Alert fatigue is one of the most documented problems in SRE, and one of the least solved. The standard advice — tune your thresholds, reduce noise, do alert review sprints — is correct and consistently insufficient. The reason: alert volume is a symptom, not the disease. The disease is that every alert, regardless of urgency, requires human attention to triage, diagnose, and remediate. When your human capacity is fixed and your alert volume grows with system complexity, fatigue is the inevitable outcome.
The architectural fix isn't better alert tuning. It's removing humans from the triage and diagnosis loop for the class of alerts they shouldn't be handling in the first place.
Here's the complete architecture for what I'd call the Modern AI SRE Stack — where teams are today and where this is heading.
The Alert Lifecycle (Before and After)
Before:
Alert fires
↓
PagerDuty pages on-call engineer
↓
Engineer wakes up, opens blog post
↓
Engineer manually gathers context (logs, metrics, recent deploys)
↓
Engineer diagnoses the problem (20-40 minutes)
↓
Engineer remediates or escalates
↓
Engineer writes incident summary
↓
Engineer goes back to sleep (or not)After (target state):
Alert fires
↓
AI triage agent evaluates severity and category
↓
├── Known, automatable → AI remediates, notifies human, done
├── Known, needs approval → AI diagnoses, proposes fix, human approves, done
└── Novel, needs human → AI pre-investigates, human wakes up with full contextThe goal isn't to eliminate humans. It's to make the human in the loop a decision-maker, not a data gatherer.
Layer 1: Intelligent Triage
Before any remediation, you need classification. Not all alerts are equal. An alert firing because a cron job didn't complete (known issue, auto-restart) is different from an alert firing because an unknown process is consuming memory on a production database (investigate immediately).
The triage agent sits between your alerting system and your on-call engineer:
# triage_agent.py
TRIAGE_PROMPT = """
You are an SRE triage agent. Your job is to classify incoming alerts and
determine the correct response path.
Given an alert, classify it as:
1. AUTO_REMEDIATE: Known issue type with a safe, tested automated fix
2. DIAGNOSE_FIRST: Needs investigation before action; human should see the
diagnosis before waking up
3. PAGE_NOW: Novel, high-severity, or ambiguous; wake the human immediately
with whatever context you can gather quickly
For AUTO_REMEDIATE, specify the exact remediation action.
For DIAGNOSE_FIRST, specify what investigation to run.
For PAGE_NOW, summarize what you know in 3 sentences.
Always include your confidence level (high/medium/low) and reasoning.
"""
async def triage_alert(alert: dict) -> TriageDecision:
# Enrich with context before classification
recent_alerts = get_similar_recent_alerts(alert, lookback_hours=24)
service_health = get_service_health_snapshot(alert['service'])
recent_deployments = get_recent_deployments(alert['service'], hours=4)
context = {
"alert": alert,
"similar_recent_alerts": recent_alerts,
"service_health": service_health,
"recent_deployments": recent_deployments
}
response = await claude.messages.create(
model="claude-haiku-4-5-20251001", # Fast/cheap for triage
max_tokens=1024,
system=TRIAGE_PROMPT,
messages=[{
"role": "user",
"content": f"Triage this alert: {json.dumps(context)}"
}]
)
return parse_triage_decision(response)Note: triage uses a fast, inexpensive model. Speed matters here — every second between alert firing and triage decision is latency in the response path.
Layer 2: Automated Remediation Playbooks
For alerts classified as AUTO_REMEDIATE, you need a library of safe, tested remediation actions. The critical design principle: every automated action must be reversible or have a documented rollback path.
REMEDIATION_REGISTRY = {
"pod_crashloop": {
"action": restart_pod,
"safety_check": lambda ctx: ctx['pod_restart_count_1h'] < 3,
"rollback": None, # Restart is inherently reversible
"cooldown_minutes": 5,
"notify_channel": "#sre-alerts"
},
"high_memory_service": {
"action": trigger_rolling_restart,
"safety_check": lambda ctx: ctx['traffic_level'] < 0.8, # Don't restart at peak
"rollback": None,
"cooldown_minutes": 30,
"notify_channel": "#sre-alerts"
},
"stuck_batch_job": {
"action": terminate_and_resubmit_job,
"safety_check": lambda ctx: ctx['job_idempotent'] == True,
"rollback": cancel_resubmitted_job,
"cooldown_minutes": 60,
"notify_channel": "#data-engineering"
},
"kinesis_throttling": {
"action": scale_kinesis_shards,
"safety_check": lambda ctx: ctx['current_shard_count'] < ctx['max_shard_limit'],
"rollback": scale_kinesis_shards, # Same function, fewer shards
"cooldown_minutes": 15,
"notify_channel": "#sre-alerts"
}
}
async def execute_remediation(alert: dict, action: str, triage_reasoning: str):
playbook = REMEDIATION_REGISTRY.get(action)
if not playbook:
raise ValueError(f"Unknown remediation action: {action}")
context = gather_action_context(alert)
# Safety check before executing
if not playbook['safety_check'](context):
# Safety check failed — escalate instead
await page_engineer(alert, reason="Safety check failed for auto-remediation")
return
# Execute with full audit trail
execution_id = generate_execution_id()
log_remediation_start(execution_id, alert, action, triage_reasoning)
try:
result = await playbook['action'](alert, context)
log_remediation_success(execution_id, result)
await notify_slack(playbook['notify_channel'],
f"Auto-remediated: {alert['description']}\n"
f"Action: {action}\n"
f"Reasoning: {triage_reasoning}\n"
f"Execution ID: {execution_id}")
except Exception as e:
log_remediation_failure(execution_id, e)
await page_engineer(alert, reason=f"Auto-remediation failed: {e}")Every automated action produces an execution ID and a Slack notification. The on-call engineer wakes up in the morning and can review what the system handled overnight. Transparency is essential for trust-building.
