• +44(0)7855748256
  • bolaogun9@gmail.com
  • London
13 March 2026

From Cockpit to Cloud: Aviation’s Autopilot Lessons for AI in Platform Engineering

Aviation took a century and hundreds of lives to get autopilot right. Cloud platform engineering is attempting to compress that same journey into five years. The playbook for getting it right already exists — if we’re willing to read it.

The Paradox Nobody Wants to Talk About

Here is a number that should give every platform engineer pause: 84% of developers now use AI tools in their daily workflow. It sounds like a revolution. It sounds like progress.

Now here is the number that sits beneath it: only 3% of those developers highly trust the output.

We have built a profession-wide habit around a tool we don’t trust. We are, in aviation terms, engaged to an autopilot we haven’t certified — and flying through weather we haven’t trained for.

THE AI TRUST PARADOX IN CLOUD ENGINEERING STACK OVERFLOW DEVELOPER SURVEY 2025 · VERACODE GENAI SECURITY REPORT 2025 84% OF DEVS USE AI TOOLS daily or regularly 33% OF DEVS TRUST AI OUTPUT for accuracy 3% OF DEVS “HIGHLY TRUST” AI output 45% of AI-generated code contains OWASP Top 10 security flaws 19% SLOWER on complex tasks with AI (METR RCT, 2025) 92% say AI tools increase blast radius of bad deployments blog.ogunlana.net · FROM COCKPIT TO CLOUD

The numbers get worse when you dig into infrastructure-specific data. Veracode’s 2025 GenAI Code Security Report tested over 100 AI models and found that 45% of AI-generated code contains OWASP Top 10 security flaws — with Java hitting a 72% failure rate. CodeRabbit’s analysis of real-world pull requests shows that AI-generated PRs contain 1.7 times more issues than human PRs, including 1.4 times more critical ones. And METR’s 2025 randomised controlled trial found that experienced engineers working on complex, familiar codebases were actually 19% slower with AI assistance — while believing they were 20% faster.

We are at the most dangerous intersection possible: high adoption, low trust, measurably worse security outcomes — and a collective delusion about productivity gains.

The good news? We have seen this exact inflection point before. Not in software. In aviation.

A 100-Year Experiment in Staged Autonomy

In 1914, Lawrence Sperry flew a biplane over Paris with both hands raised above his head while his mechanic walked out onto the lower wing. The 40-pound gyroscopic autopilot held the aircraft steady. The crowd assumed it was a stunt. It was actually the birth of one of the most consequential human-machine partnerships in history.

Over the next century, aviation would evolve through five distinct eras of automation — each advancing the autonomy of the system, each requiring new frameworks of governance, training, and trust before proceeding. The result: fatal accident rates dropped from 3.0 to 0.1 per million flights across four aircraft generations. Air travel became the safest form of long-distance transport in human history.

That did not happen by accident. It happened because aviation built a rigorous, evidence-based system for deciding when machines could be trusted, how much authority they should have, and what humans need to do when they disagree.

100 YEARS OF AUTOPILOT · THE CLOUD ENGINEERING PARALLEL AVIATION’S FIVE ERAS OF STAGED AUTONOMY ✈ AVIATION ERA ☁ CLOUD AI EQUIVALENT ERA 1 · 1912–1950s Primitive Autopilot Wing-leveler; Sperry gyroscopic; WWII bombers LEVEL 0 · ADVISORY AI as Copilot / Suggester GitHub Copilot, ChatGPT for IaC drafts ERA 2 · 1950s–1970s Autoland & ICAO Categories CAT I–III; higher authority = higher rigor LEVEL 1 · ASSISTIVE AI Drafts, Human Approves Pulumi Neo, terraform plan review gates ERA 3 · 1980s Glass Cockpits & Crew Complement Wars 2-crew flight deck; ALPA resistance; evidence settled it LEVEL 2 · SUPERVISED AUTONOMOUS AI Executes, Humans Monitor Auto-scaling, canary analysis, cert rotation ERA 4 · 1988–2000s Fly-by-Wire & Envelope Protection A320 FBW; aircraft refuses to stall LEVEL 3 · CONDITIONAL AUTONOMY OPA/Policy Guardrails + AI Remediation Known patterns auto-resolved; novel escalated ERA 5 · 2009–PRESENT The Reckoning (AF447, MAX, TA1951) 346 deaths; exposed automation paradox LEVEL 4 · HIGH AUTONOMY (WITH CAUTION) AI-Managed Operations + Human Oversight Requires ISO 42001 · Autonomy ≠ exceed Controls blog.ogunlana.net · FROM COCKPIT TO CLOUD

The most instructive era is not the one where everything went right. It is the one where it went catastrophically wrong.

