Cisco NSO is brilliant. It is the gold standard for multi-vendor network configuration management and state convergence. If you need to push consistent configurations across thousands of devices from different vendors, NSO does that better than anything else on the market.
But NSO was designed for machine orchestration. It assumes that once you define the desired state, automation handles the rest. In practice, network operations are messier than that.
What NSO Does Exceptionally Well
Before discussing the gaps, it is worth acknowledging why NSO is the foundation that HumanRail chose to build on:
- YANG-modeled service abstraction: Define a service once, deploy it across any vendor. NSO compiles your intent into device-specific CLI, NETCONF, or REST calls.
- Transactional config management: Every change is atomic. If any device in a transaction fails, everything rolls back. No half-deployed configs.
- CDB (Configuration Database): NSO maintains a single source of truth for your entire network state. You always know what the network should look like.
- 100+ Network Element Drivers (NEDs): Multi-vendor support is not an afterthought. Cisco, Juniper, Arista, Palo Alto, Nokia, and more.
- Dry-run and commit queues: Preview what will change before you push. Queue commits for off-hours deployment.
NSO is not the problem. The gap is everything that happens before and after NSO pushes a config.
The Human Workflow Gap
Consider a real-world scenario: a service provider needs to provision 50 new customer circuits across three cities. NSO can generate and push the configurations flawlessly. But the process raises questions NSO cannot answer:
- Who approves each circuit change? Different customers may have different approval requirements. Some need CAB review, others just a manager sign-off.
- Who verifies the physical connections? Someone has to plug in the fiber, verify light levels, and confirm cross-connects. That is a human task.
- Which contractor completed which task? If you are using field engineers across three cities, you need to track who did what.
- How do you pay them? Each completed task needs invoicing, approval, and payment processing.
- What is the audit trail? Six months from now, when a customer disputes a change, you need to show exactly who approved it, who executed it, and when.
What NSO Has vs. What Is Missing
| What NSO has | What is missing |
| --- | --- |
| Config diff and dry-run preview | Human approval gates before commit |
| Commit queues for scheduled deployment | Task assignment to specific engineers |
| Rollback on failure | Worker identity and credential verification |
| RESTCONF and NETCONF APIs | Payment and billing for completed tasks |
The Usual Workarounds (and Why They Fall Short)
Most organizations cobble together a solution from existing tools:
ServiceNow + NSO
Use ServiceNow for change requests and approval workflows, then trigger NSO via API when approved. This works for approvals but gives you zero support for task routing, worker verification, or payment. You also end up maintaining two complex systems with a fragile integration between them.
Jira + Custom Scripts + NSO
Track tasks in Jira, write custom scripts to bridge Jira tickets to NSO actions. Every organization that goes this route ends up with a bespoke integration that is brittle, hard to maintain, and understood only by the one engineer who wrote it.
Excel + Email + NSO
The uncomfortable reality at many service providers. Task tracking lives in spreadsheets. Approvals happen over email. Payment is handled by accounts payable weeks later. NSO pushes configs, but everything around it is manual.
The common thread: Every workaround treats human workflow as an afterthought bolted onto automation. None of them treat human tasks as first-class objects in the orchestration pipeline.
What a Human Workflow Layer Looks Like
HumanRail sits on top of NSO (not replacing it) and adds the orchestration layer for everything that involves people. Here is what that means in practice:
- Approval gates: Insert human approval checkpoints at any point in a service deployment. Define who can approve, how many approvals are needed, and what happens if approval is denied or times out.
- Task queuing and routing: When a service deployment requires physical work (site surveys, fiber patching, equipment installation), tasks are created, prioritized, and routed to qualified workers automatically.
- Worker verification: Before a contractor touches a device, verify their certifications, background check status, and authorization level. This is not optional for compliance-heavy industries.
- Integrated payment: When a task is completed and verified, payment is processed automatically. No separate invoicing system, no 30-day payment cycles.
- Complete audit trail: Every action, approval, task assignment, completion, and payment is logged with timestamps and identity verification. This is the audit trail that compliance teams need.
- MCP for AI agents: AI agents can request approvals, check task status, and route work through the same API that human operators use.
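The approval-gate and audit-trail items above, as an added example that is not HumanRail's or Cisco's code: a gate that reports `approved` only once a quorum of authorized approvers has decided before the deadline, with every decision written to a hash-chained log. The class, field names and identities are hypothetical, and treating a timeout as "not approved" and chaining entries with SHA-256 are assumptions made for the sketch.

```python
import hashlib, json
from dataclasses import dataclass, field

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class ApprovalGate:
    """Hypothetical gate checked before a change is released for commit."""
    change_id: str
    approvers: frozenset   # identities allowed to decide
    quorum: int            # distinct approvals required
    deadline: float        # epoch seconds; no quorum by then means timed out
    approved_by: set = field(default_factory=set)
    denied: bool = False
    audit: list = field(default_factory=list)

    def state(self, now):
        if self.denied:
            return "denied"
        if len(self.approved_by) >= self.quorum:
            return "approved"
        return "timed_out" if now > self.deadline else "pending"

    def decide(self, actor, approve, ts):
        if actor not in self.approvers:
            action = "rejected-unauthorized"
        elif self.state(ts) != "pending":
            action = "rejected-closed"   # gate already decided or past deadline
        else:
            action = "approve" if approve else "deny"
            self.denied = not approve
            if approve:
                self.approved_by.add(actor)  # a set: one vote per identity
        # Each entry commits to the previous hash, so later edits break the chain.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = {"ts": ts, "actor": actor, "action": action,
                "change": self.change_id, "prev": prev}
        self.audit.append({**body, "hash": _digest(body)})
        return self.state(ts)

def verify_audit(entries):
    prev = "0" * 64
    for e in entries:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or e["hash"] != _digest(body):
            return False
        prev = e["hash"]
    return True
```

A caller would release the queued commit only when `state()` returns `approved`; rejected attempts are logged too, so the trail shows who tried to decide as well as who did.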
This Is Not a Criticism of NSO
NSO was built to solve machine orchestration, and it solves it exceptionally well. Expecting NSO to also handle human workflow management would be like expecting a database to also be a project management tool. They are different problems.
The network automation industry has spent a decade building better machine orchestration. The human orchestration layer has been neglected. That is the gap HumanRail fills.
NSO handles the machines. HumanRail handles the people. Together, they cover the full lifecycle of network service delivery from approval to deployment to payment.