By NHI Mgmt Group Editorial TeamPublished 2025-08-21Domain: Governance & RiskSource: Gurucul

TL;DR: 60% of AI adopters have cut investigation time by at least 25%, while 87% are deploying, piloting, or evaluating AI SOC tools and only 31% use them across core workflows, according to Gurucul’s 2025 Pulse of the AI SOC report based on 739 cybersecurity leaders. The bigger issue is execution control, not adoption, because identity visibility and workflow integration are still lagging.


At a glance

What this is: The report says AI is already reducing SOC investigation time, but most teams have not operationalised it across core detection and response workflows.

Why it matters: That matters because IAM, NHI, and SOC leaders now have to govern AI-assisted security work without losing visibility into access behaviour, escalation paths, and tool fragmentation.

By the numbers:

👉 Read Gurucul’s 2025 Pulse of the AI SOC report on investigation time and workflow adoption


Context

AI in the SOC is no longer just an experimentation story. The operational problem is that security teams are trying to absorb AI into investigation, triage, and response while still dealing with alert overload, fragmented tools, and weak visibility into how identities move through the environment.

For identity practitioners, the issue is not whether AI can speed up SOC work, but whether the surrounding IAM, NHI, and workflow controls can keep pace. When access behaviour and lateral movement are still poorly visible, AI may accelerate decisions without improving governance over the identities that drive those decisions.


Key questions

Q: How should security teams govern AI use in SOC workflows?

A: Security teams should govern AI in SOC workflows as part of the detection and response control plane, not as a standalone productivity layer. That means defining approval boundaries, reviewability, logging, and escalation ownership for every AI-assisted step. If the workflow cannot be explained, audited, and rolled back, it is not ready for operational use.

Q: Why does AI adoption in the SOC not automatically improve security?

A: AI adoption does not automatically improve security because speed alone does not fix weak identity visibility, fragmented workflows, or poor escalation design. A SOC can cut investigation time and still miss the root cause if access behaviour and lateral movement are not visible. Governance quality determines whether AI creates better decisions or just faster ones.

Q: What breaks when SOC teams automate without identity visibility?

A: When SOC teams automate without identity visibility, they lose context about which identities moved, what privileges changed, and whether an access path was legitimate. AI may still prioritise alerts, but it cannot reliably distinguish benign activity from attacker movement. The result is faster triage built on incomplete evidence.

Q: How can organisations tell if AI SOC tools are actually working?

A: Organisations should look for measurable improvements in investigation time, reviewability, escalation accuracy, and analyst workload, not just tool adoption. If AI reduces noise but operators still have to rebuild the identity story manually, the system is not operating across the full workflow. Real value appears when AI is embedded into controlled response processes.


Technical breakdown

Why AI-powered SOC workflows create an identity governance problem

AI in the SOC is not just another analytics layer. Once models are used to prioritise alerts, assist investigation, or recommend response actions, they become part of the decision path that touches identities, entitlements, and case handling. That creates governance questions around who or what can trigger actions, which data the system can see, and how much trust operators place in machine-assisted recommendations. The article’s own data points to a gap between adoption and operational use, which usually means controls are not embedded deeply enough into the workflow. Practical implication: security leaders need to treat AI-assisted SOC workflows as governed identity processes, not just tooling upgrades.

Practical implication: treat AI-assisted SOC workflows as governed identity processes, not just tooling upgrades.

Identity visibility and lateral movement remain the weak link

The report says 67% of leaders still lack visibility into access behaviour and lateral movement. That matters because SOC automation is only as strong as the identity telemetry behind it. If a team cannot see how accounts, service identities, or delegated access move laterally, AI may help sort alerts faster but still miss the behavioural pattern that explains the incident. In practice, this is a visibility and enrichment problem, not a model problem. Practical implication: SOC teams should correlate AI outputs with identity logs, access history, and privilege changes before they rely on AI to drive response decisions.

Practical implication: correlate AI outputs with identity logs, access history, and privilege changes before relying on AI for response.

Tool fragmentation limits AI’s value in response operations

The report ties burnout and manual triage to fragmented workflows, which is a common SOC failure mode. AI can reduce investigation time, but it cannot compensate for disconnected case management, inconsistent identity data, or handoffs that break attribution. This is where governance and operations meet: if the environment cannot present a coherent identity picture, AI will optimise partial evidence. That usually improves speed in isolated steps without fixing end-to-end response quality. Practical implication: consolidate identity, alert, and case data so AI decisions can be reviewed against a single operational record.

Practical implication: consolidate identity, alert, and case data so AI decisions can be reviewed against a single operational record.



NHI Mgmt Group analysis

AI SOC adoption is outrunning identity governance. The report shows rapid deployment, but deployment is not the same as control. When AI is used to accelerate detection and investigation, the identity problem shifts from alert handling to governed decision authority over security workflows. Practitioners should read this as an operations maturity gap, not a technology success story.

Access visibility is now a SOC control surface, not a background telemetry issue. Gurucul’s finding that 67% of leaders still lack visibility into access behavior and lateral movement is a direct warning sign. Identity data is no longer just for audits or recertification, because SOC speed depends on knowing which identities moved, why they moved, and what they could reach. The practitioner implication is to elevate access telemetry into incident response design.

