{"id":1861,"date":"2026-03-05T05:47:29","date_gmt":"2026-03-05T05:47:29","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/all-things-azure\/?p=1861"},"modified":"2026-04-10T01:02:18","modified_gmt":"2026-04-10T01:02:18","slug":"platform-engineering-for-the-agentic-ai-era","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/all-things-azure\/platform-engineering-for-the-agentic-ai-era\/","title":{"rendered":"Platform Engineering for the Agentic AI era"},"content":{"rendered":"<p>For the last decade, platform engineering has relied on <strong>explicit API interaction layers<\/strong>: CLIs, SDKs, pipelines, wrappers, and UI workflows that translate human intent into machine\u2011safe API calls. AI agents are now short\u2011circuiting much of that stack. By combining natural language understanding, reasoning, and direct access to <strong>API specifications and control schemas<\/strong>, agents can convert human intent directly into validated platform actions, often without a bespoke interaction layer in between.<\/p>\n<p>Nowhere is this shift more visible than in <strong>Infrastructure as Code (IaC)<\/strong> and <strong>pipeline workflows<\/strong>, where agents are increasingly acting as the \u201ccontrol plane interpreter\u201d between engineers and cloud APIs, whether the output is <strong>Bicep\/ARM<\/strong>, <strong>Terraform<\/strong>, or direct API calls.<\/p>\n<h2>The Traditional Model<\/h2>\n<p>In the traditional model, Infrastructure as Code (IaC) sits in a multi-layer intent-to-execution stack: <strong>human intent<\/strong> (architecture goals and requirements) is translated through an explicit <strong>interaction layer<\/strong> (CLI commands, GitOps\/CI workflows, pull requests, and UI processes) into an <strong>IaC abstraction<\/strong> (for example <strong>CloudFormation<\/strong>, <strong>ARM templates\/Bicep<\/strong>, <strong>Terraform HCL<\/strong>, modules, providers), which ultimately drives <strong>provider APIs<\/strong> (AWS, Azure, GCP, and SaaS platforms).<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/abstractionlayers.webp\"><img decoding=\"async\" class=\"aligncenter size-large wp-image-1878\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/abstractionlayers-1024x453.webp\" alt=\"abstraction layers image\" width=\"1024\" height=\"453\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/abstractionlayers-1024x453.webp 1024w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/abstractionlayers-300x133.webp 300w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/abstractionlayers-768x340.webp 768w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/abstractionlayers.webp 1328w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>These layers exist to enforce correctness and safety, translate intent into valid API calls, and compensate for the fact that humans don\u2019t naturally speak API schemas making the approach robust, but often slow, verbose, and dependent on deep fluency in syntax and tooling.<\/p>\n<h2>The Agentic Shift<\/h2>\n<p>AI agents fundamentally change this flow. Modern agents can ingest natural language intent, reason over API schemas, generate and validate IaC, and apply changes directly via provider APIs\u2014all while enforcing guardrails and approvals inline.<\/p>\n<p>As a result, the interaction stack collapses into a single intelligent layer:<\/p>\n<p><figure id=\"attachment_1885\" aria-labelledby=\"figcaption_attachment_1885\" class=\"wp-caption aligncenter\" ><img decoding=\"async\" class=\"wp-image-1885 size-large\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/shift2agent-1024x311.webp\" alt=\"Human intent \u2192 Agent (reasoning + policy) \u2192 IaC \/ APIs\" width=\"1024\" height=\"311\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/shift2agent-1024x311.webp 1024w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/shift2agent-300x91.webp 300w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/shift2agent-768x233.webp 768w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/shift2agent.webp 1332w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"figcaption_attachment_1885\" class=\"wp-caption-text\">Human intent \u2192 Agent (reasoning + policy) \u2192 IaC \/ APIs<\/figcaption><\/figure><\/p>\n<p>The &#8220;API interaction layer&#8221; still exists\u2014but it becomes implicit, dynamically constructed by the agent using API specs, provider schemas, and organizational controls.