If you are an SRE or MLOps engineer who has ever run a multi-tenant GPU cluster and considered handing incident remediation to an LLM agent to reduce on-call burden, you have probably already bumped into the question this paper asks. Should the agent decide and act on its own, or should it call a human? Instead of drawing that line from intuition or a team meeting’s gut sense, this research formalizes risk by incident type and actually computes the threshold that minimizes recovery time while staying under a safety ceiling. For organizations running GPU workloads with Kueue queuing and Kyverno admission policies, the methodology here is immediately worth a look.

Neither Full Autonomy nor Total Avoidance Is the Answer

When a scheduler setting drifts, a persistent volume stalls, or a node comes under memory pressure, the training or inference workload running on top of it grinds to a halt, and an on-call engineer ends up racing against the clock to diagnose and fix it. Two costs collide here. One is mean time to recovery (MTTR): every moment a GPU workload sits idle is wasted capacity and a broken service-level objective. The other is on-call burden: paging a human every time for a mechanically reversible, simple problem is not just slow, it burns out operators. This is why the idea of letting an LLM agent observe telemetry and control-plane APIs, then decide and act in a closed loop with no human in it, sounds so appealing.

The trouble is that the risk grows right alongside the appeal. An agent that autonomously remediates everything will eventually make an irreversible mistake, whether that means restoring a volume from a stale snapshot and wiping real data, or preempting another tenant’s live GPU job to free up capacity. An agent that escalates everything to a human, on the other hand, is safe but recovers nothing on its own, defeating the point of automating in the first place. The paper’s benchmark makes the cost of both extremes stark. An “always escalate” policy had a 0% catastrophic-neglect rate but also exactly 0% MTTR improvement, while an “always autonomous” policy cut MTTR by 96.7% but misfired autonomous remediation on 100% of the genuinely dangerous incidents. The question worth asking is not whether to automate, but where and how to draw a defensible boundary between autonomous action and escalation.

Calculating the Boundary with a Risk Formula and 176 Incidents

The researchers work through this boundary across four incident types: out-of-memory (OOM), persistent volume claim (PVC) failures, node pressure, and scheduler starvation. It is a framework that extends the “use the compiler as a reward signal” idea from loop-engineering in code generation into infrastructure operations. Where a compiler or test suite objectively judges success in code, the diagnostic signal you get from kubectl plays that role in infrastructure remediation. But just as with a code test suite, this signal is not a perfect yardstick, and the paper is explicit throughout that a green diagnostic signal does not guarantee the remediation was actually safe.

Because attaching agents to a real live cluster introduces too many uncontrollable variables, the researchers instead crossed 22 Kueue and Kyverno YAML manifests pulled from a real organization’s GitOps repository against 8 remediation action classes, producing 176 incident events. The ground-truth risk/safe label for each event came from an explicit rubric based on whether the action was reversible, whether it caused data loss, and whether it crossed tenant boundaries. Instead of a deployed agent’s actual confidence score, they built a transparent risk formula that combines three weighted factors: a base risk level derived from how reversible the action class is, a structural blast-radius metric normalized by YAML line count, and whether the action is a cluster-wide Kyverno admission policy. The paper repeatedly emphasizes that this formula is a human-designed proxy metric, not a learned model.

With this risk score, the decision rule is simple: autonomous remediation below the threshold, human escalation above it. The researchers swept the threshold while enforcing a safety ceiling that caps catastrophic neglect at 2% or below. The resulting global optimal threshold (tau = 0.325) reduced MTTR by 41.7% with zero catastrophic neglect, a point that dominates both the always-escalate and always-autonomous extremes.

MTTR-vs-Safety Pareto Frontier Once the threshold tau crosses 0.35, the catastrophic-neglect rate (solid line) climbs sharply, while the unnecessary-escalation rate (dotted line) keeps falling. At the global optimum marked by the triangle (tau = 0.325), MTTR falls 41.7% with zero catastrophic neglect. Measured on a local benchmark (176 synthetic incident events) on the AI Platform Demo cluster, assuming a 40-second autonomous remediation delay and a 1200-second escalation delay.

