COMMENTARY: Every cloud leader I speak with today has made security a top priority. But when I ask what metrics they’re using to measure security posture, the answers get hazy:

Compliance scores. CVE dashboards. Tool-specific coverage stats.

These are all common answers, and they’re important. But they’re also diffuse: Some metrics live with cloud teams, some fall to security teams. There’s no single, unifying view that gives the team a sense of overall maximum potential risk.

Lately, I’ve started arguing for a new metric in these conversations. One I’m increasingly convinced will become foundational for security, and almost no one talks about it: Infrastructure as Code (IaC) coverage.

IaC has been the gold standard for scaling cloud delivery for years: It brings consistency, automation, and speed.

But even within some of the most advanced cloud teams, only a fraction of infrastructure actually gets managed in code. The rest lives in consoles, scripts, and tribal knowledge; in other words, “unmanaged resources.” Even teams that think they have high IaC coverage usually find they have lots of unmanaged resources when they do the analysis. And that’s the gap where security risks live.

So, while we often view IaC coverage as a DevOps concern, it’s now time for security leaders also to value it. Because unmanaged infrastructure isn’t just a cloud team problem—it’s a threat surface blind spot. That makes coverage not just something to monitor, but something to proactively own.

Low IaC coverage = high risk

That’s why IaC coverage has become a security metric.

Most conversations about coverage focus on operational consistency and disaster recovery. That makes sense: A high coverage percentage means fewer manual changes, faster remediation, and recoverable infra. But, it turns out, in addition to all those benefits:

Teams can also use IaC coverage as a metric for forecasting security.

In initial assessments across large-scale environments, we consistently find unmanaged resources carry twice the security risk of those governed by IaC. What’s more, cloud teams overestimate their actual coverage by one-third or more.

All this means most orgs underestimate security risk. Here are four reasons why:

Little or no proactive validation: Unmanaged resources bypass CI/CD guardrails. There’s no static analysis, no policy-as-code, no preventative controls. Risks slip through unnoticed.

Slow, riskier remediation: Fixing a misconfiguration manually takes time and is riddled with errors. Without code ownership, accountability gets fuzzy and remediation cycles drag.

Lack of reusable security: If it’s not in code, it’s not in the team’s modules. That means no reusable guardrails, no consistent patterns, and no built-in policy enforcement.

Security gaps compound over time: As the team’s Terraform evolves and modules get updated, unmanaged resources don’t. They get left behind, further misaligned with the latest best practices and exposing drift and compliance gaps.

That’s why IaC coverage isn’t just a hygiene metric—it’s a forward-looking indicator of risk.

So, how do we make it actionable for cloud and security teams?

Normally, security teams find the risk, and cloud teams get the ticket. And then? It sits. Or bounces. Or escalates. Not because security isn’t important, but because they have different priorities… the very definition of organizational friction.

IaC coverage gives both sides a metric they can act on. Security teams see what’s governed and where blind spots exist. Cloud teams know exactly what to fix.

The result IaC promises? Faster action, fewer dropped handoffs, and better outcomes across the board.

Think of IaC coverage as the missing link between DevOps and Security. It translates complexity into action. And it turns finger-pointing into shared responsibility.

If we want to improve security outcomes, we need to make coverage actionable—for both cloud and security teams. Here’s how to operationalize it:

Audit the team’s existing IaC coverage: Most orgs don’t know how much of their cloud is managed by code. Find out.

Put coverage on all dashboards: Track it alongside vulnerability and compliance data. Use it to guide remediation and investment.

Treat unmanaged resources as unmonitored risk: If a resource isn’t governed by code, the team’s security tooling likely can’t see it, scan it, or enforce policy on it. Include IaC coverage in posture reviews and remediation plans.

Close the gap: Move fast to bring unmanaged resources under code. The tooling exists. The benefits compound.

Shift the conversation: If the organization wants to unify cloud and security teams, give them a shared KPI. IaC coverage is measurable, actionable, and promises to improve everything it touches—especially security.
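As an added example (not from the column), here is one way to produce the number the first step asks for: compare the identifiers of managed resources recorded in a Terraform state file against an inventory of what actually exists in the account, and report the unmanaged remainder by type so it can sit on a dashboard next to vulnerability and compliance data. The state snippet and the inventory below are constructed; in practice the inventory comes from the provider's API or an asset export, and the identifier to join on varies by resource type.

```python
import json

# Constructed Terraform state (the shape of a version 4 state file):
# each managed resource carries the cloud identifier of its instances.
TF_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
         "instances": [{"attributes": {"arn": "arn:aws:s3:::example-logs"}}]},
        {"mode": "managed", "type": "aws_security_group", "name": "web",
         "instances": [{"attributes": {
             "arn": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0aaa"}}]},
        # Data sources only read state; they do not govern anything.
        {"mode": "data", "type": "aws_caller_identity", "name": "me",
         "instances": [{"attributes": {"arn": "arn:aws:iam::123456789012:user/ci"}}]},
    ],
})

# Constructed live inventory (ARN -> resource type), e.g. from an asset export.
INVENTORY = {
    "arn:aws:s3:::example-logs": "aws_s3_bucket",
    "arn:aws:s3:::example-scratch": "aws_s3_bucket",
    "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0aaa": "aws_security_group",
    "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0bbb": "aws_security_group",
}

def managed_arns(state_json: str) -> set[str]:
    """Return the ARNs of managed (not data-source) resources in a state file."""
    state = json.loads(state_json)
    arns = set()
    for res in state.get("resources", []):
        if res.get("mode") != "managed":
            continue
        for inst in res.get("instances", []):
            arn = inst.get("attributes", {}).get("arn")
            if arn:
                arns.add(arn)
    return arns

def coverage_report(state_json: str, inventory: dict[str, str]) -> dict:
    """Coverage = live resources governed by code / all live resources.
    Intersecting with the inventory drops stale state entries for resources
    that no longer exist, so they do not inflate the number."""
    managed = managed_arns(state_json) & set(inventory)
    unmanaged = {a: t for a, t in inventory.items() if a not in managed}
    pct = 100.0 * len(managed) / len(inventory) if inventory else 0.0
    by_type: dict[str, int] = {}
    for rtype in unmanaged.values():
        by_type[rtype] = by_type.get(rtype, 0) + 1
    return {"coverage_pct": round(pct, 1), "managed": len(managed),
            "unmanaged": sorted(unmanaged), "unmanaged_by_type": by_type}

if __name__ == "__main__":
    print(json.dumps(coverage_report(TF_STATE, INVENTORY), indent=2))
```

Run against real inputs, this is the figure the column argues should be tracked over time; the per-type breakdown shows where to start closing the gap.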

Infrastructure used to be plumbing. Today, it’s the foundation for everything a business needs to move fast and stay secure. And while it may now be cliché to mention AI: yes, AI means more teams will need more infrastructure faster, which will only make secure delivery harder.

Here’s the point: IaC coverage isn’t just an engineering best practice. It’s the only security metric that tells us whether our infrastructure was delivered right in the first place.

And it belongs on our dashboard.

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.