<\/p>\n<h2>Present Day Reality vs. Future State<\/h2>\n<h3>Why IaC Still Matters Today<\/h3>\n<p>Today, <strong>Infrastructure as Code (IaC) remains the system of record<\/strong> for enterprise platforms. This is not accidental. IaC provides:<\/p>\n<ul>\n<li>a deterministic desired\u2011state model,<\/li>\n<li>versioned change history,<\/li>\n<li>reviewable plans (\u201cwhat\u2011if,\u201d \u201cplan,\u201d \u201cchange sets\u201d),<\/li>\n<li>and a reconciliation mechanism for drift.<\/li>\n<\/ul>\n<p>Even in agent\u2011assisted workflows, <strong>IaC functions as the canonical ledger<\/strong> against which platform state is validated and remediated. Agents may generate IaC, validate it, or reconcile drift back into it, however the ledger itself remains explicit, declarative, and human\u2011reviewable. This is a requirement for auditability, rollback, incident response, and regulated change management.<\/p>\n<p>In other words, <strong>agents operate <em>through<\/em> IaC today; they do not replace it<\/strong>. However, as the rapid world of AI moves to Frontier transformations this will not remain the same.<\/p>\n<h3><strong>Future\u2011state hypothesis<\/strong><\/h3>\n<p>The longer\u2011term shift introduced by agentic systems is not the elimination of APIs or IaC, but a <strong>redefinition of where \u201ctruth\u201d lives in the delivery system<\/strong>.<\/p>\n<p>As agents gain the ability to:<\/p>\n<ul>\n<li>reason directly over provider schemas and API specifications.<\/li>\n<li>execute changes with inline policy enforcement.<\/li>\n<li>produce complete, immutable execution traces (<strong>intent<\/strong> \u2192 <strong>plan<\/strong> \u2192 <strong>API calls<\/strong> \u2192 <strong>validation<\/strong> \u2192 <strong>evidence<\/strong>).<\/li>\n<li>and continuously reconcile live state against declared intent.<\/li>\n<\/ul>\n<p>So, the <em>function<\/em> of IaC will change. In this future state, IaC no longer needs to serve as the <strong>primary expression of intent<\/strong>. Instead, it becomes one of several <strong>compiled execution formats<\/strong>, generated from higher\u2011order inputs such as:<\/p>\n<ul>\n<li>security and compliance policy,<\/li>\n<li>architecture decision records,<\/li>\n<li>reference diagrams and approved patterns,<\/li>\n<li>and explicit human intent.<\/li>\n<\/ul>\n<p>The authoritative record shifts <strong>upstream<\/strong>, from <strong><em>how infrastructure is expressed<\/em><\/strong> to <strong><em>why it is allowed to exist<\/em><\/strong>, with the agent\u2019s execution trace providing the binding evidence between intent and outcome.<\/p>\n<p><span data-teams=\"true\">This does not remove the need for IaC or APIs. It reframes them as <strong>implementation artifacts<\/strong>, rather than the sole source of truth thus shortcutting the API layer.<\/span><\/p>\n<h2>What &#8220;Shortcutting the API Layer&#8221; Really Means<\/h2>\n<p>Agents don&#8217;t bypass APIs\u2014they bypass humans as API translators. The traditional interaction layer (CLIs, wrappers, bespoke tooling, pipeline glue) becomes increasingly implicit. Instead, the agent becomes the control-plane interpreter, continuously mapping intent to the underlying API layer with governance enforced end-to-end.<\/p>\n<h3>Architecture Artifacts as the New Ledger<\/h3>\n<p>A natural question follows: why use IaC at all if an agent can read a provider schema directly and infer every valid configuration? In an agentic model, the ledger becomes your governed documents: security standards (NIST, HIPAA, corporate policies), architecture decision records, approved reference architectures, and canonical diagrams\u2014combined with the agent&#8217;s change trace as verifiable evidence.<\/p>\n<p>Traditional IaC tools can still serve as an execution format or compatibility layer. However, they no longer need to be the universal source of truth when the policy and architecture corpus, plus agent telemetry, acts as the authoritative reference.<\/p>\n<h3>Examples in Practice<\/h3>\n<p>A few concrete patterns illustrate this shift:<\/p>\n<ul>\n<li><strong>Network segmentation<\/strong>: The agent reads an approved hub-and-spoke diagram to govern which VNets, route tables, NSGs, and DNS zones may be created\u2014then applies changes via ARM APIs and records evidence back to the ADR.<\/li>\n<li><strong>Identity boundaries<\/strong>: The agent references an identity architecture diagram to determine permitted Microsoft Graph operations, blocking any change that crosses an undefined trust boundary.