AI in the SOC reduces analyst fatigue, but it also narrows the tolerance for weak workflow governance. Faster triage only helps when the underlying process is deterministic enough to support review, escalation, and accountability. If AI is bolted onto fragmented tooling, the organisation gets quicker partial decisions rather than better security outcomes. Practitioners should measure AI SOC value by governance quality as much as by time saved.

Identity and behavioural analytics are converging into a single operational control plane. The article points to a market direction where SOC effectiveness depends on joining identity state, behaviour, and response orchestration. That convergence makes IAM and security operations inseparable in practice. The implication for practitioners is that identity teams can no longer treat SOC automation as someone else’s problem.

Execution gap is the right name for this phase of AI SOC adoption. The report shows broad evaluation, but only partial workflow use. That means the core issue is not enthusiasm or proof of concept, but the failure to operationalise AI inside controlled detection and response paths. Security leaders should treat that gap as a governance debt they will have to pay down before scaling further.

From our research:

  • 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.
  • In the same survey, 53% of security leaders expect AI to run major portions of their infrastructure autonomously within the next three years, which makes governance redesign a near-term priority rather than a future-state discussion.
  • That shift is examined further in OWASP NHI Top 10, which is useful when evaluating how autonomous behaviour changes identity controls.

What this signals

With 87% of respondents deploying, piloting or evaluating AI-powered SOC tools, the programme risk is no longer adoption. The real challenge is whether identity data, case handling, and response orchestration are tight enough to support machine-assisted decisions without creating new blind spots.

Execution gap: AI is being inserted into SOC operations faster than identity governance is being redesigned around it. For teams responsible for IAM and security operations, that means speed metrics will keep improving even when accountability, reviewability, and lateral-movement visibility remain weak.

The governance signal is clear: if access behaviour is still invisible in 67% of environments, then the SOC cannot fully trust AI recommendations that depend on identity context. Teams should use this as a trigger to align incident response, identity telemetry, and workflow controls with the guidance in Top 10 NHI Issues.


For practitioners

  • Map AI SOC decision points to identity controls Document where AI systems influence triage, prioritisation, escalation, and response so each step has a human owner, an approval boundary, and an audit trail. This is especially important where the system touches privileged accounts or delegated access paths.
  • Bind SOC automation to identity telemetry Correlate alert enrichment with access logs, privilege changes, and lateral movement indicators before the workflow can recommend containment. This closes the gap between machine speed and identity evidence.
  • Reduce workflow fragmentation before expanding AI use Unify case management, identity data, and response orchestration so AI actions are reviewed in one operational record rather than across disconnected tools. That makes accountability and tuning possible.
  • Measure AI value by governance quality Track not only time saved, but also false positive reduction, reviewability, escalation accuracy, and whether operators can explain why the AI reached a conclusion. Speed without explainable control is brittle.

Key takeaways

  • AI is already reducing SOC investigation time, but adoption alone does not equal operational control.
  • Identity visibility gaps remain central, especially where lateral movement and access behavior are still poorly understood.
  • The next stage of AI SOC maturity is governance integration, not simply broader deployment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0DE.CM-1The report’s identity visibility gap affects continuous monitoring and detection.
NIST SP 800-53 Rev 5AU-6AI-assisted triage and response require accountable analysis and review of security events.
NIST Zero Trust (SP 800-207)SOC automation depends on verifying identity context before response actions.

Treat AI-assisted SOC actions as zero-trust decisions that require identity verification at each step.


Key terms

  • AI-assisted SOC: A security operations model where AI helps prioritise alerts, investigate incidents, or recommend response actions. The key governance issue is not the model itself, but whether the surrounding workflow preserves accountability, reviewability, and identity context when machine speed is introduced into operational decisions.
  • Access behavior visibility: The ability to see how identities use access over time, including privilege changes, movement between systems, and unusual patterns of reach. In SOC work, this is essential because AI can only reason well when the identity evidence behind an alert is visible and reliable.
  • Execution gap: The gap between deploying a capability and using it consistently inside core operational workflows. In AI SOC programmes, this usually means tools are piloted or evaluated, but they are not yet embedded into the decisions, escalations, and response paths that determine real security outcomes.
  • Identity telemetry: Operational data that shows how identities authenticate, receive privilege, move laterally, and interact with systems. For SOC teams, this is the evidence layer that turns AI outputs into accountable decisions rather than fast but context-poor guesses.

What's in the full report

Gurucul's full report covers the operational detail this post intentionally leaves for the source:

  • Survey breakdown across 739 cybersecurity leaders and how AI adoption varies by SOC maturity.
  • Detailed ROI claims on investigation time reduction and analyst fatigue across adopter cohorts.
  • The report's discussion of where AI is being piloted versus used across core detection and response workflows.
  • Context from Cybersecurity Insiders on how identity and behavioural analytics are being combined in SOC operations.

👉 Gurucul’s full report adds the survey detail behind AI adoption, identity visibility gaps, and SOC workflow use.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM, SOC, or identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org