Automation Fails When It Only Replaces Typing
Automation does not fail because engineers forgot to script enough commands; it fails because the script inherits the same ambiguous ownership, weak feedback, and hidden state that made the manual process fragile.
Situation
Most engineering organizations automate after pain becomes visible. A release takes too long, a migration requires too many shell commands, incident response depends on the person who remembers the sequence, or infrastructure changes sit behind a queue of tickets. The first response is usually reasonable: encode the steps.
That produces useful local wins. A deploy script removes copy-paste errors. A CI job runs tests consistently. A chat command restarts a service faster than logging into a host. A Terraform module gives teams a reusable path for provisioning.
But this is the shallow layer of automation. It replaces typing without changing the operating model. The same person still knows when it is safe. The same Slack thread still decides whether the failed step can be retried. The same dashboard still needs to be checked manually. The same production permissions still leak through the process.
At platform scale, automation is no longer about speed alone. It becomes a control system for change.
The Problem
The manual workflow usually contains more than commands. It contains judgment, sequencing, state inspection, exception handling, rollback criteria, and social approval. When automation captures only the commands, it makes the easy part faster and the risky part less visible.
This is why many internal platforms accumulate brittle automation. They have buttons for deployment, templates for services, and pipelines for infrastructure, but each one still depends on undocumented context. The button works when the caller already understands the environment. The template works when the service looks like last quarter’s service. The pipeline works when no dependency is drifting.
Typing replacement has three common failure modes.
First, it hides state. A script can run apply, but the platform needs to know desired state, observed state, ownership, drift, and whether the change is converging. Without that model, automation cannot distinguish progress from damage.
Second, it hides policy. A human operator once remembered that database changes need a staged rollout, that public endpoints require review, or that certain regions have capacity constraints. If the automation does not encode those constraints, the organization has only moved the risk behind a nicer interface.
Third, it hides verification. A successful command exit code is not the same as a successful production change. The platform needs postconditions: service health, error budget impact, rollback availability, and traceable evidence that the intended state was reached.
The core question is not “how do we automate this command?” It is “what system of state, policy, execution, and feedback should own this change?”
Core Concept
Durable automation should be designed as a control plane, not a bag of scripts. The control plane accepts intent, validates it against policy, reconciles desired state with observed state, executes bounded actions, and records evidence.
flowchart TD
A[request — human intent] --> B[policy — constraints and ownership]
B --> C[state model — desired and observed]
C --> D[workflow engine — plan and apply]
D --> E[verification — tests and telemetry]
E -->|passes| F[audit trail — decisions and rollback]
E -->|fails| B
The important shift is that the unit of automation becomes the change, not the command.
A deployment request should not be “run this deploy job.” It should be “move service payments-api to version 4.8.2 in production with these safety checks.” An infrastructure request should not be “run Terraform for this folder.” It should be “make this environment match this reviewed desired state while preserving these invariants.” An incident action should not be “restart the workers.” It should be “restore queue consumption while staying inside these blast-radius limits.”
That framing gives platform teams a better architecture.
Intent should be declarative where possible. The user describes the target state, not every imperative step. Policy should run before execution, not after damage. Execution should be idempotent and resumable, because distributed systems fail between steps. Verification should be part of the workflow, not a wiki page beside it. Audit should capture the request, decision, executor, observed result, and rollback path.
This is slower than writing the first script. It is also the difference between automation that reduces toil and automation that manufactures outages faster.
In Practice
Context: Google’s SRE material defines toil as work that is manual, repetitive, automatable, tactical, and not enduringly valuable. The documented Google SRE pattern is not “script everything”; it is to reduce toil so engineering effort can move toward systems that scale and improve reliability. See Google’s public SRE chapter on Eliminating Toil.
Action: The useful action is to turn repeated operations into engineered systems with design, documentation, and ownership. A runbook script can be a starting point, but the higher-value artifact is the service or platform capability that removes repeated human arbitration.
Result: The result is not merely fewer keystrokes. The result is less operational load, more consistent execution, and clearer ownership of recurring production work.
Learning: The documented pattern is that toil reduction requires engineering investment. If automation still requires a senior operator to interpret every failure, the toil has not disappeared; it has moved to the exception path.
Context: Kubernetes controllers demonstrate the control-plane pattern in a widely used open source system. Kubernetes documents controllers as loops that watch cluster state and make changes to move current state toward desired state. See the Kubernetes documentation on controllers.
Action: The controller does not ask an operator to remember every reconciliation step. It watches objects, compares desired and observed state, and acts repeatedly until the system converges or exposes failure.
Result: This model makes automation resilient to partial failure. If a pod disappears, the system can create another. If the current state drifts from the specification, the controller loop has a defined responsibility.
Learning: The documented pattern is that durable automation needs a state model. Without desired state and observed state, the system can execute commands but cannot reason about convergence.
Context: GitOps tools such as Argo CD apply the same pattern to delivery. Argo CD documents automated sync as comparing desired manifests in Git with live cluster state, then syncing when differences are detected. See Argo CD’s documentation on automated sync policy.
Action: Instead of treating deployment as a one-time CI command, GitOps treats Git as the source of desired application state and uses reconciliation to detect drift.
Result: The release mechanism becomes inspectable. A commit explains the intended state, the controller reports whether the live system matches it, and drift becomes a first-class condition.
Learning: The documented pattern is that delivery automation becomes safer when it separates intent, reconciliation, and execution. A pipeline that only pushes artifacts cannot provide the same operational clarity.
Where It Breaks
| Failure mode | What it looks like | Better design |
|---|---|---|
| Command wrapper automation | A button runs the same risky shell sequence | Model the requested change and validate it before execution |
| Hidden state | Success means the job exited zero | Compare desired state, observed state, and postconditions |
| Manual exception handling | Failures require the one expert who knows the system | Encode retry, pause, rollback, and escalation behavior |
| Policy in human memory | Reviews happen in Slack after the job starts | Run policy checks before the workflow can mutate production |
| No ownership boundary | Platform owns the button but not the outcome | Define who owns templates, workflows, policies, and runtime support |
| Audit without evidence | Logs show commands but not decisions | Record intent, approvals, checks, state transitions, and results |
The tradeoff is that control-plane automation costs more to build. It needs schemas, APIs, policy engines, state stores, workflow orchestration, and observability. For a rare task, that investment may be waste. For a frequent or dangerous task, it is the only version of automation that actually reduces operational risk.
The decision threshold should be explicit. If a task is frequent, high-blast-radius, compliance-sensitive, or repeatedly escalated to senior engineers, it deserves more than a script. If a task is rare, low-risk, and locally owned, a script with clear documentation may be enough.
What to Do Next
-
Problem: Inventory the workflows where automation still depends on hidden human judgment. Look for deploys, migrations, provisioning, incident actions, and access changes where a successful command does not prove a safe outcome.
-
Solution: Redesign the highest-risk workflow around intent, policy, desired state, observed state, execution, verification, and audit. Treat the workflow as a platform capability with an owner, not a convenience script.
-
Proof: Define postconditions before implementation. A good automated workflow should prove what changed, who requested it, which policies passed, what the system observed afterward, and how rollback would work.
-
Action: Start with one workflow that is both frequent and painful. Replace the command wrapper with a small control plane: a typed request, preflight policy, idempotent execution, health checks, and an audit record. Then use that pattern as the standard for the next automation investment.