AI can write your application code. It can refactor, debug, and even ship PRs. But give it access to your cloud infrastructure and things get interesting fast.
Infrastructure has history, dependencies, permissions, and consequences that are easy for an agent to misunderstand.
I have been experimenting with agents that apply infrastructure changes, update clusters, adjust IAM, and coordinate with other automated tools. Some of the behavior was genuinely helpful. Some of it created surprising side effects that were unpredictable until they happened.
This talk shares what I found while testing and experimenting with agentic tools that operate real infrastructure.
- The gap: Why infrastructure behaves differently for agents than application code
- What goes wrong: Confusing goals, ignored constraints, overly broad permissions, stale state, drift amplification, and automated changes that impact production
- Patterns that work: Human review steps, preview-before-apply flows, narrow permissions, audit logs, policy boundaries, and explicit approvals
- Agents talking to agents: How planner and executor chains increase both capability and risk
- Emerging protocols: MCP, structured tool definitions, and early standards for agent-to-agent communication
- What is developing: The beginning of a practical ecosystem for AI-assisted infrastructure operations
This talk focuses on the current reality rather than speculation. It covers what appears useful today, where careful boundaries are required, and the parts of the problem that still need research and engineering.
Anyone considering agent access to real infrastructure will leave with a clearer understanding of the risks, the techniques that reduce them, and the areas where experimentation is still underway.