<\/li>\n<li><strong>Data classification controls<\/strong>: The agent maps a diagrammed data flow to concrete controls\u2014private endpoints, TLS enforcement, retention policies\u2014and validates with read-back API queries.<\/li>\n<li><strong>Golden paths as blueprints<\/strong>: A reference architecture diagram for a workload type becomes a machine-consumable blueprint; the agent selects the pattern, fills in parameters, generates repos and config, and opens a PR with the diagram-linked justification.<\/li>\n<\/ul>\n<h2>Implications for Platform Engineering<\/h2>\n<p>This shift has four direct implications for platform teams:<\/p>\n<ul>\n<li><strong>Interaction shifts from syntax to intent.<\/strong> IaC becomes an implementation detail; design conversations move upstream to <em>what<\/em> we want, not <em>how<\/em> to express it.<\/li>\n<li><strong>Guardrails move into the agent.<\/strong> Policy enforcement for security, cost, and compliance lives in agent instructions, with human-in-the-loop checkpoints at high-risk boundaries.<\/li>\n<li><strong>Modules become knowledge.<\/strong> They evolve into agent-consumable patterns that encode architectural standards and preferred defaults the agent selects automatically.<\/li>\n<li><strong>Drift remediation becomes continuous.<\/strong> Agents detect drift, propose fixes, generate plans, request approval, and apply remediations\u2014collapsing the gap between observability and action.<\/li>\n<\/ul>\n<h2>What Does Not Change<\/h2>\n<p>Even so, the fundamentals remain. Provider APIs are still the ultimate source of truth, and human accountability remains essential for approvals and risk decisions.<\/p>\n<p>What <em>does<\/em> change is your system of record. Rather than IaC files serving as the primary execution ledger, organizations can treat policies, security controls, and architecture artifacts (ADRs, reference architectures, diagrams, runbooks) as the governing ledger. Agents then produce a verifiable trail\u2014plans, API calls, validations, evidence\u2014reviewed and approved like any other change.<\/p>\n<h2>Module-First vs. Agents + Policy<\/h2>\n<table>\n<thead>\n<tr>\n<th>Stage<\/th>\n<th>Before: module-first<\/th>\n<th>After: agents + policy<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Authoring<\/td>\n<td>Write modules and expose variables<\/td>\n<td>Provide prompt + context \u2192 generate native IaC<\/td>\n<\/tr>\n<tr>\n<td>Compliance<\/td>\n<td>Baked into modules (rigid)<\/td>\n<td>Policy-as-code checks at generation, plan, and runtime<\/td>\n<\/tr>\n<tr>\n<td>Consumption<\/td>\n<td>Search registries, read docs, wire inputs<\/td>\n<td>Describe the outcome; the agent resolves it to code<\/td>\n<\/tr>\n<tr>\n<td>Maintenance<\/td>\n<td>Version bumps and migration guides<\/td>\n<td>Regenerate from current provider\/API schemas<\/td>\n<\/tr>\n<tr>\n<td>Validation<\/td>\n<td>Unit tests and examples<\/td>\n<td>Plan-time checks + cloud policy enforcement<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Three Layers of Enforcement<\/h2>\n<p>AI applies your patterns at generation time. Static analysis tools like <a href=\"https:\/\/github.com\/terraform-linters\/tflint\">tflint<\/a>, <a href=\"https:\/\/www.hashicorp.com\/sentinel\">Sentinel<\/a><a href=\"https:\/\/www.hashicorp.com\/sentinel\">,<\/a> and <a href=\"https:\/\/www.openpolicyagent.org\/\">OPA <\/a>catch anything that slips through at plan time. The same idea applies beyond Terraform: validate <strong>Bicep\/ARM<\/strong> with template validation and \u201cwhat-if\u201d previews, and validate <strong>CloudFormation<\/strong> with linting\/guardrails in CI. And for Azure, <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/governance\/policy\/overview\">Azure Policy<\/a> acts as the final enforcement layer thus denying or auditing non-compliant resources at deployment time.