Condition 1
Category allowlist
Only portal_account and billing_scope tickets are auto-resolve eligible. Helpdesk, email, Microsoft 365, Google Workspace, and SaaS admin tickets require human handling regardless of AI confidence.
Engineering case study / Kocre IT Services
Remote IT support runs on speed and context. Ghost Admin delivers both in seconds — without letting AI confidence be sufficient reason to close a ticket.
Running IT support for multiple client organizations means carrying simultaneous context for each — which platforms they're on, what their last issue was, what's been resolved before, which SLA tier they're under. Without tooling, every new ticket starts with 10–15 minutes of history-reading before any actual support happens. The second problem is automation risk. Auto-closing tickets based on AI confidence alone would recover that time — but at the cost of reliability. A misclassified ticket that gets auto-resolved is a client problem the operator never sees. Too many false positives and the automation becomes a liability rather than a tool. Kocre IT needed an AI layer that was genuinely useful for context-gathering and drafting, and genuinely conservative about autonomous action — not because the AI was weak, but because the conditions for acting on its output needed to be unambiguous.
Ghost Admin is the orchestration layer. For any open ticket, it fetches a structured context bundle before calling the model: — The full ticket record with all AI triage fields populated — Up to 10 recent client-facing conversation messages — Similar previously resolved tickets, matched on title and category — KB/SOP drafts already linked to the ticket — Published knowledge articles ranked by relevance — The client organization's full lifecycle state: agreement status, payment status, onboarding progress, client_status, whether the account flags for human review Ghost sends this bundle to Claude and returns a 10-field JSON: what the ticket is actually about, the most likely blocker, recommended next action, a scope call (standard_support / watch_scope / likely_scoped_work), client reply guidance, lifecycle signals, and a short operator warning for edge cases. This context synthesis happens in under 3 seconds and gives the operator a starting position that would otherwise require reading the full ticket history, the client profile, and the knowledge base manually. Ghost also generates follow-up drafts in 6 modes: initial response, progress update, resolution, information gathering, escalation update, and needs assessment. Each draft pulls from the same context bundle — meaning drafts reflect the client's lifecycle stage, not just the issue description.
AI triage can flag a ticket ai_can_auto_resolve: true — but this is an input to the gate, not a decision. All six conditions must hold simultaneously before any ticket closes automatically:
Condition 1
Category allowlist
Only portal_account and billing_scope tickets are auto-resolve eligible. Helpdesk, email, Microsoft 365, Google Workspace, and SaaS admin tickets require human handling regardless of AI confidence.
Condition 2
AI eligibility flag
The triage engine must have set ai_can_auto_resolve: true. The default is false. Only instruction-based, FAQ-style, or portal/policy questions earn this flag.
Condition 3
Confidence threshold
AI confidence must exceed 0.7. Anything below that requires human review — the gate treats low-confidence triage as uncertain classification, not as a borderline auto-resolve candidate.
Condition 4
No escalation flag
ai_escalation_needed must be false. Security-sensitive, high-impact, or ambiguous tickets are never auto-resolved regardless of other conditions.
Condition 5
No project flag
ai_project_flag must be false. Migration work, major setup, broad remediation — anything larger than routine support — requires manual handling and scoping.
Condition 6
No access requirement
ai_access_needed must be false. If resolving the ticket requires admin access, account changes, or vendor escalation, the gate stays closed.
Every ticket that moves through Kocre IT makes the next one faster. The flywheel runs in four stages: Triage enrichment: On ticket creation, AI triage runs immediately — classifying category, scoring confidence, flagging escalation and project risk, estimating time. The ticket is enriched with 10 AI fields before an operator opens it. Context bundling: When Ghost Admin runs on a ticket, it pulls similar resolved tickets from the database. The more resolved tickets exist, the richer the context bundle. A new Microsoft 365 issue gets context from every previously resolved Microsoft 365 ticket for that client. Knowledge generation: When a ticket closes, Ghost can generate a KB/SOP draft from the resolution thread. This captures what the issue was, what was tried, and what fixed it — gated strictly to resolved/closed tickets. In-progress tickets never generate drafts. Knowledge retrieval: Published KB articles rank into future Ghost context bundles. Over time, the system builds institutional memory. By the 50th resolved ticket for a client, new tickets from that client arrive with matched precedents, relevant procedures, and similar past resolutions — automatically.
Sentinel is the monitoring layer and the clearest example of where AI was deliberately excluded. It runs as a Vercel Cron job every hour, making deterministic checks against all monitored client URLs and ticket data. No model is involved in any monitoring decision:
URL monitoring
HEAD request to each client's store_url and website_url, 10-second timeout. Response time > 5,000ms returns severity: warning. Non-2xx status or connection failure returns severity: critical. No inference — the result is the HTTP response.
SLA breach detection
Queries open tickets without a first_response_at timestamp that have exceeded their sla_response_hours. The check is arithmetic: hours_open > sla_response_hours. If true, it fires — the system doesn't judge whether the breach is justified.
Ticket volume spike
Compares tickets created in the last 24 hours against the 30-day daily average. Greater than 3× the average triggers severity: warning. The threshold is hardcoded — not model-inferred — so the alert is fully predictable.
Critical findings auto-create tickets assigned to an admin. Warning findings are logged in the activity log. No model decides what counts as an incident — Sentinel either fires or it doesn't, based on arithmetic. This is intentional. A monitoring system that asks a model whether an outage is significant introduces hallucination risk and latency into a context where determinism matters most. When an SLA breach happens, the operator needs to know — not a probability estimate.
AI drafts the reply, classifies the ticket, and synthesizes the context. Deterministic code decides whether to auto-close, whether to fire an alert, and whether a monitoring threshold was breached. Confidence is an input. It is never a sufficient condition.
This is the kind of system we build — AI that handles the cognitive load, deterministic gates for the decisions that matter, and a knowledge layer that compounds over time.