In 2009, three crashes killed 287 people and ripped the lid off the automation paradox. Air France 447’s crew never successfully diagnosed an aerodynamic stall while falling 38,000 feet over the Atlantic in three and a half minutes — because the autopilot had disconnected and they had never been trained for full manual recovery at altitude. Turkish Airlines 1951 crashed on approach to Amsterdam when a faulty radio altimeter told the autothrottle the aircraft was at minus-eight feet, causing engines to idle. The plane had registered 148 erroneous readings over the previous ten months. Nobody acted on them. Colgan Air 3407 went down near Buffalo when the captain pulled back on the controls during a stall warning — exactly the wrong response — because he had never practiced the manoeuvre under real conditions.

Then, between 2018 and 2019, 346 people died when the Boeing 737 MAX’s MCAS system — relying on a single angle-of-attack sensor with no redundancy — repeatedly pushed the nose down in response to bad data. A disagree alert that would have warned pilots of conflicting sensor readings had been made optional at $10,000 per aircraft. Most airlines didn’t pay for it.

Each of these disasters had a name in the human factors literature long before the crash: the automation paradox, automation complacency, mode confusion, skill atrophy. Lisanne Bainbridge described the core dynamic in a landmark 1983 paper: “By taking away the easy parts of the task, automation can make the difficult parts of the human operator’s task more difficult.” The better your automation, the worse your operators perform when the automation fails — unless you deliberately design against that outcome.

The software industry is reading this and thinking: yes, but that is aviation. Physical systems. Life-safety. Different stakes entirely.

That is the wrong conclusion. The stakes in cloud platform engineering are not lives — but they are organisations, revenue, and the data of millions of people. And the dynamic is identical.

The Lesson They Almost Didn’t Learn: Crew Resource Management

By the mid-1970s, NASA researchers had established something uncomfortable: between 70 and 80 percent of aviation accidents involved human error — specifically, failures of leadership, communication, and decision-making, not technical skill. Highly trained pilots were dying not because they couldn’t fly, but because they couldn’t work together under pressure.

The response was Crew Resource Management — and it took six generations over 25 years to get right.

The first-generation programs in the early 1980s tried to fix authoritarian captains by making them play non-aviation team-building games. Predictably, this did not work. Captains were excellent pilots who saw no reason to take direction from a game about being lost on the moon. It took until the 5th and 6th generations — built around the concept of Threat and Error Management, developed by Robert Helmreich at the University of Texas — to shift the framing from “don’t make mistakes” to “build systems that catch mistakes before they cascade.”

That reframe is the most important thing the software industry could take from aviation right now.

The goal is not error elimination. The goal is error-tolerant systems with layered defences. Aviation codified this. DevOps calls it “failing fast.” SRE calls it “error budgets.” The principle is the same: accept that humans and systems will fail, and architect for recovery rather than perfection.

The FAA mandated CRM across commercial aviation in 1998 — seventeen years after the first program launched at United Airlines. That gap between voluntary adoption and regulatory mandate is instructive. The software industry is at year three of its own CRM equivalent: structured AI interaction training does not exist at most organisations, let alone as a regulatory or professional requirement.

The Framework: Five Levels of AI Autonomy for Platform Engineering

Aviation solved the staged autonomy problem through ICAO approach categories — CAT I requires minimal automation, CAT IIIB requires fail-operational triple-redundant systems. Higher automation authority demands higher certification rigour. The equivalent framework for AI in cloud platform engineering maps naturally to five levels.

The critical rule — borrowed directly from aviation — is this: your autonomy level must never exceed your controls level. An organisation operating AI at Level 3 with governance at Level 1 is in the same position as a pilot attempting a CAT III approach in an uncertified aircraft. The outcome is not guaranteed to be fatal, but the conditions for catastrophe are set.