The Real Finding: Thresholds Must Be Set Per Incident Type

The paper’s central finding goes a step further. Because blast radius and tenant exposure differ sharply by incident type, a single global threshold cannot capture that variation. Holding the same 2% safety ceiling but computing an optimal threshold separately for each of the four types produced markedly different results: node pressure needed a conservative tau = 0.30 (28.6% improvement), PVC failures tau = 0.35 (43.9% improvement), scheduler starvation tau = 0.45 (39.5% improvement), and OOM a far more permissive tau = 0.475 (96.7% improvement). Averaging the improvement across the four types gives 52.2%, about 10.4 percentage points higher than the 41.7% achieved by applying a single global threshold uniformly. Splitting thresholds by incident type, while keeping the same safety ceiling, buys that much extra autonomy for free.

Per-Incident-Type MTTR Reduction Under 2% Safety Ceiling Calibrating thresholds separately per incident type yields an average MTTR improvement of 52.2%, beating the 41.7% from a single global threshold, because blast radius and tenant exposure differ by type. Measured on the same local benchmark; OOM had no risky-labeled actions in this rubric, which let it use an unusually permissive threshold (tau = 0.475).

The reason for this gap is clear. A global threshold has to be conservative enough to keep even the riskiest types (node pressure, or scheduler and PVC actions that cross tenant boundaries) within the safety ceiling, and the milder types that could safely have run far more autonomously end up paying that price too. Per-type calibration decouples them. Practically speaking, this suggests that instead of exposing a single global “risk tolerance” dial, an autonomous operations platform should set separate escalation thresholds tuned to each incident class’s reversibility and tenant-boundary profile.

What This Leaves for the Company and the Community

This result gives ThakiCloud an immediately usable, empirically grounded framework for autonomy boundaries as we work to automate Kueue and Kubernetes based GPU incident response. It lets us build MTTR and on-call-burden reduction plans on evidence rather than gut feel. More broadly, it offers a safety-boundary design and escalation-policy methodology that other organizations pursuing unattended infrastructure operations can reuse. The same structure applies to any multi-tenant control plane that mixes reversible and irreversible actions, whether that is a database moving between schema migrations and simple row edits, a network switching between routing changes and device resets, or storage handling snapshot restores, not just GPU clusters. Academically, the contribution is a clear extension of the “compiler as reward signal” loop-engineering idea from code generation into infrastructure remediation, along with a new measurement methodology for quantifying the autonomy-safety trade-off per incident type.

The Limitations Must Be Stated Clearly

There is a premise you need to keep in mind when reading these results. The researchers did not deploy an LLM agent on a real live cluster. The 22 YAML manifests are genuine resources pulled from a real GitOps repository, but the 176 incident events and their outcomes are constructed, not observed from actual production logs. The risk formula, too, is a transparent human-designed proxy rather than a learned model, and there is no guarantee it reproduces a real deployed agent’s actual confidence. The latency assumptions (40 seconds for autonomous remediation, 1200 seconds for escalation) are not values measured from real incident logs either; they are estimates drawn from typical controller reconciliation times and on-call service-level objectives. Even the 2% safety ceiling is not a value derived from data but a policy choice reflecting a conservative stance toward irreversible actions.

It is also worth noting that the OOM type is largely what pulls the 52.2% average improvement up. That result stems from both OOM actions in this rubric being classified as safe, and the paper itself notes that this number could change if actions such as force-killing another tenant’s pod were folded into OOM response. So this research should be read as validating the threshold-calibration methodology itself, not as measuring the performance of any specific deployed agent. What remains for future work is replacing the risk formula with a real agent’s verification-loop signal and validating against actual incident logs, plus layering on conformal risk control to lift the empirical safety guarantee into a distribution-free guarantee.

Details on the paper are available here: https://huggingface.co/datasets/thaki-AI/daily-paper-2026-07-16-safe-autonomy-k8s-remediation