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/3layersenforcements.webp\"><img decoding=\"async\" class=\"aligncenter size-large wp-image-1887\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/3layersenforcements-1024x531.webp\" alt=\"3layersenforcements image\" width=\"1024\" height=\"531\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/3layersenforcements-1024x531.webp 1024w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/3layersenforcements-300x156.webp 300w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/3layersenforcements-768x398.webp 768w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/3layersenforcements.webp 1300w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<h3>Speed with Modern Providers<\/h3>\n<p>AI agents can read the live API spec and generate resources using day-zero features\u2014without waiting for a module update. Moreover, mapping between specs and existing resources makes importing previously provisioned infrastructure far easier. In effect, your &#8220;golden module&#8221; becomes a well-structured prompt referencing the live API spec.<\/p>\n<h3>Compliance Built into the Workflow<\/h3>\n<p>GitHub&#8217;s platform becomes the new control plane, with compliance enforced at multiple layers:<\/p>\n<ul>\n<li><strong>Context layer<\/strong>: Copilot Spaces let you curate what the AI knows\u2014your architecture docs, approved patterns, and security policies. The AI reads your standards; it doesn&#8217;t guess them.<\/li>\n<li><strong>Instruction layer<\/strong>: Repository and organization-level custom instructions encode guardrails in natural language\u2014for example, &#8220;Always use azapi for Azure resources&#8221; or &#8220;Tag all resources with cost centre.&#8221; These instructions version alongside your code, so when standards evolve, instructions evolve with them in the same PR.<\/li>\n<li><strong>Agent layer<\/strong>: Copilot Custom Agents bundle your instructions, skills, and context into a coherent, domain-specific agent. Skills package reusable capabilities\u2014like checking your CMDB or validating naming conventions\u2014that any agent can invoke.<\/li>\n<li><strong>Validation layer<\/strong>: GitHub Actions and organization rulesets act as the backstop. Microsoft Defender for DevOps integrates directly into CI\/CD, running IaC security scanners (such as Checkov) across Terraform, Bicep\/ARM, and CloudFormation. Non-compliant code is blocked before merge.<\/li>\n<li><strong>Cloud enforcement layer<\/strong>: Even after merge, Azure Policy provides runtime governance\u2014denying non-compliant deployments, auditing resources, and remediating drift at the control plane.<\/li>\n<\/ul>\n<h3><span class=\"token token title\"> Code-to-Cloud Security with Defender for Cloud<\/span><\/h3>\n<p>Microsoft Defender for Cloud connects everything\u2014from GitHub repos and IaC scan results to deployed resources and runtime posture. With Defender for DevOps, you get IaC scan results surfaced in a single dashboard, code-to-cloud mapping that shows which repo produced which cloud resource, and PR annotations with security findings directly in GitHub.<\/p>\n<p>As a result, when Defender for Cloud detects a misconfiguration in your deployed resources, it traces back to the exact line of IaC that caused it. The &#8220;which repo deployed this?&#8221; detective work disappears.<\/p>\n<p><span data-teams=\"true\">\u00a0In short, compliance isn\u2019t a gate you pass through. It\u2019s inherent in the process<\/span><\/p>\n<h2>Beyond Provisioning: AI in Operations<\/h2>\n<p>The story doesn&#8217;t stop at provisioning. <a href=\"https:\/\/azure.microsoft.com\/en-us\/products\/sre-agent\">Azure SRE Agent<\/a> extends AI into day-2 operations\u2014incident detection, root cause analysis, and remediation suggestions. Like your infra agent, it consumes your runbooks, architecture context, and escalation policies. It doesn&#8217;t replace your SRE team; instead, it gives them leverage.<\/p>\n<p>This completes the loop: AI generates compliant infrastructure, Defender for Cloud monitors from code to cloud, Azure Policy enforces at runtime, AI helps operate it, and humans remain in control of the decisions that matter.<\/p>\n<h2>What AI Enables That Modules Never Could<\/h2>\n<p>Modules were a solid abstraction\u2014but they were static. AI unlocks capabilities that module registries simply can&#8217;t match:<\/p>\n<ul>\n<li><strong>API fidelity<\/strong>: Generates against current specs, not last year&#8217;s abstraction, and validates at plan time.<\/li>\n<li><strong>Compliance at multiple layers<\/strong>: Across generation, static analysis, plan, deploy, and runtime\u2014with Defender for Cloud providing end-to-end visibility.<\/li>\n<li><strong>Living documentation<\/strong>: Explanations, diagrams, and dependency graphs on demand, instead of stale READMEs.<\/li>\n<li><strong>Simulation<\/strong>: Teams can test infrastructure changes against policy before committing a single line.