AI AUTONOMY MATURITY MODEL FOR PLATFORM ENGINEERING INSPIRED BY ICAO APPROACH CATEGORIES · CONTROLS MUST MATCH OR EXCEED AUTONOMY LEVEL LEVEL NAME AI AUTHORITY EXAMPLE TOOLS / PATTERNS AVIATION EQUIV. LEVEL 0 Advisory Flight Director mode Suggests only. Zero execution Human decides AND executes everything GitHub Copilot · ChatGPT brainstorming AIOps anomaly surfacing · Cost recommendations Manual approach using flight director LEVEL 1 Assistive Basic autopilot, human hands-on Drafts artifacts · Human reviews & applies Narrow boundaries; explicit approval per action Pulumi Neo · terraform plan review PR-based IaC workflows · SAST gates in CI Basic autopilot CAT I approach LEVEL 2 Supervised Autonomous FMS-managed autopilot on route Low-risk autonomous · Medium/high = human gate Change classification by blast radius required ArgoCD GitOps · Canary analysis + rollback Cert rotation · Auto-scaling within approved bounds FMS managed standard routing LEVEL 3 Conditional Autonomy CAT I autoland (good weather) Routine ops autonomous · Novel escalates to human Circuit breakers + behavioral baselines required Datadog Bits AI · Rootly auto-triage OPA + Kyverno policy enforcement · Known patterns CAT I autoland pilot ready at DA LEVEL 4 High Autonomy CAT IIIB autoland (near-zero visibility) AI manages most ops · Human via exception handling ISO 42001 certification required before operating here Dual AI cross-check · Automated rollback on disagree Full observability · NIST AI RMF governance stack CAT IIIB autoland triple redundancy ⚠ CRITICAL RULE FROM AVIATION: AUTONOMY LEVEL MUST NEVER EXCEED YOUR CONTROLS LEVEL An organisation at Autonomy Level 3 with Controls at Level 1 is in the danger zone · Certify your controls before advancing blog.ogunlana.net · FROM COCKPIT TO CLOUD

Level 0 (Advisory) is where every organisation should start, and where most are today whether they know it or not. AI suggests. Humans decide everything. GitHub Copilot completing a Terraform block, an AIOps platform surfacing an anomaly, ChatGPT sketching a module architecture — all Level 0. Blast radius is near zero. Trust can be built incrementally.

Level 1 (Assistive) is the sweet spot for most platform teams in 2025. AI drafts Terraform plans, Kubernetes manifests, incident runbooks. Humans review every output before anything is applied. The gate is mandatory: terraform plan review, PR approval workflow, SAST scanning. This is where tools like Pulumi Neo operate safely. The key controls are the review gates — remove them and you have jumped from Level 1 to a dangerous hybrid with no safety net.

Level 2 (Supervised Autonomous) introduces genuine AI execution authority for low-risk, well-defined operations. Auto-scaling within pre-approved bounds. Canary analysis with automatic rollback on degraded metrics. Certificate rotation. The prerequisite is a change classification framework — a tiered system that defines blast radius for every category of infrastructure change and maps required oversight to risk level. GitOps with ArgoCD provides the audit trail. Without the classification framework, Level 2 is operationally dangerous.

Level 3 (Conditional Autonomy) allows AI to manage routine operations with humans handling exceptions. This requires circuit breakers, behavioural baselines for AI agents, and anomaly detection that triggers automated containment. Datadog’s Bits AI SRE and Rootly’s AI triage operate at this level when properly configured. The target: 20–30% of routine incidents auto-resolved without human intervention, every auto-resolution logged and periodically audited.

Level 4 (High Autonomy) is CAT IIIB autoland for infrastructure — AI manages most operations via exception handling dashboards. No organisation should operate here without achieving ISO 42001 certification or equivalent governance maturity. The technical requirement is fail-operational redundancy: dual AI systems cross-checking each other, automated rollback on disagreement, comprehensive observability across every AI decision.

What the FAA Looks Like for Infrastructure AI

Aviation’s safety record rests on a regulatory ecosystem: DO-178C for software certification, the FAA’s Safety Management System requirements, ICAO standards for international consistency. These did not arrive fully formed — they were built reactively, in response to disasters, over decades.

The infrastructure AI governance stack is being assembled right now, and the window for engineering organisations to adopt proactively — before incidents force regulatory responses — is open but narrowing.

The certification analogue is policy-as-code with graduated rigour. DO-178C requires the most exhaustive testing for the highest-criticality aviation software. The infrastructure equivalent is tiered validation: AI-generated changes to dev environments require linting and schema validation; staging changes require integration testing; production changes require human review, SAST scanning, and blast radius analysis. Open Policy Agent, HashiCorp Sentinel, and Kyverno admission controllers are the type-certification layer — encoding approved patterns and rejecting violations before they reach production.

