
"IaC at provisioning" means (in practice) a webapp and an eternal root access token that does login over SSH for you behind the scenes.

That's strictly worse from a security point of view.

In an ideal world we would have private CAs and short-lived certificates that get bubbled through all the layers of the software stack. Going back to webapps and tokens is a step backwards.



That's a bad practice. I have better security experience from the infrastructure around IaC than SSH.

Because for IaC we used Gitlab, hidden by a Keycloak, or connected to an Azure AD, protected by an MFA VPN. And for provisioning we used containers, no SSH required there either.

The major revolution that allowed me to move away from SSH in server provisioning is container hosts, ignition (or cloud-init), and these days the cutting edge is bootc.
