{"slug": "can-ai-effectively-approve-production-infra-changes", "title": "Can AI Effectively Approve Production Infra Changes?", "summary": "Masterpoint is exploring whether AI can effectively review and approve infrastructure-as-code plans for production environments, aiming to auto-approve low-risk changes while flagging risky ones for human review. The company is building an agent that reads code and plans, sends notifications, and applies safe changes, potentially reducing the bottleneck of manual plan review.", "body_md": "# Can AI Effectively Approve Production Infra Changes?\n\n## One of the biggest bottlenecks in IaC at scale is plan review.\n\nHey folks,\n\nOne of the biggest bottlenecks in IaC at scale? Plan review.\n\nYou know the story. Someone pushes a change, a plan gets generated, and then... it sits there. Waiting for a human to eyeball it and say \"yeah, that looks safe to apply.\"\n\nFor your lower environments (dev/qa/UAT)? Hell ya, auto-apply away.\n\nBut for production databases, networking, IAM, all the critical stuff? Nobody wants to be the one who rubber-stamped a `destroy` on a production RDS instance. ([A variant of FRD](https://newsletter.masterpoint.io/p/gitops-iac-and-frd-fear-of-resource-deletion).) So these plans sit because reviewing them is tedious.\n\nAt Masterpoint, what we're starting to wonder is: “Is AI good enough to actually review infrastructure plans?”\n\nI’m coming around to “yes”.\n\nNot just \"does this plan have a `destroy` action\" -- that's boring.\n\nI'm talking about contextual review. Understanding that dropping a security group rule while adding a new one is probably intentional. 
Flagging that a create then destroy on a stateful resource is almost certainly a bad day waiting to happen and therefore a human needs to be in the loop.\n\nWe're building a dream setup where an agent auto-approves the boring stuff (tag changes, scaling adjustments, new resources in dev/qa/UAT).\n\nBut the agent also flags genuinely risky changes for human-in-the-loop review with context on **why** they're risky. Things like:\n\n- force replace on databases\n- removing critical IAM policies\n- undoing drift that looks like it was put in at 1am last night due to a sev1 issue\n\nThis would turn plan review, which we've seen be a bottleneck pretty much everywhere, into a focused review of only changes that actually matter. We already have manual gates when using tools like Claude Code (unless you use `-auto-approve`) so this concept is a change in degree, not a change in kind.\n\nWe're just saying that an agent will look at the plan and if it looks safe, an agent can say \"Yes apply\". If it doesn't supply a \"Yes\", then that plan will still wait around for a \"Yes\" from a human, which is the current state of affairs.\n\nThis doesn’t solve the entire problem of plan review, but the goal is to decrease the amount that an engineer needs to review by saying \"The boring stuff will be approved by agent\".\n\nWhen I’ve discussed this, there’s often AI hesitancy. But AI plus infra is coming. I don't think there is anything we can do to stop that. The software industry as a whole won't see application engineers get 10x faster and then not expect a response from the SREs and platform engineers on our side of the house. The issues surrounding \"AI gaslights, lies, and hallucinates\" are challenges that will be overcome.\n\nGuardrails around the agent can be applied by limiting the tools the agent has available to it. You don’t want it modifying IaC code to try to get the plan in better shape! 
For this use case, we limit the agent to:\n\n- reading the code\n- reading the plan\n- sending notifications\n- sending an \"Apply\" action (when the plan is looking good)\n\nI've been noodling on this one for a minute. I'm curious, do you know anybody using AI to review and approve critical infrastructure plans today? Please tell me what's working and what's not before we reinvent the wheel over here.\n\nMatt @ Masterpoint\n\nPS If you want to chat about how we put this together, [grab some time on my calendar here](https://calendly.com/matt-at-masterpoint/project-chat?utm_source=newsletter.masterpoint.io&utm_medium=referral&utm_campaign=can-ai-effectively-approve-production-infra-changes). Also, did you know we have a referral program where you can make some extra cash? Know someone who needs some IaC expertise? [Intro us](https://masterpoint.io/referrals/?utm_source=newsletter.masterpoint.io&utm_medium=referral&utm_campaign=can-ai-effectively-approve-production-infra-changes) and help out Masterpoint, one of your colleagues, and yourself at the same time.", "url": "https://wpnews.pro/news/can-ai-effectively-approve-production-infra-changes", "canonical_source": "https://newsletter.masterpoint.io/p/can-ai-effectively-approve-production-infra-changes", "published_at": "2026-06-25 20:10:20+00:00", "updated_at": "2026-06-25 20:13:57.710902+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "ai-tools"], "entities": ["Masterpoint", "Claude Code", "RDS", "IAM"], "alternates": {"html": "https://wpnews.pro/news/can-ai-effectively-approve-production-infra-changes", "markdown": "https://wpnews.pro/news/can-ai-effectively-approve-production-infra-changes.md", "text": "https://wpnews.pro/news/can-ai-effectively-approve-production-infra-changes.txt", "jsonld": "https://wpnews.pro/news/can-ai-effectively-approve-production-infra-changes.jsonld"}}