Agentic AI · Day-2 Operations

Shipping the agent
was the easy part.

Agent operations is what happens after launch — the SLOs, the on-call rotation, the incident response loop, the runbooks, and the cost dashboards that keep a fleet of agents running reliably at 3 a.m. as well as it did in the demo.

overview SLIDE 01 — AGENT OPERATIONS Cover slide: Agent Operations
Quick answer

Agent operations (AgentOps) is the SRE-style discipline of keeping a fleet of production AI agents reliable after they've shipped — service-level objectives, on-call rotations, incident response, runbooks, and cost and capacity management, applied to systems that don't fail the way traditional software does. Detection has to rely on statistical anomaly detection rather than hard thresholds, since agent outputs vary by design. On-call itself is changing shape too: a tiered autonomy model lets agents handle a narrow, well-understood slice of incidents independently, while the judgment calls that don't match a known pattern still route to a human. Done well, the pattern that holds across teams is agents absorbing the boring eighty percent of on-call, and humans keeping the interesting twenty percent that actually needs judgment.

◷ T+0
scope SLIDE 02 — WHAT AGENT OPERATIONS ACTUALLY COVERS What agent operations covers: SLOs, on-call, incident response, cost management
Reliability isn't luck — it's engineering

Day-2 discipline for a fleet, not a demo

Deployment gets an agent version safely into production. Operations is everything that keeps it healthy after that — defined severities and on-call rotations, incident response with real runbooks, postmortems that produce lessons instead of blame, and cost and capacity models that don't get discovered for the first time when the monthly bill arrives.

Without service-level objectives, every agent change is a risk with unknown consequences — there's no way to balance reliability against the speed of shipping improvements. AgentOps exists to make that trade-off deliberate rather than accidental.

◷ T+0
SLOs SLIDE 03 — SLOs FOR SYSTEMS THAT VARY BY DESIGN Composite SLOs and statistical anomaly detection for agent reliability
A hard threshold assumes the wrong thing

Learn what normal looks like, then watch for drift

Traditional SRE thresholds assume a metric that's stable when healthy. Agent outputs vary by design even when everything is working correctly, which makes a fixed threshold either too noisy or too blind. The alternative is statistical anomaly detection: learn an agent's normal behavioral range, then alert when it drifts outside configurable bounds — not when a single output looks unusual on its own.

Composite SLOs combine multiple signals into one reliability target, since no single metric captures whether an agent fleet is actually healthy. Reliability, quality, speed, and cost all need their own target, tied together, not tracked as four disconnected dashboards.

◷ T+0
When something breaks

The five-phase incident response loop

A single bad prompt can cascade across thousands of runs before the first alert lands — the loop exists to contain that before it compounds further.

incident SLIDE 04 — DETECTION → CONTAINMENT → ERADICATION → RECOVERY → POSTMORTEM Five-phase incident response loop for agentic workflows
Every eradication action should be reversible

Roll it back, but keep the evidence

Roll back a broken prompt, but capture the broken version for the postmortem. Pin a model, but keep logging the failure on the version that was rolled back so the upgrade can be safely re-attempted. A team that eradicates by deleting evidence loses the lesson the incident was trying to teach.

01
Detection

Statistical signals flag drift before it's visible to a user.

02
Containment

Stop the bleeding — quarantine the failing component.

03
Eradication

Remove the cause reversibly, preserving evidence for later.

04
Recovery

Unpause in measured tranches, verifying between each one.

05
Postmortem

Find the real cause, not just the symptom that was visible.

◷ T+0
detection SLIDE 05 — THE SIGNALS THAT CATCH AGENT FAILURES Detection signals that catch agent-specific failures classical monitoring misses
Every minute of detection is an order of magnitude of cost

Watching for agent failures, not web failures

Classical-web monitoring instincts miss agent failures by design — cost can spike fifty-fold in an hour without a single traditional error rate moving. A fuller detection panel watches for agent decision drift against a baseline, human-escalation rate to the operator queue, tool selection entropy for a given workflow, and tenant-level outlier rates.

None of these signals exist without trace coverage at tool-call granularity and per-workflow cost attribution underneath them — the instrumentation layer detection depends on entirely.

◷ T+0
How much should the agent do alone

Autonomy is a property of the action, not the agent

The same agent can operate at a different autonomy level for different actions — cache invalidation, a service restart, and a database change don't deserve the same leash.

on-call agents SLIDE 06 — THREE-TIER AUTONOMY MODEL Three-tier autonomy model for AI agents in on-call incident response
On-call isn't going away — it's changing shape

Not replacing on-call, augmenting it

On-call isn't just running a runbook — it's noticing what isn't in the runbook and making a judgment call under pressure. Agents don't do that part well, and a realistic autonomy model doesn't ask them to. It reserves independent action for a narrow, pre-approved set of low-risk, high-frequency patterns.

Advisory

Suggests, human decides

Agent reads logs and matches the incident to a runbook signature, suggesting a remediation. A human decides whether to run it.

