AI incidents hit 93% as governance lags, study finds

Spacelift has published survey findings showing that 93% of organisations have experienced AI-caused infrastructure incidents. The report also found that only 19% have built the governance foundations it classifies as necessary for AI readiness.

Its 2026 State of Infrastructure Automation report is based on a survey of 406 IT decision-makers and platform engineering leaders in North America at organisations with 250 or more employees. Research group Panterra conducted the study and used the results to create an AI Maturity Index that places organisations into four categories: Pioneer, Outpacing, Fragmented and Exposed.

The data points to a widening gap between the speed of AI adoption in software development and the controls used by infrastructure teams. Sixty-seven per cent of respondents said development is ahead of infrastructure in AI adoption, while 86% said AI has increased demands on infrastructure teams.

That pressure is showing up in operations. Forty per cent of respondents said security vulnerabilities are appearing faster, 40% said governance is becoming harder, 37% cited higher change volume, 35% reported increased pipeline strain and 35% said they are seeing more infrastructure drift.

The study also found a sharp divide between confidence and formal oversight. While 86% of infrastructure leaders said they were confident in their organisation's ability to govern AI, only 30% said they had a formal AI governance policy in place.

Among organisations classed as Exposed, 70% expressed confidence in their governance arrangements, yet only 4% had a formal policy. By contrast, 71% of Pioneer organisations said they actively enforce a formal governance policy, and 24% said they had no outstanding AI governance concerns because their controls make the risks manageable.

Code review

The report highlights how so-called vibe coding has spread beyond application development into infrastructure and policy work. According to the findings, 79% of respondents use AI to generate developer code without thorough review, while 78% do the same for infrastructure as code and policy as code.

One-third of infrastructure teams said they would apply AI-generated HCL directly to production without any review. A further 43% said they would do so with only minimal review.

Even among the most advanced organisations in the index, use of AI-generated infrastructure code is high. Pioneer organisations reported higher rates of AI-generated IaC than Exposed organisations, at 86% versus 69%. The report attributes the difference to the presence of governed pipelines with automated validation and policy enforcement.

The survey also suggests that many organisations lack the measurement systems needed to judge whether AI governance is effective. Only 15% track the volume of AI-generated infrastructure as code moving through their pipelines, and 20% track error rates for AI-generated changes.

Spacelift's index groups 19% of organisations as Pioneer, 25% as Outpacing, 32% as Fragmented and 24% as Exposed. It assesses AI integration depth, governance maturity, infrastructure automation maturity, risk exposure and platform readiness.

The report found that 89% of organisations plan to adopt agentic AI for infrastructure, adding to the urgency around governance. The findings suggest many are preparing to introduce more autonomous systems before putting policy, review and measurement frameworks in place.

Paweł Hytry, Co-Founder and Chief Executive Officer of Spacelift, said the latest results show that the core weakness has shifted. "The findings are unambiguous: organizations are using AI to generate infrastructure code at a rate their governance frameworks were never designed to handle," Hytry said.

He said the problem is no longer just automation maturity. "Last year we identified a gap between perceived automation maturity and actual execution. This year, the gap has moved to governance. Teams are confident they're governing AI well, but the incident data tells a very different story."

Hytry also pointed to the lack of AI-specific operational metrics. "Only 15% track the volume of AI-generated IaC moving through their pipelines, and just 20% track error rates of AI-generated changes. If organizations are not measuring AI-specific outputs, they are operating in the dark," he said.

Panterra also highlighted the difference between organisations adopting AI quickly and those building controls around it. "Last year, organizations overestimated their automation maturity. This year, they're overestimating their governance readiness," said John Garrett, Managing Director at Panterra Research.

He said the leading group in the survey was not simply using more AI than others. "The organizations that stand out are not the ones using AI the most aggressively. They are the ones that built governance frameworks before AI dramatically increased the speed and complexity of infrastructure demands on platform teams. That's the pattern every infrastructure leader should be studying," Garrett said.