93% of orgs saw AI-caused infrastructure incidents, but only 19% had governance to respond

AI vendors have been telling organizations to sprint into the AI playpen. Spacelift’s new 2026 State of Infrastructure Automation report says plenty of companies did exactly that, but they brought a seatbelt made of wishful thinking.

In a survey of 406 IT decision makers conducted in April, 93 percent of organizations said they have experienced AI-caused infrastructure incidents. Here is the part that should keep boards up: only 19 percent said they had the necessary governance to respond. The report frames this as an “AI Readiness Gap,” a mismatch between adoption speed and the frameworks meant to keep infrastructure changes safe.

That mismatch matters because infrastructure changes are not harmless. When AI generates infrastructure-as-code (IaC), it can produce the exact artifacts teams deploy. The report argues organizations are using AI to generate infrastructure code at a rate their governance frameworks were never designed to handle. And the damage is not theoretical. Respondents said AI-caused incidents led to reworking AI-generated changes (37 percent), security misconfigurations reaching production (36 percent), compliance violations (36 percent), infrastructure drift attributable to AI changes (35 percent), and incidents caused by agentic systems (33 percent).

Spacelift also slices organizations into categories based on their AI posture. It characterizes 24 percent as “exposed,” meaning they are using AI but without governance or frameworks to support it safely. The report warns that what these companies do diverges significantly from what they have in place to manage it. Another 32 percent are “fragmented”: they use AI sometimes, unevenly, and have some governance, but no coherent plan. Meanwhile 25 percent are “outpacing,” where adoption is heavy and ahead of business controls. The remaining 19 percent are “pioneer,” which the report describes as AI use with structural discipline. The incident data tracks these labels. Among “exposed” organizations, 97 percent reported at least one AI-caused infrastructure incident. Among “pioneer” entities, 17 percent said they had no AI-related infrastructure incidents. Spacelift attributes the gap to automated validation, saying it outperforms manual code review.

If you are thinking, “Okay, but are we even using that much AI in the first place?” The survey answers that too. Across the board, respondents reported greater use of AI for generating code. Eighty-two percent said between 25 percent and 74 percent of their code was created with help from AI. That level of AI assistance shifts workload and risk downstream for infrastructure teams, not just for developers upstream. Respondents said it has led to security vulnerabilities showing up more frequently (40 percent), governance becoming more challenging (40 percent), higher change volume (37 percent), strains on the development pipeline (35 percent), and infrastructure drift (35 percent).

There is also a governance credibility gap inside the companies themselves, according to the report. It points to cognitive dissonance, described as a “blameless” formulation of “self-delusion.” The numbers are the tell: 86 percent of respondents said they can govern AI, but only 30 percent actually have a formal AI governance policy in place. In other words, many organizations believe they can manage the risks, but the documented controls lag behind reality.

So what does Spacelift want organizations to do? The report advises paying attention to AI-oriented metrics that few organizations bother to track. Specifically: the volume of AI-generated IaC in deployment pipelines, error rates due to AI-generated changes, and infrastructure drift attributable to AI changes. It also pushes for more automation through IaC, building governance to cover that automation, getting AI-generated code into governed IaC orchestration workflows, and planning for governance of AI agents.

Zoom out for a second, because the second-order implications are where executives should focus. Infrastructure automation is a core lever for speed, but it also becomes a core channel for mistakes at scale. Regulatory frameworks and security expectations increasingly treat operational risk as board-level risk. The survey’s pattern suggests many companies are generating more infrastructure change, with higher odds of misconfiguration and compliance gaps, without governance systems that can validate and monitor at the same throughput. If you are a CEO, CIO, CISO, or risk leader, the stakes are simple: you can either slow AI down to fit old governance models, or modernize governance so it can keep pace. This report argues the current default is neither, which is why the incidents are already showing up.