If you really want to prevent drift at all you should start using deployment stacks. Using stacks you will be able to prevent any changes happening outside of the deployment stack. Currently what-if is not very reliable as it produces what-if noise on many of the resources. From the Bicep community calls we have learned that improvement to what-if is planned but that improvement will be only when using deployment stacks. So even if you do not use the deny option of deployment stacks I will suggest to start using it now as when the what-if improvements are introduced you will be ready to take advantage of it. You can still do what-if validation now but overall you will have to review the changes somehow manually due to the amount of noise. For example, you can have pipelines with two stages. One stage runs only what-if. You validate the results. Based on the validation you decide to run the second stage where the actual deployment will be done.