By NHI Mgmt Group Editorial Team
Published 2025-07-23
Domain: Governance & Risk
Source: Abnormal AI

TL;DR: A survey of 491 security leaders and analysts finds that 96% do not expect AI to cut SOC headcount, while 80% of analysts and 75% of leaders expect autonomous SOCs within three to five years, according to Abnormal AI and Omdia. The governance issue is not replacement, but whether teams can preserve human oversight as automation shifts from task support to operational decision-making.


At a glance

What this is: This research argues that AI is changing the SOC by reducing repetitive work, expanding threat hunting, and setting up autonomous operations as a near-term operating model.

Why it matters: It matters because SOC automation, analyst burnout, and autonomous operations all affect how IAM, NHI, and human identity governance teams design access, oversight, and accountability.

By the numbers:

👉 Read Abnormal AI's full report on human-centred AI in the SOC


Context

Security operations teams are under pressure from alert volume, repetitive triage, and analyst burnout. In this research, AI is presented as a way to move the SOC away from manual queue handling and toward higher-value work such as threat hunting and incident response.

The identity governance angle is broader than SOC tooling. As AI begins to influence detection, prioritisation, and response, organisations have to decide how much operational authority to give machine systems, how to keep humans accountable, and how to align that model with IAM, PAM, and lifecycle controls across people and non-human identities.


Key questions

Q: How should security teams use AI in the SOC without losing human control?

A: Use AI to remove repetitive work, enrich alerts, and accelerate triage, but keep humans accountable for escalation, containment, and exception handling. The right model is human-centred automation, where AI expands analyst capacity without becoming the final decision-maker for high-risk actions. That requires explicit approval gates, audit trails, and ownership for every automated step.

Q: When does SOC automation create more risk than it reduces?

A: SOC automation becomes risky when the system can act faster than governance can explain its actions. If prioritisation, suppression, or response happens without clear accountability, the team may gain speed but lose control over false positives, missed context, and unintended containment. The threshold is reached when execution is no longer visibly tied to a human decision path.

Q: What should organisations measure to know whether AI is helping the SOC?

A: Track analyst time recovered, reduction in repetitive work, quality of escalations, and how much of the saved capacity is being redirected to threat hunting or incident response. If AI only increases throughput but does not improve decision quality or strategic work, it is not solving the underlying SOC problem.

Q: Who should be accountable for autonomous SOC actions?

A: Accountability should remain with the organisation that authorises the automation, not with the tool itself. If an autonomous action causes harm, the programme must be able to identify the approved scope, the owner of the workflow, and the escalation path that should have intervened. Without that, automation becomes operationally fast but weakly governed.


Technical breakdown

How AI changes SOC workflow economics

AI in the SOC is best understood as workload redistribution rather than replacement. It takes on repetitive tasks such as alert grouping, enrichment, and first-pass analysis so analysts can spend more time on judgement-heavy work. That matters because SOC performance depends not only on detection quality but on the time available for escalation, investigation, and learning. When repetitive work dominates the queue, teams lose strategic capacity and response quality drops. The research frames this as a human-centred model, where AI improves throughput without removing the need for analysts to decide, verify, and intervene.

Practical implication: map which SOC tasks can be offloaded safely, then measure whether the freed time is actually being redirected to threat hunting and response.

Why autonomous SOCs raise governance questions

An autonomous SOC is not just faster automation. It implies that parts of detection and response move from human-paced review to machine-paced execution, which changes how oversight works. The control problem shifts from simple task completion to decision legitimacy, because the system may now prioritise, correlate, and act before an analyst reviews the case. That is materially different from rule-based orchestration. Even in a human-centred model, the more the SOC delegates timing and sequencing to machines, the more important it becomes to define decision boundaries, escalation gates, and accountability for exceptions.

Practical implication: define which SOC actions remain human-approved and which can execute automatically, then test those boundaries under realistic alert conditions.

Trust, transparency, and evaluation criteria for SOC AI

The article shows that decision-makers care less about AI branding and more about proof, transparency, and operational effect. In practice, SOC AI is only adoptable when teams can understand how the model is trained, what data it sees, and how confidently it handles uncertainty. That aligns with broader governance patterns in IAM and NHI security: if an identity-bearing system makes decisions at runtime, the programme needs evidence of intent, scope, and traceability. A tool that cannot explain its behaviour may still be useful, but it is harder to govern responsibly.

Practical implication: require demonstrable performance evidence, training transparency, and auditability before allowing AI deeper operational influence.


NHI Mgmt Group analysis

Human-centred AI is a governance model, not an operating principle for automatic trust. The article’s strongest signal is that security teams want AI to absorb repetitive SOC work while preserving human judgement. That is sensible, but it also means AI is being admitted into workflows that already depend on precise escalation and accountability. The practitioner conclusion is that AI can accelerate SOC operations only if the programme still knows where human review must remain non-negotiable.

Autonomous SOCs turn workflow design into identity governance. Once machines are expected to prioritise, correlate, and act at runtime, the question is no longer only operational efficiency. It becomes who or what is authorised to decide, under which conditions, and with what audit evidence. For identity teams, that pushes SOC automation into the same governance conversation as non-human identities and privileged workflows, because execution authority is now part of the control surface.

Decision quality is becoming the new evaluation standard for security operations AI. The research says 85% of respondents prioritise solution effectiveness over claims, which reflects a wider market shift away from feature narratives and toward measurable operational outcomes. That is a healthy correction, but it also raises the bar for governance because effectiveness without explainability can still conceal fragile control paths. The practitioner conclusion is to evaluate AI on response quality, not just speed.

Analyst fatigue is a control problem, not just a staffing problem. When 44% of analysts spend too much time on repetitive tasks and 35% report burnout, the SOC loses capacity for the very work that reduces risk: hunting, validation, and remediation follow-through. The implication is that organisations should treat repetitive workload as a security exposure because it degrades the quality of every downstream decision. The practitioner conclusion is to reduce toil as part of control design, not as an afterthought.

From our research:

What this signals

Human-centred SOC AI will still force identity teams to answer the same question: who is allowed to act when the analyst is no longer in the loop? The practical issue is not whether AI can reduce toil, but whether its runtime permissions are constrained tightly enough to preserve accountability. With 59% of daily AI users already spending more time on advanced threat hunting, the operating model is shifting from triage to supervision, which makes workflow ownership a governance issue as much as an operations issue.

Autonomous SOC expectations will pressure IAM and PAM teams to think in terms of decision boundaries rather than static entitlements. Once a machine system can choose timing and sequencing inside response workflows, access reviews alone do not tell you whether the control model still fits. Teams should prepare for more granular approval gates, better separation between assistive and executable actions, and clearer evidence of who authorised each automated pathway.


For practitioners

  • Separate automation from authority: Document which SOC functions AI may assist with and which actions still require analyst approval, especially for containment, suppression, and escalation decisions. Treat approval boundaries as governance controls, not workflow preferences.
  • Measure whether AI time savings become security capacity: Track where saved analyst time goes after AI adoption. The key question is whether teams increase threat hunting, incident response, and mentoring, or simply absorb more alert volume.
  • Set evidence requirements before expanding AI scope: Require transparency into model training, validation results, and false-positive behaviour before AI is allowed deeper influence over response prioritisation or automated action.
  • Revisit privileged access for SOC automation: Review the access granted to detection, enrichment, and response systems as non-human identities. Apply least privilege, short-lived credentials, and clear ownership for every automated workflow.
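The practitioner items above (separating assistive from executable actions, approval gates for containment and suppression, and short-lived credentials with a named owner for every automated workflow) can be expressed as a small policy check that every proposed SOC action passes through before anything executes. The following is an added example written for this page, not code from Abnormal AI or NHI Mgmt Group; the action names, team names, identities and expiry windows are constructed placeholders, and the three-tier assist / decide / act split is one way of encoding the page's decision-boundary idea, not a standard.

```python
"""Approval-gate check for SOC automation actions (constructed example).

Three decision boundaries, following the page's assist / decide / act split:
  ASSIST  - AI may enrich or group alerts; no operational decision is taken.
  DECIDE  - AI may propose; a distinct human identity must approve first.
  ACT     - AI may execute automatically, but only inside the declared scope.
Every evaluation yields an audit record naming the accountable workflow owner.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import FrozenSet, List, Optional


class Boundary(Enum):
    ASSIST = "assist"
    DECIDE = "decide"
    ACT = "act"


@dataclass(frozen=True)
class WorkflowPolicy:
    boundary: Boundary
    owner: str                  # team accountable for this automated step
    escalation: str             # who is routed the case when the gate is not met
    allowed_targets: FrozenSet[str] = frozenset()  # scope for ACT; empty = none


# Constructed policy table; action, team and target names are placeholders.
POLICY = {
    "enrich_alert":   WorkflowPolicy(Boundary.ASSIST, "soc-platform", "soc-lead"),
    "group_alerts":   WorkflowPolicy(Boundary.ASSIST, "soc-platform", "soc-lead"),
    "suppress_alert": WorkflowPolicy(Boundary.DECIDE, "detection-eng", "soc-lead"),
    "isolate_host":   WorkflowPolicy(Boundary.DECIDE, "ir-team", "ir-duty-manager"),
    "open_ticket":    WorkflowPolicy(Boundary.ACT, "soc-platform", "soc-lead",
                                     frozenset({"ticketing"})),
}


@dataclass
class ActionRequest:
    request_id: str
    action: str
    target: str
    actor: str                          # non-human identity proposing the action
    credential_expires_at: datetime     # short-lived credential of that identity
    approved_by: Optional[str] = None   # human approver, when one has signed off


@dataclass
class AuditRecord:
    request_id: str
    action: str
    boundary: str
    owner: str
    actor: str
    approved_by: Optional[str]
    outcome: str   # executed | assist_only | pending_approval | denied
    reason: str


def evaluate(req: ActionRequest, now: datetime) -> AuditRecord:
    """Apply the decision boundary for one request and return its audit record."""
    policy = POLICY.get(req.action)

    def record(outcome: str, reason: str, boundary: str = "unknown",
               owner: str = "unassigned") -> AuditRecord:
        return AuditRecord(req.request_id, req.action, boundary, owner,
                           req.actor, req.approved_by, outcome, reason)

    if policy is None:  # no owner or boundary defined -> nothing may execute
        return record("denied", "action not in policy; no owner or boundary defined")
    b, o = policy.boundary.value, policy.owner
    if req.credential_expires_at <= now:
        return record("denied", "automation credential expired", b, o)
    if policy.boundary is Boundary.ASSIST:
        return record("assist_only", "advisory output; no operational decision taken", b, o)
    if policy.boundary is Boundary.DECIDE:
        if req.approved_by is None:
            return record("pending_approval", f"routed to {policy.escalation}", b, o)
        if req.approved_by == req.actor:  # automation may not approve itself
            return record("denied", "approver must be distinct from the acting identity", b, o)
        return record("executed", f"approved by {req.approved_by}", b, o)
    if req.target not in policy.allowed_targets:  # ACT: enforce declared scope
        return record("denied", "target outside declared automation scope", b, o)
    return record("executed", "auto-executed within declared scope", b, o)


def run_sample() -> List[AuditRecord]:
    """Evaluate a constructed batch of requests at a fixed clock time."""
    now = datetime(2025, 7, 23, 12, 0, tzinfo=timezone.utc)
    valid, expired = now + timedelta(minutes=30), now - timedelta(minutes=1)
    ai = "svc-soc-ai"  # constructed non-human identity
    requests = [
        ActionRequest("r1", "enrich_alert", "alert-1001", ai, valid),
        ActionRequest("r2", "isolate_host", "host-42", ai, valid),
        ActionRequest("r3", "isolate_host", "host-42", ai, valid, approved_by="analyst.kim"),
        ActionRequest("r4", "suppress_alert", "rule-77", ai, valid, approved_by=ai),
        ActionRequest("r5", "open_ticket", "ticketing", ai, valid),
        ActionRequest("r6", "open_ticket", "firewall", ai, valid),
        ActionRequest("r7", "open_ticket", "ticketing", ai, expired),
        ActionRequest("r8", "wipe_endpoint", "host-42", ai, valid, approved_by="analyst.kim"),
    ]
    return [evaluate(r, now) for r in requests]


if __name__ == "__main__":
    for rec in run_sample():
        print(f"{rec.request_id} {rec.action:<14} {rec.boundary:<8} "
              f"owner={rec.owner:<14} {rec.outcome:<16} {rec.reason}")
```

The point the batch illustrates is that the gate is evaluated on the request, not on the tool's confidence: a containment action without a human approver is parked rather than executed, an approval signed by the automation identity itself is rejected, an auto-executable action is still refused outside its declared scope or once its credential has expired, and an action nobody has assigned an owner to cannot run at all. The audit record carries owner, actor and approver for every outcome, which is the evidence the page says must exist when an autonomous action is later questioned.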

Key takeaways

  • The research shows that AI is being used to augment SOC analysts, not replace them, but that only works when human judgement remains in the loop.
  • Burnout and repetitive work are operational security problems because they reduce the time available for threat hunting, response, and validation.
  • As autonomous SOCs become more plausible, identity and access governance must extend to machine decision boundaries, not just analyst productivity.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                  Control / Reference   Relevance
NIST CSF 2.0               PR.AC-4               AI-driven SOC workflows need access limits and accountability boundaries.
OWASP Agentic AI Top 10    A10                   Runtime action boundaries matter when AI can influence or execute SOC responses.
NIST AI RMF                                      Trust, transparency, and accountability are central to AI governance in the SOC.

Assess AI-assisted SOC workflows for agentic misuse paths before allowing automation to act.


Key terms

  • Autonomous SOC: A security operations model where software can prioritise, correlate, or trigger response actions with limited human intervention. In governance terms, the key issue is not automation itself but whether decision authority, escalation, and auditability still remain clear when execution moves faster than analysts can review.
  • Human-Centred AI: An operational approach that uses AI to increase analyst effectiveness without removing human accountability for security decisions. In practice, it means AI handles repetitive or high-volume work while humans retain oversight for judgement calls, exceptions, and actions that carry significant risk.
  • Analyst Burnout: A state in which repetitive work, alert overload, and lack of strategic time reduce a SOC analyst’s effectiveness. It is not just an HR issue. Burnout directly affects security outcomes because it lowers attention, slows investigations, and reduces the capacity for threat hunting and remediation.
  • Decision Boundary: The point at which a system may assist but not decide, or decide but not act, without additional approval. For SOC AI and other non-human identities, decision boundaries define where governance must intervene so that speed does not outrun accountability or cause uncontrolled automation.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme governance, it is worth exploring.

This post draws on content published by Abnormal AI: Human-Centered AI: Redefining the Modern SOC. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org