Can AI Effectively Approve Production Infra Changes?
One of the biggest bottlenecks in IaC at scale is plan review.
Hey folks,
One of the biggest bottlenecks in IaC at scale? Plan review.
You know the story. Someone pushes a change, a plan gets generated, and then... it sits there. Waiting for a human to eyeball it and say "yeah, that looks safe to apply."
For your lower environments (dev/qa/UAT)? Hell yeah, auto-apply away.
But for production databases, networking, IAM, all the critical stuff? Nobody wants to be the one who rubber-stamped a destroy on a production RDS instance. (A variant of FRD.) So these plans sit because reviewing them is tedious.
At Masterpoint, what we're starting to wonder is: “Is AI good enough to actually review infrastructure plans?”
I’m coming around to “yes”.
Not just "does this plan have a destroy action" -- that's boring.
I'm talking about contextual review. Understanding that dropping a security group rule while adding a new one is probably intentional. Flagging that a replacement (destroy, then create) of a stateful resource is almost certainly a bad day waiting to happen, so a human needs to be in the loop.
We're building a dream setup where an agent auto-approves the boring stuff (tag changes, scaling adjustments, new resources in dev/qa/UAT).
But the agent also flags genuinely risky changes for human-in-the-loop review with context on why they're risky. Things like:
force replace on databases
removing critical IAM policies
undoing drift that looks like it was put in at 1am last night due to a sev1 issue
This would turn plan review, which we've seen be a bottleneck pretty much everywhere, into a focused review of only the changes that actually matter. We already live with manual gates: Terraform itself won't apply without a confirmation unless you pass -auto-approve, and agent tools like Claude Code ask before running commands unless you turn that off. So this concept is a change in degree, not a change in kind.
We're just saying that the agent will look at the plan and, if it looks safe, the agent can say "Yes, apply". If it doesn't supply a "Yes", that plan will still wait around for a "Yes" from a human, which is the current state of affairs. The default stays fail-closed.
This doesn’t solve the entire problem of plan review, but the goal is to decrease the amount that an engineer needs to review by saying "The boring stuff will be approved by agent".
When I've discussed this, I often run into AI hesitancy. But AI plus infra is coming. I don't think there is anything we can do to stop that. The software industry as a whole won't see application engineers get 10x faster and then not expect a response from the SREs and platform engineers on our side of the house. The issues surrounding "AI gaslights, lies, and hallucinates" are challenges that will be overcome.
Guardrails around the agent can be applied by limiting the tools the agent has available to it. You don't want it modifying IaC code to try to get the plan into better shape! For this use case, we limit the agent to:
reading the code
reading the plan
sending notifications
sending an "Apply" action (when the plan is looking good)
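As an added example (not Masterpoint's code and not the model-driven review itself), here is the deterministic floor a practitioner would put under such an agent. It reads `terraform show -json tfplan` output, tags each resource change with the categories from the lists above (forced replacement of a stateful resource, removal of an IAM policy, reverting drift, tag or scaling-only updates, new resources in dev/qa/UAT), and exposes only read, notify and apply tools to the model; apply refuses and escalates with context whenever anything is flagged, no matter how confident the model was. The resource-type and attribute lists, the `_rc` helper and both sample plans are constructed assumptions, not real output.

```python
"""Deterministic guardrail under an AI plan-review agent (added example).

Reads `terraform show -json tfplan` output, classifies each resource change as
"boring" or "risky", and lets apply() fire only when the whole plan is boring.
Type and attribute lists below are assumed policy, not a complete one."""
import json
from dataclasses import dataclass

STATEFUL_TYPES = {"aws_db_instance", "aws_rds_cluster", "aws_dynamodb_table", "aws_ebs_volume"}
IAM_TYPES = {"aws_iam_policy", "aws_iam_role_policy", "aws_iam_role_policy_attachment"}
BORING_ATTRS = {"tags", "tags_all", "desired_capacity", "min_size", "max_size"}
LOWER_ENVS = {"dev", "qa", "uat"}


@dataclass
class Finding:
    address: str
    risk: str  # "boring" or "risky"
    reason: str


def changed_attrs(change):
    """Top-level attributes that differ before/after or are unknown until apply."""
    before, after = change.get("before") or {}, change.get("after") or {}
    unknown = change.get("after_unknown") or {}
    return {k for k in set(before) | set(after) | set(unknown)
            if before.get(k) != after.get(k) or unknown.get(k)}


def classify(rc, env, drifted):
    actions, rtype, addr = rc["change"]["actions"], rc["type"], rc["address"]
    if actions in (["no-op"], ["read"]):
        return None
    if addr in drifted and "update" in actions:  # plan undoes an out-of-band change
        return Finding(addr, "risky", "reverts drift; confirm it was not a deliberate hotfix")
    if set(actions) == {"delete", "create"} and rtype in STATEFUL_TYPES:
        return Finding(addr, "risky", f"forced replacement of stateful {rtype}")
    if "delete" in actions and rtype in IAM_TYPES:
        return Finding(addr, "risky", "removes an IAM policy or attachment")
    if actions == ["create"]:
        if env in LOWER_ENVS:
            return Finding(addr, "boring", f"new resource in {env}")
        return Finding(addr, "risky", f"new resource in {env} is not auto-approved")
    if actions == ["update"]:
        extra = changed_attrs(rc["change"]) - BORING_ATTRS
        if not extra:
            return Finding(addr, "boring", "only tag/scaling attributes change")
        return Finding(addr, "risky", f"non-trivial attributes change: {sorted(extra)}")
    return Finding(addr, "risky", f"unrecognised actions {actions}")  # fail closed


def review(plan, env):
    drifted = {rc["address"] for rc in plan.get("resource_drift", [])}
    return [f for rc in plan.get("resource_changes", [])
            if (f := classify(rc, env, drifted)) is not None]


class AgentTools:
    """The only tools exposed to the model: read the plan, notify, apply.
    Nothing here can edit code, so the agent cannot rewrite the plan into shape."""
    def __init__(self, plan_json, env):
        self.plan, self.env = json.loads(plan_json), env
        self.findings = review(self.plan, env)
        self.notifications, self.applied = [], False

    def read_plan(self):
        return self.plan

    def notify(self, message):
        self.notifications.append(message)
        return True

    def apply(self):
        risky = [f for f in self.findings if f.risk == "risky"]
        if risky:  # the model said "Yes", the floor says no: escalate with context
            self.notify("human review required: " +
                        "; ".join(f"{f.address}: {f.reason}" for f in risky))
            return False
        self.applied = True
        return True


def _rc(address, rtype, actions, before, after, **extra):
    return {"address": address, "type": rtype,
            "change": {"actions": actions, "before": before, "after": after, **extra}}

# Constructed sample plans in the shape of `terraform show -json`, not real output.
SAMPLE_PROD_PLAN = json.dumps({
    "resource_drift": [_rc("aws_security_group_rule.hotfix", "aws_security_group_rule", ["update"],
                           {"cidr_blocks": ["10.0.0.0/8"]}, {"cidr_blocks": ["0.0.0.0/0"]})],
    "resource_changes": [
        _rc("aws_instance.web", "aws_instance", ["update"], {"ami": "ami-1", "tags": {"team": "a"}},
            {"ami": "ami-1", "tags": {"team": "b"}}, after_unknown={"tags_all": True}),
        _rc("aws_db_instance.main", "aws_db_instance", ["delete", "create"],
            {"identifier": "old"}, {"identifier": "new"}, replace_paths=[["identifier"]]),
        _rc("aws_iam_role_policy.admin", "aws_iam_role_policy", ["delete"], {"name": "admin"}, None),
        _rc("aws_security_group_rule.hotfix", "aws_security_group_rule", ["update"],
            {"cidr_blocks": ["0.0.0.0/0"]}, {"cidr_blocks": ["10.0.0.0/8"]}),
        _rc("aws_s3_bucket.logs", "aws_s3_bucket", ["no-op"], {}, {}),
    ]})
SAMPLE_BORING_PLAN = json.dumps({"resource_changes": [
    _rc("aws_autoscaling_group.web", "aws_autoscaling_group", ["update"],
        {"desired_capacity": 2, "tags": []}, {"desired_capacity": 3, "tags": []})]})

if __name__ == "__main__":
    for label, plan in (("prod", SAMPLE_PROD_PLAN), ("boring", SAMPLE_BORING_PLAN)):
        tools = AgentTools(plan, "prod")
        print(label, "applied" if tools.apply() else "escalated", tools.notifications)
```

The floor is deliberately dumb: it does not try to decide whether the security group swap was intentional, that is the model's job. What it guarantees is that the model's "Yes" can never reach `terraform apply` for a change in one of the hard categories, that anything the classifier does not recognise defaults to a human, and that the reasons end up in the notification so the reviewer starts with context rather than a raw plan. The drift check leans on the `resource_drift` array in the plan JSON, which lists resources whose real state differed from state at refresh time.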
I've been noodling on this one for a minute. I'm curious, do you know anybody using AI to review and approve critical infrastructure plans today? Please tell me what's working and what's not before we reinvent the wheel over here.
Matt @ Masterpoint
PS If you want to chat about how we put this together, grab some time on my calendar here. Also, did you know we have a referral program where you can make some extra cash? Know someone who needs some IaC expertise? Intro us and help out Masterpoint, one of your colleagues, and yourself at the same time.