By NHI Mgmt Group Editorial TeamPublished 2025-08-22Domain: Governance & RiskSource: Gurucul

TL;DR: A Cybersecurity Insiders survey of 739 security leaders finds 96% reporting critical visibility gaps, 77% seeing higher alert volume, and 67% lacking identity and access behavior visibility, while 87% are evaluating or deploying AI-powered SOC tools. The evidence shows SOC modernization is now an identity problem as much as a detection problem.


At a glance

What this is: This report argues that AI is becoming central to SOC operations because existing tooling cannot keep up with alert volume, fragmented telemetry, and weak identity visibility.

Why it matters: It matters because IAM, NHI, and SOC teams now share the same blind spots, and identity behavior is increasingly where investigations begin and where controls fail first.

By the numbers:

👉 Read Gurucul's analysis of the 2025 AI-powered SOC transformation report


Context

AI-powered SOC programmes are emerging because traditional detection stacks are being overwhelmed by alert volume, fragmented telemetry, and slow data onboarding. The report is not really about AI as a buzzword. It is about the operational gap between what security teams need to observe and what their current SOC architecture can actually see, especially across identity and access behavior.

For identity practitioners, the important shift is that the SOC is now running into the same structural problem that IAM and NHI programmes already know well: visibility without context does not produce governance. When identity, entitlement, and access signals stay siloed, neither human access reviews nor machine identity monitoring can reliably explain who or what is acting inside the environment.


Key questions

Q: How should security teams use AI in the SOC without creating new blind spots?

A: Use AI first on repetitive, high-volume SOC work such as triage, enrichment, and false-positive suppression. Keep humans involved in higher-discretion judgments until the model can explain its outputs and those outputs can be checked against identity, entitlement, and access context. If the input data is fragmented, AI will accelerate confusion rather than response quality.

Q: Why does identity visibility matter so much in modern SOC operations?

A: Identity visibility matters because many of the most important attacks are now identity-driven, including phishing, social engineering, and cloud account abuse. Without seeing entitlement and access behavior, SOC teams cannot reliably tell whether activity is normal, risky, or malicious. That makes identity context a prerequisite for both detection and investigation.

Q: What breaks when SOC tooling stays fragmented across too many platforms?

A: Fragmentation slows onboarding, multiplies telemetry gaps, and forces analysts to reconcile inconsistent data before they can investigate. When an organisation uses dozens of tools and still cannot ingest new data quickly, the SOC loses operational tempo. The result is more manual work, slower triage, and weaker correlation across identity and cloud activity.

Q: Who should own the identity data problem in a SOC transformation programme?

A: Ownership should be shared across SOC, IAM, and cloud security teams, but the operating model needs a clear data steward for identity signals. If no one owns access behavior, entitlement quality, and source onboarding, the SOC will keep treating symptoms instead of reducing the visibility gap. Accountability has to sit with the teams closest to the identity data.


Technical breakdown

Why identity telemetry is the SOC blind spot

Identity telemetry is the collection of signals that show which subject authenticated, what entitlements were used, and how access changed during activity. In this report, identity and access behavior is one of the least monitored areas even though it sits at the center of phishing, social engineering, and cloud-driven attacks. The technical failure is not just missing logs. It is the absence of joined-up identity context across cloud, endpoint, and SIEM layers, which leaves analysts with events but no actor model.

Practical implication: consolidate identity, entitlement, and access signals into the detection pipeline before adding more alert sources.

Why fragmented tooling slows detection and response

Fragmentation matters because each extra control plane creates another place where telemetry can be delayed, duplicated, or lost. The report shows that many SOCs rely on 20 or more tools and still take one week to three months to onboard new data feeds into the SIEM. That means the response system is always behind the environment it is trying to watch. AI can reduce some manual workload, but it cannot compensate for delayed visibility into the underlying identity and cloud data that triggers investigation.

Practical implication: measure onboarding latency as a SOC control metric, not just a data engineering problem.

How AI changes SOC workflow without replacing analysts

AI in the SOC is best understood as workflow compression, not analyst replacement. The report highlights use cases such as triage, enrichment, false-positive suppression, and pattern detection. These are repetitive decision steps where machines can reduce queue time and standardize first-pass analysis. The boundary matters: AI can rank, correlate, and summarize, but it still depends on trustworthy data and clear operating rules. If the input layer lacks identity fidelity, the output becomes faster noise rather than better judgment.

Practical implication: restrict AI to high-volume, low-discretion workflows until its explanations are validated against known identity scenarios.



NHI Mgmt Group analysis

Identity visibility is now the SOC’s governing constraint. The report’s core message is not that AI solves detection, but that detection quality is bounded by whether identity, entitlement, and access behavior are actually observable. When 67% of organisations still lack that visibility, the SOC cannot reliably distinguish an account, a service identity, and an access pattern. Practitioners should treat identity telemetry as a control plane, not an add-on.

Alert fatigue is a governance failure as much as an operations problem. A SOC that is buried in alerts but cannot separate meaningful identity change from noise has lost the ability to enforce priority. The report’s figures on rising alert volume and manual triage show that human review cycles are too slow for the scale of modern telemetry. That pushes security teams toward policy-driven automation, but only where the data model is already trustworthy.

