The Taxonomy of Operational Knowledge
In enterprise IT operations, the most dangerous failures are not the ones you are prepared for. They are the ones you do not know exist.
The concept is borrowed from risk management and applies precisely to IT operations. There are known knowns — the failure modes you have documented, the incidents you have experienced, the thresholds you have set. Your monitoring is designed to detect these. There are known unknowns — the potential failure modes you are aware of but have not yet experienced. Your observability tools are designed to help you investigate these. And then there are unknown unknowns — the failure modes you have not imagined, the correlations you have not considered, the system behaviours you have not observed. No monitoring threshold can detect them because you do not know what metric to watch. No runbook can address them because you have not conceived of the scenario.
For Indian enterprises operating mission-critical infrastructure — banks processing billions in daily transactions, healthcare platforms managing patient data under strict regulatory frameworks, government digital services serving hundreds of millions of citizens — unknown unknowns represent the most significant category of operational risk. These are the incidents that cause the most damage, take the longest to resolve, and produce the most costly post-mortems. They are the ones where the initial response is not “let us fix this” but “what is even happening?”
Understanding unknown unknowns — and building operational systems capable of detecting them — is the frontier of enterprise IT operations. It is also the core challenge that iStreet Network’s Resilient Operations solutions are designed to address.
Why Unknown Unknowns Are Structurally Undetectable by Conventional Monitoring
Traditional monitoring operates on a fundamental assumption: you know what to monitor. You define thresholds for CPU, memory, disk, and network. You configure alerts for error rates, response times, and throughput. You set up health checks for specific services and endpoints. Each monitoring rule represents a hypothesis about what failure looks like — a codified expectation that a specific metric crossing a specific boundary indicates a specific problem.
This approach works well for known failure modes. If a database server runs out of disk space, the disk utilisation alert fires. If an application server crashes, the health check fails. These are known knowns — well-understood failure patterns with well-established detection mechanisms.
But unknown unknowns do not conform to pre-defined patterns. They emerge from the interaction of multiple systems behaving normally within their individual parameters while producing abnormal behaviour in combination. A slight increase in API response time that falls within acceptable bounds. A marginal uptick in database connection churn that does not breach any threshold. A subtle shift in user session duration patterns. Each signal is individually unremarkable. But together, they indicate that a newly deployed service is gradually consuming a shared resource pool in a way that will eventually cause a cascading failure across multiple business-critical services.
No static threshold will catch this. No pre-defined alert will fire. The failure is not in any single metric exceeding a boundary. It is in the compound pattern — the interaction between signals that individually look fine but collectively indicate a developing crisis. This is the domain of unknown unknowns, and it requires a fundamentally different detection approach.
The Machine Learning Approach to Unknown Unknowns
Detecting unknown unknowns requires moving beyond hypothesis-driven monitoring — where humans define what to look for — to discovery-driven intelligence, where machine learning identifies anomalies that humans have not anticipated.
iStreet Network’s Resilient Operations solutions, powered by HEAL Software’s AIOps engine, employ unsupervised learning models that do not require pre-defined rules or historical failure examples. Instead, they learn what “normal” looks like across the entire operational environment — not just individual metrics in isolation, but the relationships and patterns between them.
Behavioural baseline learning. The AI builds comprehensive models of normal system behaviour — capturing not just individual metric ranges but the correlations between metrics, the temporal patterns of system activity, and the workload-dependent variations in performance. It learns that API latency and database query time are correlated during business hours but not during batch processing windows. It understands that memory consumption follows a sawtooth pattern that resets with garbage collection cycles. It recognises that deployment events introduce temporary performance variations that stabilise within a predictable window.
Anomaly detection through deviation from learned behaviour. When actual behaviour deviates from the learned model — even in ways that no human operator anticipated — the AI flags the deviation. A correlation between two metrics that has been stable for months suddenly changes. A temporal pattern that has been consistent shifts. A new relationship between services emerges that was not present in the learned model. These deviations may not match any known failure pattern. They may not trigger any static threshold. But they are anomalies — signals that something in the system’s behaviour has changed in an unexpected way.
