Skip to content
DERKONLINE
Infrastructure

Give Autonomous Fixes Guardrails Before They Touch Production

Approval gates, dry-runs, and blast-radius limits that let an AI act on your servers without turning automation into the outage.

Derrick S. K. Siawor8 min read
A server rack full of equipment with cables and status lights in a dim room
Photo · Kevin Ache / Unsplash

The pitch for self-healing infrastructure is intoxicating. An AI watches your systems, notices a problem at 3am, and fixes it before you wake up, while you sleep through what would have been an outage. The reductions teams report are real: combining anomaly detection with automated remediation can cut mean time to recovery by large margins and shrink downtime substantially. The problem is the other version of the same story, the one where the AI notices a problem at 3am, decides the fix is to restart a service, gets the diagnosis wrong, and takes down something that was actually healthy, turning a minor blip into a real outage that you now wake up to. Both stories use the same technology. The difference is entirely in the guardrails.

An autonomous system that can touch production is a system that can break production, and the question is never whether to let AI act on your infrastructure but how to bound what it is allowed to do so that a wrong decision is recoverable instead of catastrophic. Get the guardrails right and you get the version where you sleep through the fix. Get them wrong and you get the version where the automation is the incident. The good news is that the right guardrails are well understood, and they all serve one principle: act fast where risk is low, and require a human where the consequences are high.

The guardrails that make autonomy safe

A safe self-healing system is not one that acts boldly. It is one that acts within limits designed so that no single action can do unbounded damage. The established set of controls is specific.

  • Blast-radius limits. Bound how much any single remediation can affect. An action permitted to restart one instance is very different from one permitted to restart a fleet. Cap the scope so a mistake stays small by construction, not by luck.
  • Dry-run mode. Before an action runs for real, simulate it and show what it would do. A dry run that reveals the AI was about to restart the wrong service catches the error before it happens, at zero cost.
  • Approval gates for high-consequence actions. Low-risk, reversible fixes can run automatically. Anything that is irreversible or materially affects production, a failover, an infrastructure change, a destructive operation, passes through human review and an auditable approval before it executes.
  • Rate limits and change windows. Cap how many actions the system takes in a span of time, and restrict risky changes to safe windows. A system flailing through twenty remediations a minute is a system making the problem worse; a rate limit forces it to slow down and surface the situation to a human.
  • Canary remediation. Apply a fix to a small slice first, watch whether it actually helps, and only then roll it wider. If the canary gets worse, you stop before the fix touches everything.
  • Automatic rollback. Every action has a defined way to undo it, and the system reverts automatically if the remediation does not produce the expected improvement. This is the autonomous cousin of a deploy script that rolls itself back when health checks fail. An action you cannot roll back is an action that should require approval, full stop.

These controls share a logic. Each one ensures that when the AI is wrong, and it will sometimes be wrong, the wrongness is contained, reversible, and visible, rather than silent, irreversible, and total.

Govern before you automate

The mistake teams make is granting autonomy first and adding guardrails after the first scare. The correct order is the reverse: the governance has to exist before the agent is allowed to take any action in production. That means the agent has a clear identity so every action is attributable, blast-radius limits are enforced, rollback infrastructure actually works, policy is defined as code so the rules are explicit and testable, audit logging that survives an incident captures everything, and cost guardrails prevent a runaway loop from spending you into a hole. When you do hand the pipeline itself over, you can do it and still sleep at night precisely because these controls are in place first. All of that is in place before the agent touches anything real.

Then you expand scope gradually, earned by evidence. An agent that can auto-implement changes in development should still require approval in staging and explicit engineering review in production, and that scope moves outward only as measured performance justifies it. You do not start by trusting the AI with production. You start by letting it act where mistakes are cheap, watch how it does, and widen its authority as the data shows it has earned it. Trust is built from results, not granted on faith.

The principle behind the controls: classify before you act

Underneath every one of these guardrails is a single idea. Before any action runs, the system has to know how dangerous that action is, because the whole policy of "act fast on low risk, require approval on high risk" depends on correctly sorting actions into those buckets. An autonomous system that cannot tell a safe read from a destructive write cannot be safely autonomous, because it has no basis for deciding what needs a human. The same classify-before-you-act discipline is what makes agent tool calls idempotent before they double-charge a customer: knowing an action's consequences is the prerequisite for letting it run unattended.

Self-healing remediation decision tree classifying low risk auto-fix versus high risk approval gate

This is exactly the principle we built into LadenX, the AI site-reliability engineer we built. Every command it considers is classified before anything runs, and it refuses destructive operations without a human signing off. The classification is also what lets it diagnose root cause rather than just restart the service, because knowing what an action does is inseparable from knowing whether it actually fixes the problem. That classification is not a feature bolted on the side; it is the foundation that makes autonomy safe, because it is what lets the system act instantly on the routine while stopping cold on the irreversible. It is the kind of system we build into the server administration we run for clients, so autonomy never outruns its guardrails. An AI that can read logs, diagnose a problem, and restart a stuck process on its own is enormously useful. The same AI deciding on its own to drop a database or wipe a volume is a disaster waiting for an excuse. The line between those is classification plus an approval gate, and it is not optional.

Why "it usually gets it right" is not enough

The seductive failure in this space is to look at an AI that diagnoses correctly 95 percent of the time and conclude it is safe to let it act unsupervised, because 95 percent sounds high. It is not high enough for unbounded action on production, because the 5 percent it gets wrong includes the cases where it confidently does the wrong destructive thing, and a single such action can erase far more value than the 95 percent of correct actions saved. The math of autonomy is not about the average case. It is about the worst case, and the guardrails exist precisely to make the worst case survivable.

This is why the framing of "act fast where risk is low, ask for approval where consequences are high" is the whole design, not a caveat. The AI does not need a human for the routine restart it has done correctly a thousand times. It absolutely needs one for the failover that, done wrong, takes you offline. Matching the level of human oversight to the consequence of the action is what lets you capture the speed of autonomy on the common case while keeping a human between the AI and the actions that could really hurt.

The version where you sleep through it

Built this way, self-healing infrastructure delivers the good story honestly. The AI watches your systems, catches the anomaly, dry-runs the fix, confirms it is a low-risk reversible action, applies it to a canary, sees the metrics recover, rolls it wider, and writes a span for every step so you can see exactly what the agent did when it goes off the rails. You wake up to a resolved incident and an audit trail explaining exactly what happened and why. The 3am outage became a 3am non-event, and no human had to be awake for it.

And on the night the AI is wrong, the same guardrails turn the catastrophe back into a non-event of a different kind. The dangerous action hits an approval gate and waits for a human instead of executing. The blast-radius limit keeps a bad call contained to one instance. The rollback reverts a remediation that did not help. You wake up to a notification asking for a decision, not to a smoking crater. That is the entire promise of self-healing infrastructure, and it is only real when the guardrails are real. Autonomy without bounds is not a faster operations team. It is an unsupervised actor with root access, and the cost of finding out the hard way is the outage the automation was supposed to prevent. Done right, this is the path to AI site reliability that cuts your on-call burden to near zero without trading away the safety that made it worth doing.

devopsaiautomationsreguardrails
All of the Journal

Related reading

InfrastructureBuild a Deploy That Rolls Back When Health Checks FailRead
AI & AutomationTeach an AI SRE to Diagnose Root Cause, Not RestartRead
InfrastructureHand Your Deploy Pipeline to an Agent and Still Sleep at NightRead

Where to next

More from the JournalEvery piece
What we doThe nine services
Start a projectDesign it live