The Right Kind of AI for Infrastructure as Code
Ian Amit examines how teams can leverage AI to move beyond alert management toward automated, standards-aligned remediation in infrastructure as code and cloud security contexts.
By Ian Amit
AI is rapidly permeating cloud security, with many tools claiming to be “AI-powered,” and copilots or chatbots offering to interpret a flood of alerts. However, as Ian Amit argues, real value lies not in understanding the problem but in reliably resolving it. For most platform teams, the true bottleneck is remediation—resolving security findings as fast as they arise in fast-changing cloud environments.
Where AI Fits in Infrastructure Security
There’s a spectrum of approaches to integrating AI into infrastructure security:
- Automation tools such as scripts, rules, policy-as-code, and guardrails catch misconfigurations, but the fix itself still needs manual oversight and intervention.
- AI copilots (based on large language models) assist with summarization, code generation (“vibe coding”), and explanations, but often fail to produce actionable or production-ready fixes and may introduce new security gaps.
- Agentic AI systems do lightweight remediation tasks—such as isolating a resource or updating tags—but lack context for safe, scalable actions.
- Fix engines are built to apply trusted, standards-aligned solutions (such as generating merge-ready pull requests) that engineers can review and deploy with confidence, closing the loop between detection and resolution.
AI’s Limitations in Infrastructure Contexts
Most current AI tooling in IaC security falls short because it:
- Lacks awareness of architectural intent, so a fix that satisfies a rule in isolation can break downstream resources that depend on the changed configuration.
- Often ignores compliance frameworks such as CIS Benchmarks or NIST controls, so the "fix" is not the one an auditor expects.
- Produces outputs that may contain hallucinations or insecure fixes, which increases rather than reduces the manual burden on engineering teams.
- Lacks determinism and traceability: the same finding can yield a different fix on each run, with no record of which policy justified it, so the work is shifted rather than streamlined.
What Makes Effective AI in Cloud Security
The ideal AI system for cloud security and IaC should:
- Integrate smoothly into existing pipelines without disrupting workflows.
- Be context-aware, grasping both code syntax and the resource relationships within infrastructure.
- Apply policy and compliance standards (e.g., CIS, NIST) directly and generate fixes that can withstand audits.
- Deliver merge-ready, reviewable pull requests instead of just dashboard suggestions.
- Offer transparency, explaining changes and mapping them to organizational policy.
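The properties above (policy-driven, deterministic, traceable, merge-ready) are easier to judge with something concrete. The following is an added example written for this page; it is not code from the article, from the author, or from any product the article describes. It is a minimal fix engine for one Terraform misconfiguration: an `aws_security_group` ingress rule that exposes an administrative port to `0.0.0.0/0`. The HCL input, the policy entry `ORG-NET-001`, the framework mapping text and the approved CIDR `10.0.0.0/8` are all constructed for illustration and should be replaced by your own policy catalogue. The engine rewrites only the offending block, emits a unified diff and a policy-mapped explanation suitable for a pull request description, and hashes the result so the same finding always produces the same, verifiable patch.

```python
"""Added example: a deterministic, policy-mapped Terraform fix.
Not from the article or any vendor product. Policy id, framework text,
approved CIDR and the sample HCL below are constructed placeholders."""
import difflib
import hashlib
import re
from dataclasses import dataclass

# Constructed Terraform input (not from the article): SSH open to the world,
# plus an HTTPS rule that is open to the world but not an admin port.
SAMPLE_TF = """\
resource "aws_security_group" "bastion" {
  name = "bastion"

  ingress {
    description = "ssh"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "https"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
"""

# Hypothetical organisational policy entry. The framework reference is an
# assumption; map it to your own CIS/NIST control identifiers.
POLICY = {
    "id": "ORG-NET-001",
    "title": "No administrative ports open to 0.0.0.0/0",
    "framework": "CIS AWS Foundations (remote administration ports)",
    "admin_ports": {22, 3389},
    "approved_cidr": "10.0.0.0/8",  # assumed corporate admin range
}

# Matches one ingress { ... } block; lazy body stops at the first line that is
# only whitespace followed by a closing brace.
INGRESS_RE = re.compile(r"ingress\s*\{(?P<body>.*?)\n\s*\}", re.S)


@dataclass(frozen=True)
class Finding:
    block_index: int
    from_port: int
    to_port: int
    policy_id: str


def find_violations(tf_text):
    """Return every ingress block whose port range covers an admin port and
    whose cidr_blocks include 0.0.0.0/0. Ordered by position, so repeatable."""
    findings = []
    for i, m in enumerate(INGRESS_RE.finditer(tf_text)):
        body = m.group("body")
        fp = re.search(r"from_port\s*=\s*(\d+)", body)
        tp = re.search(r"to_port\s*=\s*(\d+)", body)
        if not (fp and tp):
            continue
        lo, hi = int(fp.group(1)), int(tp.group(1))
        open_world = '"0.0.0.0/0"' in body
        if open_world and any(lo <= p <= hi for p in POLICY["admin_ports"]):
            findings.append(Finding(i, lo, hi, POLICY["id"]))
    return findings


def apply_fix(tf_text, findings):
    """Rewrite only the offending ingress blocks; every other byte is kept
    identical so the resulting diff is small and reviewable."""
    bad = {f.block_index for f in findings}
    out, last = [], 0
    for i, m in enumerate(INGRESS_RE.finditer(tf_text)):
        out.append(tf_text[last:m.start()])
        chunk = m.group(0)
        if i in bad:
            chunk = chunk.replace('"0.0.0.0/0"', f'"{POLICY["approved_cidr"]}"')
        out.append(chunk)
        last = m.end()
    out.append(tf_text[last:])
    return "".join(out)


def remediation_pr(tf_text, path="main.tf"):
    """Build what a fix engine attaches to a pull request: the patch, a
    policy-mapped explanation per finding, and a content hash for audit."""
    findings = find_violations(tf_text)
    fixed = apply_fix(tf_text, findings)
    diff = "".join(difflib.unified_diff(
        tf_text.splitlines(True), fixed.splitlines(True),
        fromfile=f"a/{path}", tofile=f"b/{path}"))
    explanation = [
        f"{POLICY['id']} ({POLICY['framework']}): ingress block #{f.block_index} "
        f"allows tcp {f.from_port}-{f.to_port} from 0.0.0.0/0; "
        f"restricted to {POLICY['approved_cidr']}"
        for f in findings
    ]
    return {"findings": findings, "fixed": fixed, "diff": diff,
            "explanation": explanation,
            "fingerprint": hashlib.sha256(fixed.encode()).hexdigest()}


if __name__ == "__main__":
    pr = remediation_pr(SAMPLE_TF)
    print(pr["diff"])
    print("\n".join(pr["explanation"]))
```

Two design choices carry the article's point. First, the engine only touches the block that violates the named policy; the HTTPS rule is left alone, because "open to the world" is not itself the control being enforced, and a fix that tightened everything would be the kind of context-blind change that breaks downstream resources. Second, the fingerprint and the per-finding policy line give a reviewer and an auditor the same two facts: which rule justified the change, and that re-running the engine on the same input yields the same patch. A real engine would replace the regex with a proper HCL parser and take the approved CIDR from a variable rather than a literal, but the shape of the output (diff plus policy mapping plus reproducibility) is what distinguishes a fix engine from a copilot suggestion.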
Closing the Remediation Gap
Current security tools excel at surfacing issues—alerting to misconfigurations, risks, and policy violations. However, this often leaves engineering teams mired in alerts and manual ticket resolution.
AI’s greatest benefit arrives when it acts directly in the development workflow to automate well-scoped remediation: taking action where code is reviewed, tested, and shipped—automatically, safely, and in a way that remains reviewable.
What Matters Most: Security That Ships
The complexity of an AI model, or its ability to explain issues, is secondary to whether it can help resolve them efficiently and safely. Effective AI empowers engineers to ship secure code faster, integrating with proven practices and automating wherever possible without sacrificing control or visibility.
For further reading: Sonar Surfaces Multiple Caveats When Relying on LLMs to Write Code
This post appeared first on “DevOps Blog”.