The CRM training analogue is structured AI interaction training. This needs to cover: how models fail (the equivalent of understanding autopilot modes), how to review AI-generated infrastructure code critically, how to detect and override automation bias, and — critically — regular manual operations practice. The FAA now requires airlines to give pilots “opportunities to manually fly at least periodically.” Engineering teams need the equivalent: regular exercises where engineers must diagnose and remediate infrastructure issues without AI assistance.

The NTSB analogue is comprehensive AI decision auditing. Every AI action in a production environment should generate an immutable record: what input triggered it, what the reasoning chain was, what the human decided, what happened afterward. OpenTelemetry’s GenAI Semantic Conventions are the emerging standard. This is not optional instrumentation — it is the foundation for organisational learning. When the incident happens, the AI audit log is your flight data recorder.

The Failures That Are Coming

Aviation’s worst accidents were predictable in retrospect. The engineers who built the 737 MAX’s MCAS knew single-sensor systems without redundancy were dangerous. The operators who flew Turkish Airlines 1951 knew the radio altimeter had been throwing errors for months. The knowledge existed. The systems to act on it did not.

FOUR FAILURE MODES THAT WILL DEFINE THE NEXT DECADE AI IN CLOUD INFRASTRUCTURE · LEARN FROM AVIATION BEFORE REPEATING ITS MISTAKES 🧠 01 Automation Bias AVIATION CASE Patriots shot down friendly aircraft (2003) Radiologists missed tumours when AI was confidently wrong CLOUD RISK Junior engineers approve AI-generated Terraform with open security groups without critical review ↑ Most immediate risk 📉 02 Skill Atrophy AVIATION CASE 77% of commercial pilots reported degraded manual flying skills FAA issued SAFO 17007 urging manual flying CLOUD RISK Engineers who cannot write Terraform without AI when the AI is wrong or unavailable ↑ Practice “Copilot-free Fridays” 👻 03 Hallucinations at Scale AVIATION CASE TA1951: faulty altimeter gave 148 false readings over 10 months before fatal crash. Plausible but wrong. CLOUD RISK 38% of AI-hallucinated package names are confusions of real ones “Slopsquatting” attacks ↑ Lock IaC to golden paths 🌊 04 Cascading Failures AVIATION CASE 737 MAX MCAS kept re-activating. Single sensor, no redundancy, no pilot notification. 346 deaths. CLOUD RISK AI agent with cluster- admin, tricked by a poisoned commit, burns budget overnight ↑ Rate-limit AI-initiated changes ⚠ Each failure was predictable and preventable. Aviation learned through 346 deaths. The infrastructure community doesn’t have to. blog.ogunlana.net · FROM COCKPIT TO CLOUD

The infrastructure AI failures of the next decade are equally visible from here.

Automation bias — over-trusting AI recommendations without critical evaluation — is the most immediate and already-occurring risk. Georgetown’s CSET research documents how automation bias caused military operators to shoot down friendly aircraft. Mammography studies show radiologists miss tumours when AI is confidently wrong. In cloud platform engineering, this manifests as junior engineers approving AI-generated Terraform with misconfigured security groups because the configuration looks correct. The mitigation is cultural and training-based: make questioning AI recommendations a professional norm, not an act of defiance.

Skill atrophy is the slow-burning risk that will not become visible until a major incident. A survey by researcher Ebbatson found 77% of commercial pilots reported their manual flying skills had deteriorated due to highly automated aircraft. PMC research confirms AI-induced skill decay is accelerated for cognitive skills compared to traditional automation. Platform engineering teams that rely entirely on AI for Terraform generation, incident diagnosis, and architecture decisions are building a capability gap that will surface catastrophically when the AI fails or behaves unexpectedly in a novel scenario. The prescription is deliberate: “Copilot-free” sprints, mandatory manual operations exercises, and treating foundational skills as a non-negotiable professional standard.

Hallucinations at infrastructure scale represent an emergent class of attack. USENIX Security 2025 found that 38% of AI-hallucinated package names are confusions of real packages — creating supply chain attack vectors. A hallucinated npm package name appeared in AI-generated code on GitHub in January 2026 and spread through real infrastructure without deliberate planting — pure AI confabulation, propagated by automated systems. At infrastructure scale, hallucinated resource names, fabricated API endpoints, or invented IAM policy ARNs can create attack surfaces that are extraordinarily difficult to diagnose because the configuration looks correct. The mitigation is constraining AI-generated infrastructure to pre-approved modules, validated schemas, and golden paths.

