Company
Date Published
Author
Eran Bibi
Word count
699
Language
English
Hacker News points
None

Summary

Cloud security programs often overlook Infrastructure-as-Code (IaC) coverage, even though it can prevent security failures by addressing issues at their source rather than after they occur. Traditional security measures focus on compliance scores and penetration tests, which often miss root causes tied to how infrastructure is delivered. Many organizations assume they have high IaC coverage, yet research indicates they typically overestimate it by 30-40%, leaving a significant portion of their infrastructure unmanaged and vulnerable. Unmanaged infrastructure creates security blind spots because it bypasses controls such as CI/CD pipelines, static analysis, and policy validation. Firefly aims to address these challenges by tracking IaC coverage as a core security metric, helping teams identify unmanaged resources and bring them under governance. As a metric shared by security and cloud teams, IaC coverage facilitates faster remediation and aligns both teams on common security goals. As organizations accelerate development and the attack surface expands, measuring and improving IaC coverage becomes essential for proactive cloud security: preventing issues before deployment rather than merely responding to incidents.