<\/li>\n<\/ul>\n<h2>The New Artifacts<\/h2>\n<p>The module registry isn&#8217;t dead\u2014but it&#8217;s no longer the center of gravity. The new artifact is the agent:<\/p>\n<ul>\n<li><strong>Repo-level agents<\/strong> understand a specific codebase (patterns, dependencies, deployment targets) and generate infrastructure that fits.<\/li>\n<li><strong>Org-level agents<\/strong> encode enterprise-wide standards\u2014security baselines, naming conventions, network topology\u2014so every repo-level agent inherits consistent guardrails by default.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/overview.webp\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-1898\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/overview.webp\" alt=\"overview image\" width=\"650\" height=\"304\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/overview.webp 650w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/overview-300x140.webp 300w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><\/a><\/p>\n<p>Policies, context documents, and examples become <em>inputs<\/em> the agent consumes. The agent itself is what the platform team produces\u2014versioned, tested, and deployed like any other software. Furthermore, the maintenance burden shifts from &#8220;update 50 modules&#8221; to &#8220;update the agent&#8217;s context.&#8221;<\/p>\n<h2>What&#8217;s the Platform Team&#8217;s Job Now?<\/h2>\n<p>Here&#8217;s a practical starting stack:<\/p>\n<ol>\n<li><strong>Write instructions and context.<\/strong> Create your <code>.github\/copilot-instructions.md<\/code> with baseline rules. Add architecture decision records, reference implementations, and approved patterns to a Copilot Space. This is the foundation\u2014the AI reads it before generating anything.<\/li>\n<li><strong>Build reusable skills.<\/strong> Decompose your agent&#8217;s work into discrete skills: check your CMDB for environment metadata, validate naming conventions, look up cost centre codes, check for breaking changes. Skills are\u00a0callable from any chat or agent.<\/li>\n<li><strong>Create custom agents.<\/strong> Bundle instructions, skills, and context into a coherent agent. Users invoke it with <code>@your-infra-agent<\/code> in Copilot Chat. It knows your patterns and has access to your systems.<\/li>\n<li><strong>Let the Coding Agent execute.<\/strong> Once configured, Copilot Coding Agent works autonomously\u2014reading your instructions, invoking skills, generating IaC, opening PRs, and iterating on review feedback.<\/li>\n<\/ol>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-1897\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/finalstate.webp\" alt=\"finalstate image\" width=\"653\" height=\"369\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/finalstate.webp 653w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/finalstate-300x170.webp 300w\" sizes=\"(max-width: 653px) 100vw, 653px\" \/><\/p>\n<p>The platform team&#8217;s deliverable is no longer &#8220;here&#8217;s a module, good luck with the 47 variables.&#8221; It&#8217;s &#8220;here&#8217;s an agent that knows our entire infrastructure context and generates compliant code on demand.&#8221;<\/p>\n<p>In the end, the user experience would be something like this:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/agent-screenshot.webp\"><img decoding=\"async\" class=\"aligncenter size-large wp-image-1906\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/agent-screenshot-1024x819.webp\" alt=\"agent screenshot image\" width=\"1024\" height=\"819\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/agent-screenshot-1024x819.webp 1024w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/agent-screenshot-300x240.webp 300w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/agent-screenshot-768x614.webp 768w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/agent-screenshot-1536x1228.webp 1536w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/agent-screenshot.webp 1928w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>If AI can generate compliant infrastructure on demand, the platform team&#8217;s job shifts\u2014from writing IaC to shipping guardrails, patterns, and agents.