Each generation exposes a different KPI surface (TS 28.552 for NR is not the same as TS 32.425 for LTE) and a different remediation vocabulary, and one-sizing a model across them loses signal on both ends. O-RAN deployments additionally expose E2 and O1 interfaces that non-O-RAN vendors do not, which changes what telemetry is actually available at sub-second granularity. The most common scoping error is training a single anomaly head on mixed 4G/5G data and discovering too late that NR-specific anomalies (beam failure, numerology mismatch) were never representable in the feature set.

The O-RAN architecture formally distinguishes Near-RT RIC (10ms–1s control loop, xApps) from Non-RT RIC (>1s, rApps) and anomaly workloads must pick a side — a model built for one cannot be retrofitted for the other without a full feature and inference redesign. Sub-100ms detection is what actually prevents subscriber-visible degradation; above that, you are optimizing post-mortem analytics rather than real-time protection. Every millisecond budgeted for network egress is a millisecond unavailable for feature assembly, inference, and action dispatch.

Anomaly models that fire constantly train the NOC to ignore them — the alarm-fatigue ceiling is typically <2% FPR before Tier-1 ticket throughput collapses under noise. Nokia has publicly reported ~60% reductions in Tier-1 alarm volumes vs. threshold-based monitoring using ML anomaly detection, which is only achievable when FPR is held below that ceiling. Once auto-remediation is introduced, the FPR tolerance drops another order of magnitude because each false positive now executes a physical change (power, tilt, handover threshold) on the network.

Framing anomaly detection as a revenue / penalty protection function changes how the program trades off accuracy against latency — without a dollar-denominated ceiling, ML teams tend to optimize recall in ways the business cannot fund. FCC Part 4 outage reporting (NORS) and DIRS disaster reporting make some incidents regulatorily expensive independent of direct revenue loss, and an AML-style "cost of a missed detection" model should capture both. A miss that avoids NORS reporting is an order of magnitude cheaper than one that triggers a public filing.

FCC Part 4 (47 CFR Part 4) requires carriers to report outages meeting duration and user-count thresholds through NORS, and DIRS captures disaster-driven reporting during activated events — the anomaly detection model is often the first line of evidence on whether and when a reportable condition started. A model that misses the onset of a reportable outage does not only cost revenue; it creates a regulatory timing gap that is visible in the filing itself. Scoping which sectors and paths are in the reporting envelope is a first-order decision, not an operations afterthought.

RAN telemetry carries coverage, utilization, and subscriber-location inferences that most national regulators treat as sovereign or strategically sensitive, independent of personal-data residency rules. Streaming this data to a shared cloud for ML training or inference creates both a residency exposure and a commercial-intelligence leak. The residency constraint is effectively a deployment-topology constraint — it is usually cheaper to decide once, at scoping time, than to re-platform later.

Closed-loop automation is where anomaly detection converts from analytics into operations, but it is also where a mis-scoped model can physically degrade the network. Actions like tilt changes and cell resets are high-blast-radius and should sit behind tight policy guardrails even when auto-applied. ETSI GS ZSM and O-RAN formalize the concept of scoped, reversible intents — the guardrail design is as important as the model quality.

Deployment topology directly determines the achievable latency floor — cell-site edge gives you the full TTI budget, far-edge aggregation takes a few milliseconds off, and cloud deployment is usually incompatible with sub-100ms detection before a single feature is computed. O-RAN formalizes the choice with Near-RT RIC (xApp) and Non-RT RIC (rApp) tiers, and the decision also locks in which vendors and which SMO you are coupled to. Hybrid topologies (on-site inference + central training) are usually the most flexible but require careful feature-parity discipline.