance on artificial intelligence (AI) tooling.

Conducted by Panterra Group on behalf of Spacelift, a provider of a platform for automating the management of infrastructure-as-code (IaC), the survey also finds 86% reporting that AI has increased demands on infrastructure teams: security vulnerabilities appear faster (40%), governance becomes harder (40%), change rates increase (37%), pipelines come under more strain (35%) and infrastructure drift grows (35%).

In general, more than two-thirds (67%) of respondents note application development is ahead of infrastructure in terms of AI adoption, the survey finds.

Nevertheless, 86% said they are confident in their organization’s ability to govern AI, even though only 30% currently have a formal AI governance policy in place.

More troubling still, only 15% track the volume of AI-generated IaC moving through pipelines, while just 20% track error rates of AI-generated changes.

Dimitri Vlachos, chief marketing officer for Spacelift, said the survey makes it apparent that AI is having a significant impact on DevOps teams as more code of uncertain quality is used to provision IT infrastructure.

In fact, one-third (33%) of infrastructure teams say they would apply AI-generated HashiCorp Configuration Language (HCL) code directly to production without any review, while an additional 43% only conduct a minimal review. That overreliance on AI coding becomes problematic because the tools being used often lack critical context about the runtime environment, resulting in flawed code either creating a vulnerability or simply not running at all, noted Vlachos.

In the absence of any meaningful code review, it’s not surprising that more organizations are encountering security issues that typically arise when cloud services are misconfigured, noted Vlachos. IaC is not much different than any other type of AI-generated code that DevOps teams are already struggling to effectively review, he added. Too many DevOps teams are relying on vibe coding tools to generate scripts that are all too often employed without a human scanning them for vulnerabilities and other weaknesses, said Vlachos.

The challenge is that, without any ability to apply governance policies, much of that code is going to create a vulnerability that malicious actors will, with help from AI, be able to discover and exploit in a few hours, he added.

Overall, Spacelift segments survey respondents into four categories based on their AI maturity level using IaC tools. Pioneers account for 19% of the total, followed by Outpacing (25%), Fragmented (32%) and Exposed (24%). Pioneer organizations vibe-code IaC at a higher rate than Exposed ones (86% versus 69%), but they do it inside governed pipelines with automated validation and policy enforcement.

It may be a while yet before governance policies catch up with the rate at which AI tools are generating code, but the one thing that is certain is that as the amount of code moving through DevOps pipelines increases, so too does the probability there will be more incidents than ever that software engineers will need to investigate.
