The first time I let an agent run terraform apply against a customer subscription, I learned something useful. It should never be allowed to do that.

An agent that can apply Terraform is a liability. An agent that can prove drift, write the PR, run the plan, and stop before apply is useful.

This session shows where that line lives in practice. I run an agent against a real tenant. The agent reads Azure state via Azure Resource Graph. It compares the live state against the IaC repo and detects drift. It writes a PR with the proposed fix. It runs terraform plan against the PR branch. It posts the plan output as a PR comment. It stops there.

Apply is a human decision. The session shows why that boundary matters, and where every shortcut around it has bitten me or someone I know.

The agent stack is public. agentic-alz for the orchestration, mcp-server-azure-architect for the Azure-aware tool surface, alz-graph-queries for the read-only ARG queries, azure-analyzer for the unified finding model. The session walks through how the agent decides what to look at, how it scopes a PR, and how it knows when to stop.

The hard part is not the agent. The hard part is the read-only contract. The session is honest about which Azure APIs are read-only by default, which look read-only but can mutate state, and how to guarantee the agent's identity has no apply path even if it tries.