AI-powered SOC adoption is exposing a runtime trust problem. Only a small minority of respondents are very confident in AI-generated alerts, which means adoption is outrunning assurance. That does not invalidate AI use in the SOC. It means AI must be deployed where the team can verify inputs, understand decision logic, and tie outputs back to identity context. The practitioner conclusion is simple: speed without explainability creates new operational blind spots.

Cross-domain visibility is the new identity security boundary. The same attack paths that challenge SOC teams also undermine IAM and NHI programmes when access data is fragmented across tools. If identity, cloud, and security operations do not share a common view of behaviour, recertification and detection become disconnected exercises. Practitioners should align SOC telemetry with identity governance rather than treating them as separate programmes.

Identity entropy is the named concept this report surfaces. It describes the condition where identity, entitlement, and access data are present in the estate but not assembled into a usable governance picture. The report shows this entropy in the gap between tool volume, onboarding delay, and weak identity visibility. The implication is that more telemetry alone will not improve security until the identity layer is operationally coherent.

From our research:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how rare mature identity observability still is.
  • The next step is to compare detection maturity with lifecycle governance in NHI Lifecycle Management Guide, especially where access review and revocation are still manual.

What this signals

The direction of travel is clear: SOC transformation is converging with identity governance, because the most damaging attack paths now depend on access behavior that many environments still cannot see. With 79% of organisations having experienced secrets leaks, and 77% of those causing tangible damage, the business case for identity-aware detection is no longer theoretical.

Identity entropy: this is the operational state where identity, entitlement, and telemetry exist in the environment but do not combine into a usable security picture. Teams should expect AI investments to disappoint if they are layered over fragmented access data and delayed onboarding. The more practical priority is to align AI workflows with identity control data and to validate that correlation against real incident patterns.

Programmes that separate SOC automation from IAM governance will continue to miss the same problems from different angles. The more resilient model is a shared operating view across human access, NHI behaviour, and cloud activity, supported by source-of-truth identity data and a clear ownership model.


For practitioners

  • Build identity visibility into SOC design Map identity, entitlement, and access data into the detection architecture as first-class inputs. Prioritise sources that show who acted, what privilege changed, and which access path was used across cloud and endpoint environments.
  • Reduce SIEM onboarding latency Track the time from source approval to usable correlation in the SIEM and treat delays of weeks or months as a control defect. Use the delay to identify where normalization, parsing, or ownership is breaking down.
  • Limit AI to verifiable workflows first Start AI use in triage, enrichment, and false-positive suppression where outcomes can be compared against known cases. Keep human review on high-discretion decisions until the model can explain its identity-related judgments consistently.
  • Align SOC metrics with identity outcomes Measure whether the SOC is improving identity-driven detection, reducing manual work, and shortening investigation cycles. If the programme cannot show those outcomes, the AI layer is only adding complexity.

Key takeaways

  • The report shows that SOC performance is increasingly limited by identity visibility, not just alert volume.
  • AI can reduce manual workload, but only when it is built on trustworthy identity, entitlement, and access data.
  • Security teams should treat identity telemetry, SIEM onboarding speed, and explainability as core SOC controls rather than supporting functions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0DE.CM-1The report centers on continuous monitoring of identity and cloud behavior.
NIST SP 800-53 Rev 5AU-6Alert triage and correlation map directly to audit analysis and response.
NIST Zero Trust (SP 800-207)The report repeatedly stresses identity-aware visibility across environments.

Strengthen monitoring of identity and cloud telemetry so SOC teams can detect abnormal access patterns faster.


Key terms

  • Identity Telemetry: Identity telemetry is the stream of signals that shows who authenticated, what privileges were used, and how access changed over time. In SOC operations, it becomes useful only when it is correlated with cloud, endpoint, and application activity so analysts can interpret behaviour, not just events.
  • Alert Fatigue: Alert fatigue is the loss of analyst attention caused by too many low-value or repetitive notifications. It turns detection into a queue management problem and increases the chance that real identity-driven threats are missed or triaged too late.
  • Identity Entropy: Identity entropy is the state where identity, entitlement, and access information exists across many tools but does not form a coherent operational picture. It is a governance problem because the organisation has data without control, and a detection problem because analysts cannot reliably attribute behaviour.
  • AI-Powered SOC: An AI-powered SOC uses machine learning or generative AI to automate parts of detection, triage, enrichment, and response. The value depends on data quality, explainability, and the ability to tie model output back to identity and access context.

What's in the full report

Gurucul's full blog covers the operational detail this post intentionally leaves for the source:

  • The report's full survey breakdown by alert volume, investigation speed, and AI adoption stage.
  • The vendor's workflow examples for triage, enrichment, and false-positive suppression.
  • The detailed discussion of trust in AI-generated alerts and how analysts validate output.
  • The report's breakdown of what SOC teams are prioritising over the next 12 to 24 months.

👉 Gurucul's full post covers the survey findings, AI workflow data, and SOC priorities in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org