Autonomy Is a Range You Earn

“Should this agent be autonomous?” is the wrong question, and it is wrong in a specific, instructive way. It is scoped exactly like “should this twin be allowed over the ocean?” — a blanket prior set once, in advance, by the worst plausible case. The original sixty-minute rule was precisely that: a single conservative line set by the worst plausible twin and the failure assumptions of a previous engine generation, then applied uniformly to every twin-engine airframe. A blanket prior has two failure modes at once. It is too permissive, because it grants a flat range to a system that has demonstrated nothing about reliability on the actual task in front of it. And it is too conservative, because it caps a system that has earned trust at the same line as one that has not.

The insight that produced ETOPS — Extended-range Twin-engine Operational Performance Standards — was to throw out the blanket prior and replace it with an evidence-graded envelope. Range is no longer granted to “twins” as a class. It is granted to a specific airframe-and-engine combination, on the strength of that combination’s demonstrated record, and it widens only as the evidence widens. The unit of governance stopped being the category and became the proven configuration.

The map to AI is direct. The unit of governance is not the agent. It is the (agent, task class) pair. A coding agent that has run ten thousand dependency-bump pull requests with a measured, stable, low rate of undetected errors has earned a wider unsupervised range on that task class than the same agent has earned on, say, irreversible production database migrations — where it may have earned nothing at all. “Autonomous vs. supervised” is a blanket prior. The correct object is a per-task-class, evidence-graded unsupervised range.

The metaphor only carries weight if it is installed precisely, so it is worth the care. In ETOPS, the number that defines the envelope is diversion time: the maximum time the aircraft could fly to an adequate alternate airport with one engine inoperative, in still air, at the normal single-engine cruise speed. It is not a measure of how fast the plane goes. It is a measure of how far from a runway the plane may legally be at any moment — how long it could survive a failure and still reach a place to set down safely. An ETOPS-180 authorization says: this configuration may operate up to 180 minutes of single-engine flying time from the nearest adequate airport. The envelope is defined by the worst-case path back to safety.

The AI translation is the agent’s rollback horizon : how long the agent may run unsupervised before a human — or a deterministic gate standing in for one — must still be able to re-take control without harm. That horizon is bounded by two things. One is reversibility: how far back the system can still undo what the agent has done. The other is the reachability of a safe harbour — an approver or a hard gate that can actually intervene in time, not in principle but in fact. An agent operating “far from a runway” is one running a long way past the last point at which a human could still catch and reverse a mistake.

The geometry matters because the two pressures pull in opposite directions. A wider earned range means longer autonomous runs between human checkpoints — which is exactly where the throughput and the economic value sit. It is also exactly where the risk concentrates if the envelope was granted by assertion rather than earned by evidence. The same number that unlocks the value sets the distance you will be from help when something goes wrong. ETOPS treats that number as sacred. AI deployments rarely name it at all.

The history is the model, so it is worth telling plainly. The blanket sixty-minute rule held until 1985, when the first ETOPS-120 authorization let a qualifying twin fly up to two hours from a runway. A decade later, the Boeing 777 entered service already certified to ETOPS-180 — an envelope wide enough to open the great majority of the Earth’s surface to twin-engine operation. The A330 reached ETOPS-240 in 2009. The 777 family was approved for ETOPS-330 in 2011, and the A350 reached ETOPS-370 in 2014. The ladder is the whole point: sixty minutes was a wall, and the wall became a staircase.

Every rung was unlocked by demonstrated reliability, not granted by request. Before a tier was extended, the world fleet of that engine type had to demonstrate an in-flight-shutdown rate that was low and, critically, stable — not a lucky quarter, but a proven, sustained record across hundreds of thousands of engine-hours. And the authorization is revocable: if the failure rate regresses, the regulator can pull the tier back. The envelope is a ratchet driven by data, turning up on evidence and down on regression. It is not a permission slip signed once and filed away.

The AI mapping inherits the whole structure. An agent earns a wider unsupervised range by demonstrating a low, stable rate of undetected failures on a specific task class, measured over enough operating hours to rule out luck. The envelope widens one earned tier at a time. And it must be revocable: when the deployment distribution drifts, when a monitored failure rate climbs, the agent’s range contracts — automatically, before the next long unsupervised run, not after the incident review. Autonomy is a ratchet driven by data, not a permission slip signed once.