Compound pattern detection. The most dangerous unknown unknowns emerge from the interaction of multiple subtle changes. The AI detects compound patterns — combinations of individually unremarkable deviations that, together, indicate a developing problem. A 2 percent increase in API latency combined with a 5 percent increase in connection pool utilisation combined with a shift in garbage collection frequency. Each is individually within tolerance. Together, they match a pattern that the AI has learned precedes a specific type of cascading failure.
Topology-aware contextualisation. When an unknown anomaly is detected, the platform uses its service dependency model to assess potential impact — tracing through the topology to identify which downstream services, business transactions, and customer experiences could be affected. This contextualisation transforms an abstract anomaly detection into a business-relevant early warning.
From Unknown Unknowns to Known Patterns
The power of this approach compounds over time. Every unknown unknown that the AI detects and the operations team investigates becomes a known pattern. The anomaly that was unprecedented the first time it appeared becomes a recognised precursor the second time. The failure mode that was invisible to conventional monitoring becomes a proactively detected and preventively managed risk.
This continuous learning cycle — detect, investigate, resolve, encode — transforms the organisation’s operational intelligence over time. The category of unknown unknowns shrinks as the AI learns from each incident. The category of known patterns grows. And the organisation’s resilience improves — not through static monitoring rules that require manual configuration, but through adaptive intelligence that evolves with the environment.
The Implications for Indian Enterprises
For Indian enterprises operating in regulated sectors, the ability to detect unknown unknowns carries particular strategic importance.
Compliance frameworks demand demonstrable resilience. RBI operational resilience guidelines, DPDP requirements, and CERT-In directives require enterprises to demonstrate not just that they can respond to known failure modes, but that they have systems in place to detect and manage emerging risks. The ability to identify unknown unknowns — through AI-driven behavioural analysis rather than manual threshold configuration — provides a demonstrably more comprehensive risk detection capability.
Digital transaction volumes amplify the impact of undetected failures. India processes some of the highest digital transaction volumes in the world. A failure mode that goes undetected for even a short period can affect millions of transactions and trigger regulatory reporting obligations. The speed at which unknown unknowns are detected directly determines the blast radius of novel failure modes.
System complexity continues to increase. As Indian enterprises adopt cloud-native architectures, microservices, AI workloads, and edge computing, the space of possible failure modes expands faster than any human team can anticipate. The number of potential interactions between system components grows exponentially with system complexity. Manual hypothesis-driven monitoring cannot keep pace with this combinatorial expansion. Adaptive, learning-based anomaly detection is the only approach that scales.
Building the Detection Architecture
Detecting unknown unknowns is not a feature that can be toggled on. It requires an operational architecture that provides the data foundation, the analytical depth, and the contextual intelligence to make detection meaningful.
Full-Stack Observability provides the comprehensive data foundation — ensuring that telemetry from every layer of the environment is captured and available for analysis. AIOps and GenAIOps provide the analytical intelligence — unsupervised learning, behavioural baseline modelling, compound pattern detection, and topology-aware contextualisation. Digital Experience Monitoring connects technical anomalies to user experience impact — ensuring that detected deviations are assessed in terms of business consequence. And the Resiliency Operations Centre provides the governance framework — ensuring that detections are investigated, resolved, and encoded as institutional learning.
Together, these capabilities create an operational architecture where unknown unknowns are not a permanent blind spot but a diminishing category — continuously reduced as the AI learns, adapts, and extends the boundaries of what your organisation can detect and prevent.
The enterprises that thrive in complexity are not the ones that have anticipated every failure mode. They are the ones that have built systems capable of detecting what they did not anticipate. That is the operational advantage iStreet Network delivers.
Talk to our advisors to explore how iStreet helps enterprises detect what conventional monitoring misses.
Originally inspired by insights from HEAL Software, an iStreet Network AIOps product.
