The 6 % Club: Why Most Teams Fail at Full IaC

89% of engineering teams claim to use Infrastructure as Code (IaC). But only 6% actually manage 100% of their infrastructure in code.

That gap should make every DevOps, platform, and cloud security leader pause. It means the vast majority of companies are operating in “partial IaC” mode: some resources defined in Terraform or Pulumi, others still living as unmanaged cloud resources.

The consequences? Configuration drift, hidden security risks, and blind spots that only surface when an outage, audit, or breach forces attention.

IaC adoption is high in theory, but low in practice. And until more teams close the gap, partial IaC remains one of the biggest unspoken risks in cloud operations today.

Partial IaC: Why Most Teams Stop Halfway

Adoption usually begins with the easy parts:

• Compute resources? Codified.
• Some networking? Codified.

But what about:

• IAM roles and policies?
• Storage buckets?
• Legacy stacks from a few CTOs ago or some acquisitions?
• SaaS configurations scattered across tools?

These are almost always left unmanaged. And as multi-cloud becomes the norm (68% of companies), this problem multiplies. Each console tweak bypasses Git. Each untracked resource adds risk.

The result is “source of truth” isn’t truth at all.

The Hidden Cost of Partial IaC

Leaving parts of your infrastructure outside code is more than untidy, it’s dangerous:

• Security blind spots → Untracked IAM roles or orphaned services become backdoors.
• Audit failures → If it’s not in code, you can’t prove compliance.
• Slow recovery → Outages take longer when infra can’t be rebuilt from Git.
• Operational debt → Console fixes accumulate until teams don’t trust their own state.

The gap between 89% adoption and 6% full coverage is the difference between thinking you’re safe and actually being safe.

Two Levers to Achieve Full IaC

The data and what we see in the field shows that the few who break into the 6% club focus on two levers.

1. Importing Legacy Infrastructure Into Code

Legacy resources are the biggest blocker to full codification. These are often ignored because they’re messy, business-critical, or “too hard to touch.” But unmanaged resources don’t age well - they become invisible risks.

Steps to import legacy infra:

1. Discovery – Map what exists vs. what’s in Terraform/Pulumi.
2. Import – Use terraform import, wrappers, or products like Cloudgeni to bring unmanaged resources into state.
3. Refactor – Modularize, apply naming standards, and commit to version control.

This isn’t just about compliance. If it’s not in code, it’s outside your safety net. You can’t review it. You can’t test it. You can’t reliably rebuild it.

2. Automated Drift Detection and Remediation

Even when everything is in code, drift is inevitable. Someone will change a setting in the console. Automation will provision outside your IaC.

The leaders handle drift as a closed loop process:

• Continuous drift scans (Terraform plan, driftctl, or vendor tooling).
• Auto-generated pull requests to reconcile live infra with code.
• Policy-as-code gates to block unauthorized changes from ever reaching production.

This enforces a single source of truth in Git, with every change whether a new feature or a hotfix going through the same review and approval pipeline.

Cloudgeni’s Codification Loop

At Cloudgeni, we see codification not as a one-time project, but as a continuous codification loop:

• Discover everything – Unmanaged resources, SaaS configs, and short-lived workloads.
• Import automatically – Pull them under Terraform without disrupting live services.
• Restructure intelligently – Match your existing modules, naming standards, and policies.
• Enforce in CI/CD – Block non-IaC changes and validate every PR against source of truth.
• Auto-remediate drift – AI-generated pull requests restore compliance in minutes.

This loop ensures infrastructure doesn’t just start codified - it stays codified.

Why Full IaC Matters Now

Partial IaC is today’s default—but it’s also a risk multiplier hidden from most dashboards.

Teams that reach full IaC:

• Deploy faster, because every change is automated.
• Audit easier, because evidence lives in Git.
• Recover faster, because infra can be rebuilt from scratch.
• Reduce attack surface, because every configuration is peer-reviewed.

Meanwhile, teams stuck in partial IaC? They’re one misstep away from the breach headline no one wants to write.

How to Start Moving Toward Full IaC

Don’t aim for perfection on day one. Instead:

1. Pick one environment.
2. Run discovery.
3. Import unmanaged resources.
4. Set up drift detection.
5. Expand iteratively.

Every step compounds. Each resource brought under code is one less liability.

Code Is Control

Infrastructure-as-Code was never about neatness—it’s about control, security, and resilience.

If you’re still living in partial IaC, the most dangerous strategy is to wait until an incident forces your hand.