If you’re assessing an AIOps, observability, or AI-for-infrastructure tool — or deciding whether to let one act on its own — this is the test that matters. Not how much it ingests, or how cleanly it correlates, but whether it can judge legitimacy before an action executes. Most can’t. Here’s how to find out, and what to do about it.
You connected every source — logs, metrics, traces, flows, a dozen tools’ alerts — the correlation works, the dashboards compress thousands of alerts into dozens, and yet the program never delivered what was promised.
It isn’t a tuning problem, and the next model won’t fix it. AIOps reasons over telemetry — a record of what happened. It has no record of what was intended, because no tool in the estate holds that. So it can tell you a behavior is statistically unusual; it cannot tell you whether that behavior is wrong. Those are different questions, and the gap between them is where the noise, the false positives, and the hesitation to automate all come from.
Correlation reduces the volume of alerts. It does not reduce the uncertainty about which ones are legitimate.
Each of the five questions targets the line between observation and authority. A tool can be excellent and still answer “no” to all five — that’s not a defect, it’s the category boundary. The point is to know which side of it your tool is on before you rely on it.
A spike in east-west traffic may be a legitimate new dependency or a policy violation. If the tool can only flag it as anomalous — not as conforming or non-conforming to declared intent — it is measuring deviation from a baseline, not from what was authorized.
Trace it back. If “correct” is a statistical baseline learned from observed behavior, the tool can only tell you what is typical. Authority requires a declared reference — intent a human ratified — that the tool checks against, not one it inferred from the data.
If the dependency graph is reconstructed from observed traffic, causal reasoning inherits the guess — you get a ranked list of suspects, not a determination. Root cause becomes provable only when the dependency and ownership model is declared, not inferred.
This is the decisive one for autonomy. An agent that can remediate is only safe if something can determine, before execution, that the remediation is legitimate — and block it if not. If the tool’s authority to act is the same system as its ability to act, nothing independent is gating it.
Connecting more systems compresses volume — ten thousand alerts become fifty. But if all fifty are still “things that happened” and none is established as “a thing that should not have,” aggregation changed the count, not the question. Intent does not emerge from connecting enough sources.
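The distinction the questions above draw, between deviation from a learned baseline and conformance to declared intent, with a gate that runs before a remediation executes, is sketched here as an added example. It is not code from the original page or from any product; the flow names, counts, intent table, and threshold are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed declared intent: flows a human ratified, keyed by (src, dst, port).
DECLARED_INTENT = {
    ("web", "api", 443): "team-web",
    ("api", "db", 5432): "team-data",
    ("api", "cache", 6379): "team-data",  # newly ratified dependency
}

# Constructed telemetry: hourly connection counts per observed flow.
HISTORY = {
    ("web", "api", 443): [100, 104, 98, 101, 99],
    ("api", "db", 5432): [50, 52, 49, 51, 50],
    ("batch", "db", 5432): [20, 21, 19, 20, 20],  # long-standing, never declared
    ("api", "cache", 6379): [0, 0, 0, 0, 0],
}

def is_anomalous(flow, current, threshold=3.0):
    """Baseline view: is the current count far from what is typical?"""
    series = HISTORY.get(flow, [0])
    mu, sigma = mean(series), pstdev(series)
    return abs(current - mu) > threshold * max(sigma, 1.0)

def conforms(flow):
    """Intent view: was this flow declared and ratified?"""
    return flow in DECLARED_INTENT

def classify(flow, current):
    # The two answers are independent; neither can be derived from the other.
    return {"anomalous": is_anomalous(flow, current), "conforms": conforms(flow)}

def gate(action):
    """Pre-execution check, kept separate from the agent proposing the action."""
    verb, flow = action
    if verb == "block" and conforms(flow):
        return "deny"    # would cut a ratified dependency
    if verb == "allow" and not conforms(flow):
        return "deny"    # would open an undeclared path
    return "permit"
```

The new cache dependency is anomalous yet conforming, while the undeclared batch flow is perfectly typical yet non-conforming, so a baseline alone ranks them the wrong way round.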
If your tool answers “no” to most of these, it isn’t failing — it’s doing exactly what its category was built to do: observe, correlate, and surface. The work it can’t do is supply authority: a declared, ratified account of what infrastructure is intended to do, reconciled against what it’s actually doing, that can judge an action legitimate before it runs. That is a different layer, and it is the one AIOps has always been missing.
The encouraging part: AIOps doesn’t need to be replaced. Grounded on an authority layer it consumes, the same platform changes character — correlation becomes intent-relative, noise collapses to genuine deviation, and root cause becomes deterministic. The intelligence was never the problem. The ground truth was.
Aggregation is not intent. Description is not authority.
The full argument — why telemetry can’t carry intent, how networking already solved this with intent-based networking, and what AIOps becomes once it consumes an authority layer — is in the whitepaper.
Vendor-neutral. The authority layer is defined by an open standard — not a product.