Cloud at scale can often mean cloud waste at scale. (But it doesn't have to.)

In 2025, cloud has gone from a line item to one of the largest budget categories in enterprise IT. Global IT spend is projected at $5.43 trillion, with cloud infrastructure eating a bigger slice than it ever has.

But here's the reality check:

  • 27% of cloud spend is wasted, according to Flexera's 2025 survey.
  • BCG puts it closer to 30% of spend lost, specifically to unused, unmanaged, or forgotten resources.
  • By Firefly's own estimates, for many organizations, as much as 40% of their infrastructure remains unmanaged: built through clickops instead of code, making waste and drift inevitable.

This is the first layer of the Bad IaC Tax: you're not just paying for cloud, you're paying for chaos.

Misconfigurations That Turn Into Million-Dollar Events

Bad IaC isn't just about wasted spend; it's about risk.

The result? Outages and breaches. And they’re rarely freak accidents. In fact, most often, they're the direct result of unmanaged, inconsistent, and poorly governed IaC.

Executives Are Losing Confidence

This problem doesn't stop at the engineering team. It climbs the chain:

  • 68% of orgs are now multi-cloud users, but Gartner predicts that more than half will fail to get the expected results from their multi-cloud implementations by 2029.
  • Only 2% of companies have enterprise-wide cyber resilience practices fully implemented, and leaders say cloud-related threats are the area they feel least prepared for.
  • Firefly's State of IaC 2025 Report revealed that while ~85% of orgs use Terraform, the number of teams that have adopted best practices (like consistent directory structures, CI/CD, and policy-as-code) is likely far lower.

What's worse? The gap between "using IaC" and "doing IaC well" is exactly where executive confidence erodes.

The Bad IaC Tax: Do the Math

Here's how the tax adds up annually:

  • Cloud Waste: Cloud spend × 27–30% (Flexera, BCG).
  • Outages: Number of significant incidents × $100K–$1M.
  • Breaches: Breach probability × $4.44M–$10.22M.
  • Unmanaged/Drifted Resources: Up to 41% unmanaged, 36% drifted (per Firefly estimates).

That's a recurring, compounding tax on your cloud strategy, and one that leadership certainly notices.

What Good IaC Looks Like

The good news: this tax is avoidable. But only if leaders demand better practices. Good IaC isn't just "Terraform in Git." It's disciplined, enforced, and measurable:

  • Codify everything: infra, policies, costs, and tags.
  • Shift-left governance: enforce policies and cost checks pre-merge, not post-incident.
  • Drift detection: continuous reconciliation, not quarterly audits.
  • Golden paths: platform engineering modules and templates that developers can't accidentally break.
  • Track the right KPIs: % codified infra, drift rates, policy pass rates, and cost attribution.

Firefly's IaC Best Practices eBook lays out these steps in detail, from naming conventions and Terraform structure, to CI/CD workflows, policy guardrails, and AI-powered optimization. Explore the resource here, or dive into some ways real Firefly customers have embraced IaC maturity.

Why This Matters Now? It's Well Overdue

Cloud isn't cheap. Boards are pressing CFOs about waste. CISOs are worried about drift and breaches. CIOs are staring at rising bills and declining satisfaction. In short, the Bad IaC Tax is real. 

But paying it is optional. 

(Hint: if you want to stop the waste, cut outage and breach risk, and regain executive confidence, you need to mature your IaC.)

Want a pulse check on the market first? Start with our State of IaC 2025 Report, which shows just how much unmanaged infrastructure and drift are costing teams like yours.

Because weak IaC isn't just a technical nuisance. It's a tax. And the bill is due.