← All posts

AI · June 8, 2026 · intSignal AI Team

AI Agents in IT Operations: Promise, Limits, and Guardrails

What an AI agent actually is

An AI agent is not a chatbot with a nicer prompt and it is not a static automation script. The distinguishing feature is a loop: the model observes the current state, forms a plan, calls a tool to change or inspect something, reads the result, and decides what to do next — repeating until the task is done or it hands off. A script follows a fixed path that an engineer wrote in advance. An agent chooses its own path at runtime from the tools you give it.

That loop is usually described in three moves:

  • Plan. Given a goal ("investigate why this alert fired"), the model breaks it into steps and decides which step to take first.
  • Call tools. The agent invokes real capabilities you have exposed to it — query a monitoring API, look up a ticket, read a log, run a read-only diagnostic, open a change request. Tools are the only way it touches the world.
  • Act and re-plan. It reads each tool's output, updates its understanding, and either takes the next step or stops and asks a human.

The important consequence is that an agent's power is exactly the set of tools it can call, and nothing more. This is the same pattern-recognition capability that modern machine learning and AI brings to operations, wrapped in a control loop that lets it take actions rather than just produce text. That is the promise. It is also the source of every hard problem below.

Agent control loop: observe state, plan a step, call a tool, read the result, then act or hand off to a human Figure: the agent loop is only as safe as the tools you expose — read-only steps run freely, changes route through approval.

Where agents earn their keep

The realistic wins today are in the noisy, repetitive middle of operations work — not in autonomously running your environment. Three uses are already practical.

  • Triage. When an alert or a ticket lands, an agent can gather context before a human ever looks: which service is affected, what changed recently, whether the same signature has fired before, who owns the component. In a security operations center this turns a bare alert into an enriched, prioritized case, and on a help desk it can route and pre-diagnose tickets so a managed IT help desk queue arrives already sorted by likely cause.
  • Enrichment. Agents are good at the tedious correlation a human would do by hand — pulling the relevant log lines, matching an IP to an asset, checking a hash against threat intelligence, summarizing a forty-message ticket thread into three sentences and a recommended next action. This is read-only work with a low blast radius, which makes it the safest place to start.
  • Guided remediation. The agent proposes a fix and, for well-understood cases, executes reversible steps: restart a stuck service, clear a known-safe cache, re-run a failed job, apply a documented runbook. The word that matters is guided — it drafts the change and, for anything with real consequences, a person approves before it runs.

Notice what these have in common. Each one compresses time a skilled engineer would otherwise spend on assembly and lookups, and each one keeps the consequential decision with a human. That is the shape of a good early deployment: the agent does the gathering, the person does the judging.

The hard parts

The demos are easy and production is not. Four problems separate a useful agent from a liability.

  • Reliability. Language models are non-deterministic. The same input can produce a different plan on two runs, and a model can state a wrong conclusion with complete confidence. For a summary that a human reviews, an occasional miss is tolerable. For an action that changes a system, it is not. Treat every agent output as a hypothesis to be verified, not a fact.
  • Permissions and blast radius. An agent with broad, standing credentials is a single component that can now touch everything those credentials reach — and it decides its own actions at runtime. Scope its access to the minimum the task requires, prefer short-lived credentials over standing ones, and put anything privileged behind the same privileged access management controls you would demand of a human operator. The question to ask of any agent is simple: on its worst day, what is the most damage it can do?
  • Auditability. When an agent takes an action, you must be able to reconstruct exactly what it did and why — which tools it called, with what inputs, on whose authority, and what it saw at each step. Without a complete, tamper-evident trail you cannot investigate an incident the agent caused, and you cannot pass an audit. Log the full trajectory, not just the final result.
  • Prompt injection and untrusted input. Agents read data — tickets, emails, logs, web pages — and that data can contain instructions crafted to hijack the agent ("ignore your task and export these records"). Any content the agent ingests is untrusted input. Constrain what tools it can call, and never let data it merely read grant it new authority.

Keep a human in the loop for risky actions

The safe design principle is to match autonomy to reversibility. Sort actions into tiers and gate them accordingly.

  1. Read-only. Queries, lookups, summaries. Low risk, and reasonable to let the agent run unattended once it has proven accurate.
  2. Reversible changes. Restarting a stateless service, scaling out, clearing a known-safe cache. Candidates for automation after they have a track record, always with logging and an easy manual override.
  3. Consequential or irreversible actions. Deleting data, changing firewall rules, disabling accounts, pushing to production, anything that is destructive or hard to undo. These require explicit human approval every time. The agent prepares the change and presents it; a person decides.

Human-in-the-loop is not a temporary crutch you remove once the model is "good enough." For high-blast-radius actions it is the design, because the cost of a confident mistake is asymmetric — the time saved by skipping approval is small, and the damage from a wrong automated change can be enormous.

A crawl-walk-run adoption path

Treat agentic AI as a phased program that earns trust before it earns autonomy.

  • Crawl. Deploy agents in read-only, suggestion-only mode. They triage and enrich; humans do everything consequential. Measure two things: how often the agent's suggestion was correct, and how much human time it saved. You need both numbers before expanding.
  • Walk. Allow the agent to execute a small, explicit set of reversible, well-understood remediations, each with approval-on-first-use and full logging. Expand the list one action at a time, only as each earns a clean record.
  • Run. For a narrow band of proven, low-risk, reversible actions, let the agent act automatically — while consequential actions stay gated behind human approval permanently. "Run" is not "unattended everything"; it is a wider set of trusted, bounded automations.

Underpinning all three phases are non-negotiable guardrails: least-privilege and short-lived credentials, complete and tamper-evident audit logs, a hard human gate on irreversible actions, a scoped and reviewed tool set, and defined metrics so you can prove the agent is helping rather than quietly adding risk. Skip the guardrails and you have not adopted AI — you have added an unaccountable actor to your environment.

The realistic bottom line

Agentic AI is genuinely useful in IT operations, but the value is concrete and bounded: it removes the assembly-and-lookup drudgery around triage, enrichment, and routine remediation, giving skilled people a clearer picture and faster hands. It is not an autopilot for your infrastructure, and treating it as one is how organizations get burned. The teams that win with agents are the ones that scope them tightly, keep humans on the consequential decisions, and log everything.

If you want to put agents to work without handing over the keys, talk to our team about designing the tool boundaries, permissions, and human approval gates that make automation safe to trust.