Approval-gated

Proposes, human confirms

Agent proposes a specific action — "roll back the last deploy?" — and shows exactly what will change. Waits for explicit human confirmation before acting.

Conditional autonomy

Acts, within a narrow scope

For a small set of pre-approved, low-risk patterns — restarting a crash-looped stateless service — the agent acts independently, expanding scope only as safety metrics prove out.

◷ T+0
runbooks SLIDE 07 — FROM WIKI PAGES TO MACHINE-READABLE PLAYS Converting static runbooks into structured, agent-readable playbooks
A dusty wiki is too slow for an incident

Structured plays an agent can actually execute

A static runbook page is fine for a human reading it at their own pace; an incident doesn't wait for that. The practical migration path starts small: pull the last few months of incidents, group them into recurring patterns, and convert the three to five highest-frequency, lowest-risk ones into structured steps an agent can dry-run before executing.

Wire those plays into the incident tool as an advisor first — showing the suggestion, letting a human execute manually — and only extend to one-click or automatic execution for the safest steps once the data shows the suggestions are reliably matching what the team would have done anyway.

◷ T+0
cost & capacity SLIDE 08 — QUOTAS, BUDGETS, AND COMPOUNDING FORECASTS Cost and capacity operations: quotas, budgets, and forecasting for agent fleets
Cost is an operational metric, not a finance surprise

Budget per agent, alert on the surge before the invoice

Set quotas and cost budgets per agent and per user, monitor token and dollar cost per task continuously, and tie the resulting dashboards directly to SLOs rather than reviewing them separately once a month. Alerting on a surge the moment it starts is what turns a runaway cost incident into a five-minute fix instead of a line item someone discovers weeks later.

Capacity planning compounds in the same way: agentic forecasting models ingest operational telemetry — incident frequency, vendor lead times, request seasonality — that classical forecasts typically ignore, and every quarter's outcome sharpens the next quarter's prediction.

◷ T+0
postmortem SLIDE 09 — POSTMORTEMS THAT FIND THE REAL CAUSE Postmortem discipline that avoids agent-blame and finds the real root cause
"The agent hallucinated" is a symptom, not a cause

Force the postmortem to look at the system

The single most common failure mode in an agent postmortem is writing "the agent hallucinated" as the root cause and closing the ticket. That sentence describes what happened, not why — the real cause is almost always a missing guardrail, an eval-coverage gap, a context-engineering bug, or a mismatch between a tool's schema and what the agent expected.

A working postmortem template forces that system view with explicit prompts at each section, rather than trusting the writer to remember to look past the obvious symptom on their own.

outcomes SLIDE 10 — THE BORING 80%, HANDLED Summary: agents handling the boring 80% of operations, humans keeping the interesting 20%
The result worth measuring

MTTR halved, without a different runbook

The pattern that holds across teams that do this well: incident-response augmentation roughly halves mean-time-to-resolution within a quarter of deployment, without changing the underlying severity matrix or escalation policy. The win comes entirely from removing the slowest human steps inside the existing runbook — reading logs, finding the right one, drafting the update — not from a fundamentally different process.

New roles emerge around this rather than fewer people: an Incident Commander who manages the human-agent boundary live during response, and a Capacity Analyst whose compounding forecasts become one of the most influential inputs into operational leadership decisions over time. The goal was never fewer humans in operations — it's better-used ones.

Frequently asked

Agent operations FAQ

Deployment gets a new agent version safely into production through staged rollout gates. Operations is everything that keeps it healthy after that point — SLOs, on-call, incident response, runbooks, postmortems, and cost and capacity management for the ongoing life of the system, not just the release moment.

Because agent outputs vary by design even when the system is working correctly, so a fixed threshold is either too noisy to be useful or too blind to catch a real problem. Statistical anomaly detection instead learns an agent's normal behavioral range and alerts on meaningful drift from that baseline, rather than comparing every output to a single static number.

Detection (statistical signals flag drift), containment (stop the failure from spreading), eradication (remove the cause reversibly, preserving evidence), recovery (unpause in measured, verified tranches rather than all at once), and postmortem (find the actual root cause, not just the visible symptom).

Only for a narrow, pre-approved set of low-risk, high-frequency actions, and autonomy should be scoped per action rather than per agent — the same agent might act independently on cache invalidation while requiring explicit human confirmation for a service restart and full manual review for anything touching a database.

Because it describes the symptom of the failure, not its cause. The actual root cause behind a hallucination is almost always something more specific and fixable — a missing guardrail, a gap in evaluation coverage, a context-engineering bug, or a mismatch between what a tool expected and what the agent sent it.

Teams that deploy agentic triage, log synthesis, and root-cause hypothesis generation commonly see mean-time-to-resolution cut roughly in half within a quarter — without changing the underlying severity matrix or escalation policy. The improvement comes from removing the slowest cognitive steps inside the existing runbook, not from a new process.

Get started

Ready to build your agent operations playbook?

Define composite SLOs before your next incident, convert your three highest-frequency runbooks into structured plays, and scope autonomy per action from day one.