What’s Happening
Stacklet, the commercial company behind the open-source Cloud Custodian project, is doubling down on autonomous cloud governance at FinOps X 2026. The company is positioning its policy engine and expanding its agentic AI layer, branded Juno, to move customers from automated remediation toward genuinely autonomous cloud control. Stacklet is also adding broader coverage for AI-specific cloud resources, including Amazon Bedrock, Google Vertex, Azure Foundry, and Azure OpenAI, reflecting the reality that AI workloads are now the fastest-growing governance gap in enterprise cloud environments. A FinOps benchmarking initiative is in development and expected to follow a separate AI-focused announcement.
The Bigger Picture
Cloud Governance Has an AI-Scale Problem
The core thesis Stacklet is working from is straightforward and defensible: the problem of cloud governance is already moving at machine scale, and human-operated tooling cannot keep pace. This was true before the current wave of AI investment, but AI has sharpened the urgency considerably. When developers, data scientists, and knowledge workers can spin up Bedrock inference endpoints or Azure OpenAI deployments with minimal friction, the blast radius of a misconfiguration or cost anomaly grows faster than any operations team can manually track.
What makes Stacklet’s positioning credible is that it is not a new entrant rebranding for the AI moment. Cloud Custodian, the open-source engine underlying Stacklet’s commercial product, has been accumulating policy logic and enterprise context for over a decade. That accumulated context is what makes agentic governance actually tractable. An agent without prior context about what “normal” looks like for a given workload or organization is just automation with extra marketing. Stacklet’s argument is that its decade-plus of policy-driven remediation history is the data substrate that gives its agents meaningful blast-radius awareness.
The Juno agentic layer targets the trust gap that still limits autonomous governance adoption. Stacklet describes two specific trust mechanisms already in production: blast-radius thresholds that return control to a human when proposed changes exceed a defined impact scope, and dry-run capabilities that let an agent prepare a full change manifest for human or agent review before execution. These are not aspirational features. They are the kind of concrete safety-belt mechanisms that give IT decision-makers (ITDMs) a path from “we approve every change” to “we approve changes above a certain threshold” without requiring a leap of faith.
What This Means for ITDMs
The economics of AI cloud governance are getting harder to ignore. AI workloads are not governed by the same procurement discipline that covered traditional SaaS contracts or reserved-instance commitments. Token consumption scales with usage patterns that can shift dramatically within a single sprint cycle, and the teams consuming those tokens are often outside the traditional FinOps accountability loop. According to ECI Research, static budgeting practices falter in cloud environments where spending is metered by the minute rather than governed by annual procurement cycles. AI inference is the most extreme version of that dynamic the market has encountered so far.
Stacklet’s proposition for ITDMs is essentially a governance control plane that sits above the cloud providers themselves, applying uniform policy across heterogeneous AI and infrastructure resources without requiring a separate tool for each provider. For organizations running across AWS, Azure, and GCP simultaneously, that matters. ECI Research has found that the average enterprise now uses more than two public cloud platforms, with Kubernetes, Snowflake, and GenAI often coexisting across a patchwork of teams, workloads, and tools. A governance layer that only works for one provider is not a governance layer; it’s a compliance audit waiting to happen.
The specific capability that ITDMs should evaluate is the remediation-not-just-reporting distinction. A significant portion of the cloud governance tooling market produces findings. Stacklet’s differentiation is that its engine has always been oriented toward fixing and preventing, not surfacing. In an AI cost context, the difference between a tool that shows you an anomaly and one that can contain it autonomously is measurable in dollars per hour.
What This Means for Developers
For developers, the most relevant near-term capability in Stacklet’s announcement is the shift-left integration for AI-generated infrastructure code. When an AI coding assistant or agentic development workflow generates Terraform or Infrastructure as Code definitions, those artifacts need policy validation at the same point in the pipeline where human-authored code would be scanned. The challenge is that AI-generated IaC can be syntactically correct and operationally dangerous simultaneously. A human reviewer cannot be in every loop at the velocity modern AI-assisted development pipelines operate.
Stacklet’s approach is to apply Cloud Custodian policy checks at the IaC generation stage, catching misconfigurations before they reach a deployment pipeline. This is conceptually identical to the shift-left security patterns developers already accept as standard practice. ECI Research’s 2025 Application Development: Day 0 survey found that 83.8% of respondents use code scan tools during CI/CD processes. The logical extension of that practice is policy scanning for AI-generated infrastructure, and Stacklet is one of the few vendors with the open-source adoption and resource coverage to make that extension credible at enterprise scale.
The RBAC controls and asset inventory capabilities Stacklet references as foundational to its agentic trust model are also developer-relevant. When an autonomous agent is operating within a governed policy envelope, developers retain the ability to understand what changed, who authorized it, and what the downstream effects were. That auditability is what separates useful automation from automation that generates incident tickets.
Competitive Positioning
Stacklet’s competitive moat is genuinely unusual in this market. Open-source projects that generate enterprise commercial businesses typically face one of two failure modes: the community forks around the commercial layer, or the commercial product diverges far enough from the open-source version that the community advantage evaporates. Cloud Custodian at ten years old has neither problem, and the breadth of its resource coverage is a direct function of community contribution at a scale no proprietary alternative can replicate quickly.
The cloud providers themselves are the most obvious competitive threat, and Stacklet is explicit about positioning itself upstream of them. That framing is accurate insofar as a customer committed to Stacklet’s policy engine has a governance layer that travels across providers. The risk is that hyperscaler governance products continue to improve and reduce the cross-cloud governance deficit that creates Stacklet’s primary differentiation. For now, that deficit remains real and significant, particularly for organizations running AI workloads across multiple providers simultaneously.
What’s Next
The Benchmarking Gap Is the Next Battleground
Stacklet’s forthcoming FinOps benchmarking initiative deserves attention proportional to the gap it is targeting. The FinOps Foundation has established operational guidance and community standards, but quantitative benchmarks for AI cloud governance, specifically what “good” looks like for inference cost efficiency, token attribution, and autonomous remediation coverage, do not yet exist in any standardized form. Whoever publishes credible, defensible benchmarks in this space early will have a significant influence on how procurement conversations are framed for the next two to three years.
This is a strategic move, not just a marketing one. Benchmarks shape evaluation criteria. If Stacklet defines the measurement framework for AI FinOps governance maturity, competitors will be evaluated against Stacklet’s frame of reference by default.
Autonomous Governance Will Require a Maturity Model
The conversation around autonomous governance is real, but market adoption will be slower than vendor timelines suggest. The trust mechanisms Stacklet has built are necessary but not sufficient. What the market needs alongside those mechanisms is a clear maturity model that lets organizations understand which workloads are ready for autonomous remediation today, which require human-in-the-loop validation, and what the incremental steps look like. A blended maturity posture, where a single organization has workloads at different automation stages simultaneously, is the actual enterprise reality. Organizations that receive a clear, workload-level maturity framework will move faster than those asked to make an organizational commitment to autonomy as a binary decision.
Stacklet’s proof-of-work with existing customers who have already reached meaningful automation maturity is its most persuasive sales asset. The near-term opportunity is translating that customer evidence into a repeatable, documentable maturity path that the majority of the market, which is not yet at advanced automation, can act on.