Layer 3: AI-Assisted Investigation
For alerts that need diagnosis before action, the investigation agent does the work the human would have done — and has it ready when the human engages.
The complete investigation architecture is covered in detail in my earlier post on building incident response agents, but the key output is a structured investigation report delivered to Slack before the engineer is paged:
🔍 INCIDENT INVESTIGATION — order-service latency spike (P95 >2s)
DIAGNOSIS (High Confidence):
The latency increase started at 14:23 UTC and correlates with a deployment
of order-service v2.4.1 at 14:20 UTC. The deployment changed the
database query for order retrieval — the new query is performing a full
table scan on large orders (>50 line items) due to a missing index.
EVIDENCE:
• P95 latency: 240ms → 2,100ms starting 14:23
• order-service v2.4.1 deployed at 14:20 (git: abc123)
• DB slow query log: SELECT * FROM order_items WHERE order_id=?
showing full scans for orders with >50 items (affecting ~3% of orders)
• Error rate: unchanged (latency issue, not error issue)
RECOMMENDED ACTIONS:
1. [FAST] Roll back to v2.4.0 to restore service — estimated 5 min
2. [PROPER FIX] Add index: CREATE INDEX idx_order_items_order_id
ON order_items(order_id) — coordinate with DB team for maintenance window
RISK FLAGS:
• Rollback is safe — no schema changes in v2.4.1
• 3% of active orders are affected (heavy orders with >50 items)
Investigated by: SRE-Agent | Investigation time: 2m 14s |
Tokens used: 8,240 | Confidence: HighThe engineer wakes up with a complete diagnosis. Their job is to evaluate the recommendation and approve the rollback — not to gather the data that produced it.
Layer 4: The Feedback Loop
The stack only gets better over time if you close the feedback loop. Every investigation needs a resolution recorded:
# After incident resolves, capture outcome
async def record_incident_outcome(
investigation_id: str,
actual_root_cause: str,
agent_diagnosis_correct: bool,
time_to_resolution_minutes: int,
human_notes: str
):
outcome = {
"investigation_id": investigation_id,
"agent_diagnosis": get_investigation_diagnosis(investigation_id),
"actual_root_cause": actual_root_cause,
"correct": agent_diagnosis_correct,
"ttd_minutes": time_to_resolution_minutes,
"notes": human_notes,
"timestamp": datetime.utcnow().isoformat()
}
# Store for analysis
store_outcome_to_s3(outcome)
# Update metrics
increment_metric("agent.diagnosis_total")
if agent_diagnosis_correct:
increment_metric("agent.diagnosis_correct")
# Feed back into agent training data
if not agent_diagnosis_correct:
flag_for_prompt_review(investigation_id, actual_root_cause)Monthly prompt review sessions where you go through the flagged incorrect diagnoses and update the system prompt are how the agent gets better. This is not optional work — it's the difference between an agent that improves and one that stagnates.
Current State of the Art
Where are most teams today?
Mature teams (top 10%): Full triage automation, partial remediation automation for well-understood failure modes, AI investigation for novel incidents. MTTR measured in minutes for auto-remediable incidents.
Most teams: AI investigation deployed (either DIY or via AWS DevOps Agent), human-in-the-loop for all remediation. MTTR improved for investigation phase, still human-dependent for execution.
Early teams: Traditional alerting + blog posts. AI tooling on the roadmap but not yet deployed.
The gap between these tiers is closing fast. The tooling matured significantly in 2024-2025, and the patterns are well-understood. The main barrier now is organizational trust — convincing the business that an autonomous agent taking action in production is acceptable — not technical capability.
Build that trust incrementally. Alert → AI diagnoses → human acts. Then AI diagnoses + proposes → human approves → AI acts. Then AI handles the well-understood cases autonomously while human handles the novel ones. Each stage extends trust by proving the previous stage worked.
The era of waking up at 3am to restart a pod is over for teams that want it to be.
*Zak Hassan is a Staff SRE specializing in AI-powered infrastructure automation and autonomous operations. Find him at zakhassan.com or on LinkedIn.*
Topic Paths