On 1 December 2015, Air New Zealand became the first airline ever to operate a scheduled ETOPS-330 service — Auckland to Buenos Aires, a Boeing 777-200ER powered by Rolls-Royce Trent 800 engines — having received 330-minute approval the month before and having first operated under ETOPS-240 from 2014. The Southern Ocean has almost no land beneath it; a narrow diversion envelope would have forced the aircraft to dogleg north toward distant alternates, adding distance, fuel, and time to stay within reach of a runway it would almost certainly never need. The wider earned envelope let the twin fly the direct great-circle track instead. In Boeing’s and Air New Zealand’s own framing, the wider envelope “allows more direct flights, burns less fuel, emits less carbon dioxide.”

This is the thread that is easy to miss. Twins already burn far less fuel than the four-engine aircraft they replaced; the economics of fewer engines compound across fuel and maintenance alike. But the route the earned range unlocked was the route that paid. The reason to do the reliability work — the years of monitoring, the demonstrated shutdown rate, the staged escalation — was not safety theater. It was that the wider envelope is where the money is. The straight line over the ocean only becomes legal once the range is earned.

The AI lesson is the same, and it reframes why governance is worth the cost. The point of earning a wider unsupervised range is economic. Every mandatory human checkpoint is a dogleg: it interrupts the autonomous run, adds latency and coordination cost, and throttles throughput exactly the way a diversion-constrained route adds miles. A narrow, ungraded autonomy envelope keeps every agent flying the long way around a human reviewer it has long since earned the right to fly past. The wider envelope — longer unsupervised runs between checkpoints — is where the throughput lives. Earning it, rather than asserting it, is the discipline that makes the straight line legal.

A wider envelope is an asset; operating at its edge on a prediction that turns out wrong is the danger. On 7 October 2013, a Royal New Zealand Air Force No. 40 Squadron Boeing 757 — military callsign NZ7571, not a civilian Air New Zealand service — departed Christchurch for Pegasus Field on the Ross Ice Shelf, Antarctica, with 130 people aboard. The aircraft lacked the fuel to return to Christchurch without refuelling at Pegasus, so a point of safe return was pre-computed: a line in the sky past which turning back was no longer an option. Forecasters assured the crew the weather would improve, and the flight was cleared past that line. Roughly twenty minutes later, observations showed a fog bank had enveloped the destination runway in near-whiteout.

The designed fallback — return to Christchurch — was already foreclosed by the fuel and range envelope, and the set of 757-suitable Antarctic alternates was thin. The crew flew three approaches; on the third, at about 110 feet, they acquired the approach lighting and landed below the published minima in near-whiteout. There was no damage and no injuries. The Transport Accident Investigation Commission inquiry, AO-2013-009, found the crew’s decisions in the moment appropriate — but that the original risk assessment had gaps: no 757-suitable alternate approach procedures and thin consideration of which Antarctic aerodromes could actually take the aircraft. This was a successful recovery, not a tragedy. (It should not be confused with the 1979 Mount Erebus disaster, a different aircraft, a different operator, and a navigation error that killed all 257 aboard — an entirely separate event.)

The mapping is exact, and it is where this brief lands. An autonomous agent that commits past its rollback horizon on predicted rather than observed conditions — a retrieval it assumes will succeed, a downstream state it assumes will hold, an environment it assumes will stay as the plan modeled it — with the designed fallback already foreclosed by its own resource envelope and an under-specified set of alternates, is flying at the edge of its envelope on a forecast that can fail. The fix is not “never extend range.” A narrow envelope forfeits the value in §04 and is its own failure. The fix is to earn the range and keep the diversion option reachable — to never let the rollback horizon close on a forecast, and to gate the point of safe return on observed conditions, not predicted ones.

That is the discipline ETOPS encodes and the discipline agent autonomy still lacks: a graduated, evidence-earned, revocable envelope, with the safe harbour always reachable and the irreversible step never taken on a forecast. The in-depth companion develops the full argument — diversion time as rollback horizon, the in-flight-shutdown rate as a task-class reliability gate, the economics of the wider envelope, and the precise machinery that keeps the diversion option open. Read it at Earned Range: ETOPS and the Graduated Autonomy Envelope .