IT orgs cautiously try AI agents for infrastructure as code
Enterprise IT leaders at regulated companies keep a tight leash on AI agents for infrastructure as code, but some envision a new agentic front door for developer access.
Companies in regulated industries are experimenting with AI agents for infrastructure as code, with abundant caution and mixed early results -- but with an eye toward a potential new developer infrastructure interface in the long term.
IT pros from a bank, tax platform provider, medical device company and a fintech company shared their experiences with AI agent-generated infrastructure as code (IaC) in conference presentations, interviews and a blog post over the last two months. The common theme: infrastructure code generated by AI agents was somewhat helpful and showed potential, but it isn't ready to be unleashed autonomously in production environments.
Still, with the right deterministic safeguards in place, AI agents could offer developers appealing new ways to invoke existing infrastructure automation workflows in natural language, according to one early adopter.
"With AI, it looks like the World Wide Web all over again," said Joe Hutchinson, head of platform at UK fintech firm Vega, which is testing out Spacelift Intent, an AI infrastructure provisioning tool, in pre-production environments. "The experience is going to be dynamic, and the needs of individuals, the expectations are growing, and they want to speak their language, not the language of others."
TD Bank: 'not open season' for IaC agents
Reps from TD Bank presented a deep dive into an ambitious network automation project using Ansible Automation Platform -- assisted by Microsoft's Copilot -- during a breakout session at Red Hat Summit on May 13. The project, which began last year, comprised 12,850 lines of code to perform non-disruptive network rebuilds in 90 minutes in each of the bank's 1,300 branch locations in Canada. The project took three engineers about 3.5 months to create and saved 1,360 work hours, according to the session presentation.
Along the way, TD Bank engineers used Copilot to help with repetitive IaC tasks such as test generation -- but only after ensuring the agents had human-generated code that adhered to strict standards to learn from, said session co-presenter Jade Wu, a senior network engineer at TD Bank.
"We spent a lot of time building this framework and making sure we always follow the same coding style, and it benefited us tremendously when Copilot came," Wu said. "We can train the agent exactly how we want a test to be written."
Copilot was helpful with this kind of low-risk, repetitive work, but human engineers still control the core system and code logic, Wu said during an interview after the session. Copilot came in relatively late in the project, and she estimated it accounted for about 15% of the overall work, always under close human oversight.
When asked during a Q&A at the end of the breakout session how much autonomy the bank will give coding agents over infrastructure in the future, co-presenter Drew Yates, vice president of infrastructure, network and data center at TD Bank, said it would be limited, at least in the near term.
"It's not open season," Yates said. "I'm not going to get it to do runtime playbooks. … Having an AI agent to help make a determination about which path something should go, and then use the automation that we've already done, I think that makes a lot of sense, and it will probably be one of the first steps that we would look to take instead of just opening the gate."
EY brings in IBM Bob, with guardrails
EY's Global Tax Platform, which services the consulting firm's corporate tax clients and internal practitioners, is incorporating the IBM Bob coding agent and harness for functions including .NET code modernization, application development and IaC using HashiCorp Terraform and other tools, according to Christopher Aiken, principal, tax technology services at EY.
EY also co-developed an EY.ai assistant using IBM watsonx and Granite AI models in 2025; EY.ai is used by IBM's internal tax department. IBM Bob appealed to Aiken because of its built-in memory and model routing features, which have earned it some autonomy internally.
"I was a little apprehensive at first about wanting to have full control over the models that Bob is using," Aiken said during a panel session at IBM Think in Boston on May 5. "We've actually discovered that you should let Bob take the wheel."
When it comes to software deployment to production, including IaC, however, Bob doesn't get to steer yet, Aiken said in an interview following the panel session.
"We do let Bob have a reasonable level of autonomy in making code changes," Aiken said. "But of course, all that code goes through our pull request review process, where humans are always in the loop. So we're not putting any code into production that Bob has produced that hasn't gone through human review."
AI-generated infrastructure code is subject to multiple types of scrutiny before deployment, Aiken said, and governed using guardrails within cloud provider platforms such as AWS to avoid infrastructure cost overruns and other quality issues.
