AI applications introduce a new class of resources to cloud environments. Agents, model endpoints, vector databases and even guardrails that govern them are core cloud resources, often defined and deployed via AI-assisted Infrastructure-as-Code (IaC). This makes visibility into how they are written, deployed, and managed more critical than ever.
The challenge is that no single system connects them. IaC configurations live in code repositories. State lives in scattered backends. Resources run in the cloud. When a misconfiguration appears, teams are forced to stitch context across tools just to answer basic questions: What created this resource? Who owns it? And what else does it affect?
The problem is also getting worse. Security misconfigurations have risen to #2 in the OWASP Top 10. This is not a coincidence. As organizations build and deploy AI applications faster, IaC will only become more critical to how that infrastructure is provisioned and managed. With AI-assisted development, more engineers are defining infrastructure directly, often without the security context that platform teams have historically owned. This makes prevention critical. But prevention alone is not enough. Teams still need visibility into what already exists in production.
Today, Wiz addresses both. Our new IaC Inventory gives security and platform teams a unified view of how code becomes cloud, connecting every module to every deployment it created and every live resource it manages. And with new Pulumi support, Wiz extends IaC scanning to developer-first languages, putting infrastructure authorship in the hands of application teams across AWS, GCP, and Azure.
Securing AI Resources from Code-to-Cloud
Wiz approaches IaC security with a simple principle: the same policies that govern your cloud at runtime should apply to the code that defines it. In most environments, they don’t. Infrastructure is validated late, after deployment, when CSPM alerts surface issues that have already reached production. By that point, fixing them is slower, riskier, and often disconnected from the teams that introduced them.
Wiz connects these worlds. With Wiz Code, policies are enforced directly in development using a unified policy engine. Teams can use Wiz's built-in best practice rules, for example "Bedrock Agent should be associated with Bedrock Guardrails," or create custom rules, and enforce them consistently across code, pipelines, and cloud. Critical misconfigurations are caught pre-deployment, not hours later by a CSPM alert.
For risks that are found in the cloud, Wiz simplifies remediation through code-to-cloud traceability. Every live resource is automatically mapped back to the exact module, file, line of code, and author that defined it. When a misconfiguration surfaces, Wiz identifies the owner and surfaces a targeted PR to fix it at the source.
IaC Inventory: A Unified View for Code, Deployments, and Cloud
Until now, even with scanning and traceability, there was no single place to see how your IaC actually maps to your cloud. This is especially critical as AI workloads such as agents, models, datasets, and guardrails become first-class infrastructure resources defined and managed through IaC.
The IaC Inventory changes that. Wiz uses state files as the bridge to automatically connect resources and modules declared in IaC to the live resources running in the cloud. This gives security, DevOps, and platform teams a unified view across their entire IaC estate without needing to manually cross-reference across disparate tools.
The value is immediate across three workflows:
Scope risk instantly. When a vulnerable module is identified, whether it’s an AI training dataset or Bedrock Agent, the blast radius is no longer a mystery. See every deployment it backs and every live resource it manages in one click, turning hours of detective work into a single interaction.
Govern your estate. Spot modules sourced from unapproved or ungoverned origins, surface unused modules as explicit technical debt, and identify deployments running outdated versions, all without writing a query or enforcing tagging hygiene.
Catch drift and close the gap between code and runtime. When a resource drifts from its declared state, it sits outside your governance boundary, unreviewed and unprotected. The IaC Inventory surfaces drift explicitly so teams can catch and resolve it before it becomes an incident.
Pulumi Support: Meeting Developers Where They Build
Wiz already secures IaC across several frameworks such as Terraform, CloudFormation, and Bicep. Today, that coverage expands to include Pulumi.
As infrastructure is increasingly authored in developer-first languages, and as LLMs generate more infrastructure code than ever before, the need for a guardrail that understands the context of that code has never been higher. This shift increases the surface area for misconfiguration, making automated oversight a necessity rather than a luxury.
With Wiz CLI support for native Pulumi scanning across AWS, GCP, and Azure, misconfigurations are caught before they ever reach production. Whether that is a developer inadvertently leaving public access enabled on a GCP storage bucket or an overly permissive IAM policy generated by an AI-assisted tool, Wiz catches it before it ships.
Closing the loop from visibility to remediation with agents
Visibility is only valuable if it leads to action. And action is only as good as the context behind it.
Consider a common scenario. Your team uses a third-party Terraform module to provision AWS Bedrock Agents. The third-party maintainer is compromised, and a new malicious version of the module introduces a misconfiguration that removes any Bedrock Guardrails that were applied. On the next deployment, the change propagates silently across every environment using that module.
But some of those agents were designed not to have guardrails, and adding them blindly can break production. Now you need to act, but carefully. Where is this module used? What resources has it deployed? Which of them have drifted from their IaC configuration? Which of them are actually at risk? What will break if you change it?
Without IaC Inventory, answering these questions requires hours of manual investigation across repositories, state files, and cloud consoles. With it, the full context is immediately available. By connecting modules, deployments, and live resources, Wiz enables teams to understand not just where the issue exists, but how it propagates and where different behaviors are actually required.
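As an added example (not Wiz's code), here is the state-file bridge described under IaC Inventory applied to the compromised-module scenario above: a constructed Terraform v4 state is indexed by module, the "Bedrock Agent should be associated with Bedrock Guardrails" rule is run over it, and a constructed live snapshot is compared to the declared state to flag drift. The `aws_bedrockagent_agent` type and `guardrail_configuration` attribute names are assumed from the AWS provider; all ids are made up.

```python
import json
from collections import defaultdict

AGENT = "aws_bedrockagent_agent"  # AWS provider resource type (assumed name)

# Constructed Terraform state (v4 layout): two agents from shared modules plus one bucket;
# values are illustrative, not from any real environment.
STATE = json.dumps({"version": 4, "resources": [
    {"module": "module.support_agent", "mode": "managed", "type": AGENT, "name": "this",
     "instances": [{"attributes": {"id": "AGENT1", "guardrail_configuration": [
         {"guardrail_identifier": "gr-1", "guardrail_version": "1"}]}}]},
    {"module": "module.batch_agent", "mode": "managed", "type": AGENT, "name": "this",
     "instances": [{"attributes": {"id": "AGENT2", "guardrail_configuration": []}}]},
    {"mode": "managed", "type": "aws_s3_bucket", "name": "datasets",
     "instances": [{"attributes": {"id": "training-data"}}]},
]})

# Constructed snapshot of what the cloud API reports now: AGENT1 lost its guardrail.
LIVE = {"AGENT1": {"guardrail_configuration": []},
        "AGENT2": {"guardrail_configuration": []}}

def _managed(state_json, rtype=None):
    """Yield (module, type, attributes) for managed instances, optionally of one type."""
    for res in json.loads(state_json).get("resources", []):
        if res.get("mode") != "managed" or (rtype and res["type"] != rtype):
            continue  # data sources are reads, not resources the module manages
        for inst in res.get("instances", []):
            yield res.get("module", "ROOT"), res["type"], inst["attributes"]

def index_state(state_json):
    """The bridge: module (root module as 'ROOT') -> live (type, id) pairs it manages."""
    index = defaultdict(list)
    for module, rtype, attrs in _managed(state_json):
        index[module].append((rtype, attrs.get("id")))
    return dict(index)

def blast_radius(state_json, module):
    """Every live resource id a module backs: what to review before changing the module."""
    return [rid for _, rid in index_state(state_json).get(module, [])]

def agents_without_guardrails(state_json):
    """Rule 'Bedrock Agent should be associated with Bedrock Guardrails', run over state."""
    return [(module, attrs["id"]) for module, _, attrs in _managed(state_json, AGENT)
            if not attrs.get("guardrail_configuration")]

def drifted_agents(state_json, live):
    """Agents whose live guardrail config no longer matches what the code declared."""
    return [attrs["id"] for _, _, attrs in _managed(state_json, AGENT)
            if attrs["id"] in live and live[attrs["id"]].get("guardrail_configuration", [])
            != attrs.get("guardrail_configuration", [])]
```

Note that AGENT2 is flagged by the rule but not as drift: its code never declared a guardrail, which is exactly the "designed not to have guardrails" case that a blanket fix would need to distinguish.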
This makes genuinely safe remediation possible. The problem is no longer finding the issue. It’s understanding its impact. Instead of a blanket fix that breaks legitimate use cases, teams can make informed architectural changes, reducing risk while preserving intended functionality. Our Green Agent orchestrates fixes by understanding the context of the code, cloud, and runtime environment. Developers know exactly where to make the change. Platform teams understand the full blast radius. Remediation workflows operate with precision and confidence.
This is how visibility turns into safe, scalable remediation.
Get started
Existing Wiz Code customers can connect their repositories and IaC platforms to begin exploring IaC Inventory today. As part of Wiz Code, it gives security, DevOps, and platform teams a unified view of their entire IaC estate, connecting every module to every deployment it created and every live resource it manages, so teams can trace risk, catch drift, and remediate with confidence from code to cloud.
For a deep dive into how IaC Inventory works, visit the documentation (login required).
New to Wiz? Book a demo to see how the Security Graph connects your IaC estate to your runtime environment.