Pulumi’s AI Agent Tackles Infrastructure Compliance Backlogs


The New Stack (1 week ago) Updated 4 days ago


Organizations struggling with massive backlogs of infrastructure policy violations can now look to Pulumi for relief, as the company today announced that its Neo AI platform engineer can automatically identify and fix compliance issues across cloud infrastructure at scale.

According to Craig Symonds, vice president of Pulumi Insights, the new offering addresses a key pain point for platform teams: while security and governance tools excel at detecting policy violations, remediating them has remained a manual, time-consuming process. For companies pursuing frameworks like HITRUST or FedRAMP, those backlogs can exceed 100,000 violations.

“Platform teams tell us they can’t keep pace with the volume of policy violations their tools identify,” said Joe Duffy, CEO and co-founder of Pulumi, in a statement. “Detection is necessary but not sufficient. Neo addresses the remediation gap by understanding policy violations in context, generating appropriate Infrastructure as Code [IaC] fixes, and applying them automatically when teams choose.”

Pulumi’s approach tackles what IDC analyst Jim Mercer calls a critical shift in infrastructure governance.

“The infrastructure governance challenge has shifted from detection to remediation at scale,” Mercer said in a statement. “Organizations are drowning in policy violation backlogs that grow faster than teams can manually address them.”

The new capabilities extend Pulumi’s Policy as Code framework beyond prevention into active remediation. While the platform already blocked noncompliant infrastructure from being deployed, it now scans existing infrastructure, identifies violations and uses AI to generate fixes, Symonds told The New Stack in a briefing.

Neo analyzes policy violations in context, generates appropriate IaC changes, and can either apply them automatically with configurable guardrails or route them through approval workflows for human review. The AI agent also has built-in safeguards — it cannot make changes that violate organizational policies, as those guardrails are baked into Pulumi’s IaC engine itself.

Symonds said one customer facing 30,000 HITRUST compliance violations — work they estimated would take over a year to remediate manually — has already resolved approximately 20% of those issues in just a few weeks using Neo’s bulk remediation capabilities.

Michael Hunter, CEO at Spear AI, highlighted the broader compliance benefits. “We gave our auditors access to our policy packs because it’s far easier to understand and prove controls in code than in docs and diagrams,” Hunter said in a statement. “With Pulumi’s Policy as Code approach, that manual review process has gone away. We’ve reduced our ATO [Authority to Operate] timeline from a year and a half to expecting approval in three months.”

The enhanced platform follows a three-stage workflow:

Pulumi’s strategy differs from traditional security operations tools by embedding compliance directly into developer workflows, Symonds said. Rather than requiring engineers to context-switch into separate security tools, policy violations appear in the same IaC platform they use daily.

“Developers love doing things the right way initially, if they’re given the information,” he noted. “They hate having to go back three months to work they did three months ago, bring it back up and figure out how to fix security issues they should have fixed then.”

This shift-left approach aims to bridge the gap between security teams that identify violations and engineering teams that must fix them — a friction point that has spawned billions of dollars in security tooling investment, Symonds said.

The policy capabilities are available to all Pulumi Cloud customers, including Team, Enterprise and Business Critical tiers. Audit scanning and AI-powered remediation through Neo are included for Enterprise and Business Critical customers.

Source: This article was originally published on The New Stack
