Rule #1: Enforce MFA everywhere, except for CI service accounts. Humans must rotate passwords every 30 days. Meanwhile, your CI pipeline logs in as root using an unencrypted secret last updated five years ago.

Rule #2: Don’t give developers prod access. They can’t SSH into production. But their YAML files on their CIs can still delete all your VMs. That’…