This work addresses the critical trade-off between safety and operational efficiency in autonomous driving systems under long-tail rare scenarios or cyber-physical attacks. The authors propose RAIL, a novel framework that integrates three signals—curvature-based actuation integrity, time-to-collision proximity, and observation deviation consistency—into a weighted Noisy-OR model to generate an intrusion risk score. A contextual bandit arbitrator dynamically switches control policies: activating protective measures and enabling human takeover under high risk, while executing standard policies under low risk. RAIL combines Soft Actor-Critic with risk-prioritized experience replay and a dual-reward mechanism for online adaptive response and optimization. Experiments show that RAIL achieves a reward of 360.65 in MetaDrive (success rate 0.85, safety violations only 0.75), improves success rates to 0.68 and 0.80 under CAN injection and LiDAR spoofing attacks (reducing attack success to 0.34 and 0.11, respectively), and attains a reward of 1609.70 in CARLA within merely 8,000 training steps.

Autonomous vehicles must remain safe and effective when encountering rare long-tailed scenarios or cyber-physical intrusions during driving. We present RAIL, a risk-aware human-in-the-loop framework that turns heterogeneous runtime signals into calibrated control adaptations and focused learning. RAIL fuses three cues (curvature actuation integrity, time-to-collision proximity, and observation-shift consistency) into an Intrusion Risk Score (IRS) via a weighted Noisy-OR. When IRS exceeds a threshold, actions are blended with a cue-specific shield using a learned authority, while human override remains available; when risk is low, the nominal policy executes. A contextual bandit arbitrates among shields based on the cue vector, improving mitigation choices online. RAIL couples Soft Actor-Critic (SAC) with risk-prioritized replay and dual rewards so that takeovers and near misses steer learning while nominal behavior remains covered. On MetaDrive, RAIL achieves a Test Return (TR) of 360.65, a Test Success Rate (TSR) of 0.85, a Test Safety Violation (TSV) of 0.75, and a Disturbance Rate (DR) of 0.0027, while logging only 29.07 training safety violations, outperforming RL, safe RL, offline/imitation learning, and prior HITL baselines. Under Controller Area Network (CAN) injection and LiDAR spoofing attacks, it improves Success Rate (SR) to 0.68 and 0.80, lowers the Disengagement Rate under Attack (DRA) to 0.37 and 0.03, and reduces the Attack Success Rate (ASR) to 0.34 and 0.11. In CARLA, RAIL attains a TR of 1609.70 and TSR of 0.41 with only 8000 steps.