"We set those in our underlying cloud providers," he said. "We can instruct Bob to follow those limits. But of course, your instructions only go so far."
'It will be wrong. And it won't tell you.'
An April 15 blog post by a DevOps engineer for a medical device company dug into the details of exactly what's required of the human in the AI-generated IaC loop, and it goes beyond the usual automated tests and code review.
While the productivity gains from using a Claude Code agent on OpenTofu code over three months were real, so were the reasons for caution, according to the post.
"[Catching a bug in AWS code] probably saved us a painful production incident and a compliance finding. We ship modules faster. I'm not going back," wrote Heinan Cabouly, DevOps team lead and architect at a medical device company based in Israel and the U.S. that he has requested not be named due to policies prohibiting him from representing it in the press.
The agents were good at catching bugs, generating OpenTofu module scaffolding such as variable definitions and output blocks, and writing validation rules, Cabouly wrote. However, they also repeatedly fabricated infrastructure variables that didn't exist -- infrastructure variables that would have passed standard validation tests. The AI agents also proved poor at distinguishing between application and infrastructure code.
Cabouly conceded that operating in a highly regulated environment made this particularly tricky, whereas other types of organizations might have taken it more in stride. Still, moving forward, every engineer on Cabouly's team will be required to "explain the behavior of every resource argument in terms of what AWS actually does. Not 'the AI said so,'" according to the post.
"The question isn't whether AI will replace DevOps engineers. It's whether you understand your systems well enough to know when it's wrong," the post concluded. "It will be wrong. And it won't tell you."
Platform engineer weighs AI for IDP facelift
Another company in a regulated industry, Vega, is proceeding with caution with AI agents for IaC -- but proceeding nonetheless.
Vega has been using Spacelift's Intent as a proof of concept since last year to help its internal development platform (IDP) users experiment with OpenTofu IaC in an AWS playground environment before developing it for production.
"It's really quite powerful, and we don't really use the full power of the product, and this is where I would like to try and find a safe way for us to do this in the future," Vega's Hutchinson said in an interview with Informa TechTarget on April 29. "Intent can help you ideate in your first environment, and that thing can change … [but] then once you're happy with the shape of that, you can then say, 'Right, I want to take that to the next environment.' It will deploy the resources that you've got to the next environment -- it's deterministic."
Long term, Hutchinson said he hoped AI agent-based tools such as Spacelift Intent will form a new kind of interface for developers to interact with the company's IDP, which would replace static bespoke developer portals created using tools such as Backstage.
"Backstage was a link to everything -- your deployments, software catalog, tech radar, tech docs, all baked in," Hutchinson said. "But Backstage projects, even at small companies, can run into six figures and beyond for their engineering effort. … I don't think the world's moving this way."
AI agents: the new IaC DevX?
Using AI agents as a new kind of top-level interface, or surface-level trigger, for deeper, deterministic infrastructure automation was the tack Red Hat took with the rollout of Ansible automation orchestrator during Summit.
Other updates in AAP version 2.7, rolled out the same week, added a Model Context Protocol server and code extension plugin that can connect the platform to a user's AI agent of choice. But a keynote presentation emphasized that the automation orchestrator, a canvas that links task-driven, event-driven and AI-driven automation, demonstrates how the vendor expects AI agents to be incorporated into infrastructure management in the long term.
"Automation orchestrator will give you a single visual control plane to design, govern and execute workflows across the three automation modes, all with consistent approval gates and audit trails, regardless of what triggers the workflow," said Ashesh Badani, chief product officer at Red Hat, during a keynote presentation on May 13. "First, human-approved single actions, then supervised agentic workflows, and finally, for the right systems with the right track record, fully autonomous operations."
While AI agents might not replace deterministic workflows for IaC, they are likely to add a new abstraction layer in front of it, said Rob Strechay, an analyst at TheCube Research and Smuget Consulting.
"I give Red Hat a little bit of credit on this, that they make it task-based … automating the playbooks versus just wrapping up APIs, and they're also building in event-driven automation," Strechay said. "So, eventually, is Ansible, more or less, just a playbook engine that is triggered by other agents, [and] handling the tasks underneath? I think that's where most people are going to go."
Beth Pariseau, senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism.