At Red Hat Tech Day Netherlands 2026, the biggest reveal came at the end — the classic “One more thing…” moment. Automation Orchestrator is Red Hat’s unified experience for AI-driven IT operations, coming Q3 2026.
I was in the room when they showed this, and the implications for enterprise automation are massive.
What Is Automation Orchestrator?
Automation Orchestrator connects event detection, AI reasoning, and deterministic execution in a single auditable pipeline. It is seamless orchestration of disparate tools and processes — one governed workflow, end-to-end.
Built on the upstream Temporal project (the durable execution engine used at Stripe, Netflix, and Uber scale), the Orchestrator brings industrial-grade workflow durability to Ansible: state survives crashes and restarts, long-running workflows can pause for human approval (hours or days), and every step has built-in retries and compensation logic.
Critically, it combines task-based and event-based automation in one workflow. You no longer choose between scheduled playbooks and reactive Event-Driven Ansible — both wire together on a single governed canvas.
The core principle:
“AI isn’t improvising against production infrastructure, it’s acting through AAP.”
This is the critical distinction. The AI recommends, humans approve, and automation executes deterministically through Ansible Automation Platform. No autonomous YOLO-patching of production systems.
The 5-Step Pipeline
- Alerts from multiple sources — agents, events, and playbooks all orchestrated on a single canvas
- Events trigger deterministic automation rulebook — EDA picks up the alert
- AI analyzes and recommends — LLM + MCP tools investigate and propose remediation
- Humans approve — governance gate before anything touches production
- Automated remediation at scale — deterministic, auditable execution via AAP
Built for Every Automation Persona
- Platform engineers and IT operators: intuitive GUI-based experience
- Automation developers: headless API and MCP integrations
Live Demo: CVE-2024-6387 End-to-End Remediation
The demo showcased a Vulnerability Remediation workflow — an 8-step pipeline handling a critical OpenSSH CVE from alert to closure.
AI Agent Configuration
- LLM: Red Hat AI/Nomotron 120b
- Prompt: “You are a vulnerability analysis agent. When a CVE alert arrives, query AAP inventory via MCP to find affected hosts, correlate to the correct host group, match an existing remediation job template, and submit a remediation plan for human approval. Include rollback strategy and execution approach.”
- MCP Tools: Splunk Query, Splunk Alert Search, Splunk Saved Search, ServiceNow CMDB Lookup
Multi-Source Triggers
The workflow accepts vulnerability alerts from multiple sources simultaneously:
- IBM Instana — webhook trigger for vulnerability alerts (Step 2/8)
- ServiceNOW — webhook trigger for vulnerability alerts (Step 3/8)
- Both use POST to the EDA webhook endpoint with auto-generated API keys
Human Review Gate
Step 5 is the critical governance gate:
- Usernames to notify: configurable list
- Message: “Please approve this deployment to production”
- Timeout: 1 day (configurable)
- On timeout: “Fail the workflow” — no silent auto-approvals
This is what separates enterprise automation from consumer AI. The workflow fails safe.
Workflow Complete
CVE Details:
- Vulnerability: CVE-2024-6387 (regresshion) — OpenSSH race condition in sshd
- Severity: CRITICAL
- Attack Vector: Network — Remote code execution via sshd
- Affected Package: OpenSSH 8.5p1-9.7p1
- Fix Applied: Upgraded to OpenSSH 9.8p1
Remediation Results:
- 12 hosts patched across prod, staging, and dev environments
- Strategy: Rolling update — 3 batches of 4 hosts, zero downtime
- Health checks: All passed
- ITSM Ticket: INC0038291 — Resolved and closed
Execution Timeline
| Step | Duration |
|---|---|
| NIST Vulnerability Alert (NVD feed ingestion) | 0s |
| Create ITSM Ticket (priority: critical) | 1.2s |
| Vulnerability Analysis (12 hosts identified, matched template) | 4.8s |
| Human Review (SRE lead and team approved) | 38.4s (Manual) |
| Execute Remediation (3 rolling batches, zero downtime) | 0.9s |
| Update and Close ITSM Ticket | 2.1s |
| Summarize Results (compliance report generated) | - |
Total automated time (excluding human review): under 10 seconds.
What This Means for Enterprise Automation
The Automation Orchestrator represents a fundamental shift in how organizations handle IT operations:
- From reactive to proactive — alerts trigger automated investigation, not pager fatigue
- From manual to governed — humans stay in the loop without being in the critical path for everything
- From siloed to unified — Splunk, ServiceNow, IBM Instana, and AAP all orchestrated on one canvas
- From slow to instant — CVE to patched fleet in seconds (plus human approval time)
The Scaling Story
Traditional event-driven automation is deterministic but linear — 1000 events need 1000 hand-written rules. With AI in the loop, a single intelligent workflow handles novel situations dynamically while still executing through deterministic AAP playbooks.
When Can You Use It?
The slide footer says “Coming Q3 2026.” This means it should be available alongside or shortly after AAP 2.7 GA.
Key Takeaway
The Automation Orchestrator is not AI replacing operators. It is AI augmenting operators — surfacing recommendations, gathering context from multiple tools via MCP, and waiting for human approval before touching production. The execution remains deterministic Ansible playbooks with full audit trails.
That is the enterprise promise: speed of AI investigation + safety of governed execution.
