Companies are not looking before they're leaping into the AI playpen

AI vendors have been pushing organizations to board the AI hype train as it races by at full speed. But many of the companies doing so, unable to move quite that fast, have stumbled along the way. According to a survey of 406 IT decision makers, 93 percent of organizations have experienced AI-caused infrastructure incidents, but a mere 19 percent had the necessary governance to respond. The survey, conducted in April by Panterra Group at the behest of Spacelift, forms the basis of the orchestration platform's 2026 State of Infrastructure Automation report [PDF]. It posits an "AI Readiness Gap," meaning that companies are adopting AI before they're ready to do so and are paying the price. "The findings are unambiguous: organizations are using AI to generate infrastructure code at a rate their governance frameworks were never designed to handle,” said Paweł Hytry, co-founder and CEO of Spacelift, in a statement. The consequences of these incidents, respondents say, consist of reworking AI-generated changes (37 percent), security misconfigurations that reached production (36 percent), compliance violations (36 percent), infrastructure drift attributable to AI changes (35 percent), and incidents caused by agentic systems (33 percent). The report characterizes 24 percent of organizations as "exposed." "Exposed organizations are using AI, but without the governance or frameworks to support it safely," the report says. "What they are doing diverges significantly from what they have in place to manage it." And then there are the "fragmented" entities, 32 percent of respondents, that use AI sometimes, unevenly, and have some governance, but no coherent plan. The two remaining categories, "outpacing" and "pioneer," at 25 percent and 19 percent respectively, describe heavy AI adoption that's ahead of business controls, and AI use in conjunction with structural discipline, respectively. In terms of AI-caused infrastructure incidents, 97 percent of "exposed" organizations reported at least one such snafu. Meanwhile, among "pioneer" entities, 17 percent said they had no AI-related infrastructure incidents. Spacelift, an infrastructure-as-code (IaC) platform, contends that automated validation accounts for the difference here because it outperforms manual code review. Across the board, respondents report greater use of AI for generating code – 82 percent say between 25 percent and 74 percent of their code was created with help from AI. This has a downstream effect on the infrastructure teams that deploy said code: 40 percent of respondents say security vulnerabilities are showing up more frequently, 40 percent say governance has become more challenging, 37 percent cited higher change volume, 35 percent see strains on the development pipeline, and 35 percent report infrastructure drift. Spacelift's report calls out the cognitive dissonance – a blameless formulation of "self-delusion" – among organizations adopting AI: 86 percent say they can govern it, while only 30 percent actually have a formal AI governance policy in place. The report advises organizations to start paying attention to AI-oriented metrics that few organizations bother to track, specifically the volume of AI-generated IaC in deployment pipelines, error rates due to AI-generated changes, and infrastructure drift attributable to AI changes. It also stumps for greater automation through IaC, for building governance to cover that automation, getting AI-generated code into governed IaC orchestration workflows, and planning for the governance of AI agents. ®