Cascading failures from AI-driven automation will be the industry’s 737 MAX moment. A single AI agent with cluster-admin privileges, manipulated via a poisoned Git commit, can create privileged pods, exhaust resource quotas, and burn cloud budgets overnight while valid credentials mask the attack in logs. The 737 MAX’s MCAS kept re-activating — the engineering equivalent of an AI remediation loop that keeps “fixing” an issue by making it worse. Circuit breakers, rate limiters on AI-initiated changes, and mandatory cool-down periods are the controls that prevent this class of failure.

The Seven-Step Culture Change Playbook

Aviation’s trust-building arc offers a concrete playbook. The sequence matters — skip steps and you accumulate hidden risk that surfaces later.

  1. Start on low-stakes terrain. AI for documentation, cost optimisation recommendations, and non-production configuration. Build evidence of competence before extending authority. Garmin’s Autoland was certified for light GA aircraft before anyone considered commercial aviation applications.
  2. Appoint champions, not mandates. Microsoft’s “Responsible AI Champs” model — trained peer liaisons — outperforms top-down directives. Find senior engineers who are constructively engaged with AI tools and empower them to guide their teams with honest, evidence-based assessments.
  3. Invest in failure-mode training. Aviation’s Line Oriented Flight Training uses full-mission simulation with unannounced abnormalities. The platform engineering equivalent: regular exercises where engineers must diagnose AI-caused misconfigurations without AI assistance. Deliberately include scenarios where AI recommendations are wrong.
  4. Mandate manual operations practice. The FAA’s AC 120-123 recommends pilots hand-fly at least periodically. Engineering teams should hand-write Terraform for critical modules, conduct manual incident investigations before consulting AI, and run regular “AI-off” drills. This is not nostalgia — it is resilience engineering.
  5. Build transparent feedback loops. Track and publish AI recommendation accuracy by domain. When AI is wrong, analyse why — publicly and blamelessy. Deloitte’s pilot programs showed a 49% rise in perceived output quality and 52% increase in trust through structured feedback. The causal mechanism: people trust systems they understand, including their failure modes.
  6. Gate autonomy on demonstrated reliability. Each advancement in AI authority should require specific thresholds: months of stable operation at the current level, accuracy rates on recommendations, successful autonomous actions without rollback. No shortcuts. Aviation’s approach category progression requires separate certification of aircraft, crew, airport, and airline. The principle scales directly.
  7. Maintain the “tool, not teammate” framing. The FAA’s September 2025 Safety Framework for Aircraft Automation states: “Automation is a tool, not a person. Personification of the system can lead to incorrect mental models of the system’s capabilities.” When engineering organisations speak of “AI SREs” and “AI teammates,” they risk exactly the kind of over-trust that kills. The AI is a powerful tool. Name it accurately.

The Aviation Industry Took 100 Years. We Have Maybe Five.

Aviation’s autopilot journey proves that human-machine teaming in complex, safety-critical systems is a solvable problem. But the solution is organisational and cultural, not purely technical. The technology was never the hardest part.

The hardest part was building the regulatory frameworks, training protocols, cultural norms, and feedback systems that made automation trustworthy at scale. That took a century. Every shortcut along the way was paid for in lives.

Three insights from that journey deserve to anchor every conversation about AI in platform engineering.

First: the irony of automation is not a bug to be fixed — it is a law to be managed. Remove humans from routine work and you make the hard parts harder. The most automated systems require the most investment in human capability, not the least. This is counterintuitive, commercially inconvenient, and entirely true.

Second: staged autonomy with controls that match the automation level is the only proven safe path. Organisations that race to Level 4 autonomy with Level 1 governance will have their 737 MAX moment. The question is not whether, but when, and how much it will cost.

Third: trust is built through demonstrated reliability, transparent failure analysis, and genuine investment in human skill maintenance. Not through vendor productivity claims, executive mandates, or optimistic adoption metrics.

The economic pressure to move fast is real. The engineering discipline required to move safely is uncomfortable. Aviation’s answer — move deliberately, certify rigorously, train continuously, and never let autonomy outrun controls — is the answer that works.

We have the extraordinary advantage of being able to learn from a century of aviation’s hard-won experience. The question is whether we choose to.

This post is part of an ongoing series on AI integration in cloud platform engineering and DevSecOps. If you found it useful, share it with your platform engineering team — particularly the maturity model and failure modes sections, which are designed to be used as discussion frameworks.

What level is your organisation operating at — and do your controls match? Drop your thoughts in the comments below.

bolao
0
Tags :

Leave a Reply

Your email address will not be published. Required fields are marked *

Archives

Categories

Recent Posts

Recent Comments