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/roleshift.webp\"><img decoding=\"async\" class=\"aligncenter size-large wp-image-1883\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/roleshift-1024x421.webp\" alt=\"role shift image\" width=\"1024\" height=\"421\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/roleshift-1024x421.webp 1024w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/roleshift-300x123.webp 300w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/roleshift-768x316.webp 768w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2026\/03\/roleshift.webp 1338w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<h2>What&#8217;s Next<\/h2>\n<p>This is the first in a series where we&#8217;ll go deeper with hands-on demos, videos, and code:<\/p>\n<ul>\n<li>Creating Copilot Skills that expose your internal systems.<\/li>\n<li>Setting up file-based instructions and Spaces for infrastructure context.<\/li>\n<li>Using provider\/API-first approaches for day-zero feature coverage across Terraform, Bicep\/ARM.<\/li>\n<li>IaC security scanning with Defender for DevOps, Template Analyzer.<\/li>\n<li>Policy-as-code workflows with OPA and Azure Policy.<\/li>\n<li>Code-to-cloud security posture with Microsoft Defender for Cloud.<\/li>\n<li>Azure SRE Agent in action for day-2 operations.<\/li>\n<\/ul>\n<p>If you want to follow along, subscribe or connect with us on LinkedIn. We&#8217;d love to hear your thoughts\u2014<\/p>\n<ul>\n<li>Are you still maintaining module registries?<\/li>\n<li>Have you started experimenting with AI-generated infrastructure?<\/li>\n<li>What&#8217;s working, what&#8217;s not?<\/li>\n<\/ul>\n<p>Try it out today, the repo with early implementation is now live at <a href=\"https:\/\/github.com\/Azure\/git-ape\">https:\/\/github.com\/Azure\/git-ape\u00a0<\/a><\/p>\n<p><iframe width=\"560\" height=\"315\" src=\"https:\/\/www.youtube-nocookie.com\/embed\/Td6rv_RGArQ?si=pylav7fwaHMM5osc\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<p><em><a href=\"https:\/\/www.linkedin.com\/in\/arnaudlheureux\/\">Arnaud Lheureux<\/a>\u00a0is Chief Developer Advisor at Microsoft for Asia, focused on helping enterprise teams adopt modern developer platforms. Views are his own.<\/em><\/p>\n<p><em><a href=\"https:\/\/www.linkedin.com\/in\/david-wright-57336a4\/\">David Wright<\/a> is a Partner Solution Architect at Microsoft, focused on helping ISVs build modern SaaS and AI agents on Azure. Views are his own.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>For the last decade, platform engineering has relied on explicit API interaction layers: CLIs, SDKs, pipelines, wrappers, and UI workflows that translate human intent into machine\u2011safe API calls. AI agents are now short\u2011circuiting much of that stack. By combining natural language understanding, reasoning, and direct access to API specifications and control schemas, agents can convert [&hellip;]<\/p>\n","protected":false},"author":172645,"featured_media":1906,"comment_status":"open","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[112,35,1,105,19,90,109,89],"tags":[114,118,115,117,22,116,113],"class_list":["post-1861","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-agentic-devops","category-agents","category-azure","category-defender","category-github-copilot","category-operations","category-platform-engineering","category-thought-leadership","tag-arm","tag-azure-policy","tag-bicep","tag-devops","tag-github-copilot","tag-platform-engineering","tag-terraform"],"acf":[],"blog_post_summary":"<p>For the last decade, platform engineering has relied on explicit API interaction layers: CLIs, SDKs, pipelines, wrappers, and UI workflows that translate human intent into machine\u2011safe API calls. AI agents are now short\u2011circuiting much of that stack. By combining natural language understanding, reasoning, and direct access to API specifications and control schemas, agents can convert [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/posts\/1861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/users\/172645"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/comments?post=1861"}],"version-history":[{"count":2,"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/posts\/1861\/revisions"}],"predecessor-version":[{"id":2140,"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/posts\/1861\/revisions\/2140"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/media\/1906"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/media?parent=1861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/categories?post=1861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/tags?post=1861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}