What would disprove this analysis? (Criterion 1)

Organizations using IaC maintain zero drift between declared and actual infrastructure state over 12 months

What would disprove this analysis? (Criterion 2)

Manual changes during incidents are consistently back-ported to IaC within 24 hours

What would disprove this analysis? (Criterion 3)

IaC state files accurately represent production infrastructure at all times without drift detection tooling

When should you avoid infrastructure as code drift?

Your team doesn't have the discipline to back-port every manual change to IaC. You don't have automated drift detection running continuously

What are alternatives?

GitOps with drift detection: Continuous reconciliation between declared state and actual state — auto-corrects drift. Immutable infrastructure: Never modify — destroy and recreate. Eliminates drift by design.. Platform engineering abstraction: Internal platform handles IaC complexity — developers interact with simpler abstractions

Catalog

T022

Technology

Infrastructure as Code Drift

MEDIUM(78%)

February 2026

4 sources

Context

Teams adopt Infrastructure as Code (Terraform, Pulumi, CloudFormation) to make infrastructure reproducible, version-controlled, and auditable. The initial setup is clean. Then someone makes a manual change in the console during an incident. Then another. Then a new service gets provisioned outside IaC because it was 'just a quick test.' Drift accumulates. The IaC state file says one thing, reality says another. The reproducible infrastructure is no longer reproducible, and nobody knows which version is correct.

Hypothesis

What people believe

“Infrastructure as Code ensures reproducible, auditable infrastructure that matches the declared state.”

Actual Chain

→

Manual changes during incidents create drift(60-70% of organizations report IaC drift)

└

Incident response requires speed — IaC is too slow in emergencies

└

Console changes made during incidents never get back-ported to IaC

└

Each manual change makes the next one more likely — drift normalizes

→

State file becomes source of truth that isn't true(State file diverges from actual infrastructure)

└

terraform plan shows changes that would break production if applied

└

Teams afraid to run terraform apply because they don't trust the state

└

State file corruption or loss can be catastrophic — no way to reconcile

→

IaC complexity grows faster than team expertise(Terraform codebases become as complex as application code)

└

Modules, workspaces, providers, and state management require deep expertise

└

Debugging IaC failures requires understanding both the tool and the cloud provider

└

Blast radius of IaC mistakes can be enormous — one bad apply destroys production

→

Reproducibility promise breaks down(Can't reliably recreate infrastructure from code alone)

└

Disaster recovery plans that depend on IaC fail when drift exists

└

New environments don't match production because of undocumented manual changes

Impact

Metric	Before	After	Delta
Organizations experiencing IaC drift	Expected 0%	60-70%	Majority
Manual console changes per month	Expected 0	5-20 per team	Regular occurrence
Confidence in terraform apply	High	Low (fear of breaking production)	Inverted
Time to provision new environment	Minutes (IaC promise)	Days (drift + manual fixes)	+1000%

Navigation

Don't If

•Your team doesn't have the discipline to back-port every manual change to IaC
•You don't have automated drift detection running continuously

If You Must

1.Run automated drift detection daily — alert on any divergence immediately
2.Establish a 'no manual changes' policy with exceptions requiring documented back-port within 24 hours
3.Use policy-as-code (OPA, Sentinel) to prevent manual changes that bypass IaC
4.Keep state files in remote backends with locking and versioning

Alternatives

GitOps with drift detection — Continuous reconciliation between declared state and actual state — auto-corrects drift
Immutable infrastructure — Never modify — destroy and recreate. Eliminates drift by design.
Platform engineering abstraction — Internal platform handles IaC complexity — developers interact with simpler abstractions

Falsifiability

This analysis is wrong if:

Organizations using IaC maintain zero drift between declared and actual infrastructure state over 12 months
Manual changes during incidents are consistently back-ported to IaC within 24 hours
IaC state files accurately represent production infrastructure at all times without drift detection tooling

Sources

1.
HashiCorp State of Cloud Strategy Survey
Survey showing majority of organizations experience infrastructure drift despite IaC adoption
2.
Spacelift: State of Infrastructure as Code
Analysis of IaC challenges including drift, state management, and complexity growth
3.
Gruntwork: Terraform Best Practices
Practitioner guide addressing drift prevention and state management challenges
4.
CNCF: GitOps Principles
GitOps framework that addresses drift through continuous reconciliation

T005 T001 I001