TL;DR: AI in the SOC only improves outcomes when telemetry, detection logic, and identity context are already disciplined, according to Gurucul’s summary of Dr. Chase Cunningham’s field guide. Without that foundation, AI scales noise, bias, and blind spots faster than human teams can correct them.
NHIMG editorial — based on content published by Gurucul: AI in Your SIEM is an Accelerant, Not an Autopilot
By the numbers:
- 30% of breaches originate through third-party access, according to the DBIR 2025.
Questions worth separating out
Q: How should security teams use AI in SIEM without losing identity context?
A: Security teams should use AI to accelerate correlation, summarisation, and triage, but only after identity telemetry is fully part of the detection pipeline.
Q: Why do non-human identities matter so much in AI-driven SOC operations?
A: Non-human identities matter because they often hold elevated access, act across multiple systems, and generate activity that looks normal unless identity context is visible.
Q: What do teams get wrong about autonomous SOC claims?
A: Teams often confuse assistance with autonomy.
Practitioner guidance
- Add identity telemetry before expanding AI use cases Ingest IdP decisions, MFA events, token usage, and service principal activity into the SIEM so AI can correlate actions to the identity that performed them.
- Classify SOC AI as privileged infrastructure Place models, prompts, and output workflows under the same access, change, and audit controls used for other high-value administrative systems.
- Keep human review in the response loop Use AI to summarise, prioritise, and correlate, but require analyst approval before containment or response actions are executed.
What's in the full article
Gurucul's full blog covers the operational detail this post intentionally leaves for the source:
- Dr. Chase Cunningham's full field-guide framing for AI in analytics and SIEM
- The practical breakdown of alert triage, natural-language search, and UEBA use cases
- The article's discussion of identity-aware telemetry sources and how they change correlation quality
- Gurucul's examples of governance questions for model access, output review, and change control
👉 Read Gurucul's analysis of AI in the SIEM and identity blind spots →
AI in the SIEM: are your identity controls keeping up?
Explore further
AI in the SOC is an identity governance problem before it is an analytics problem: the article is right that model quality cannot outrun weak telemetry. When identity context is missing, AI only compresses uncertainty into faster decisions, which is a governance failure as much as a technical one. Practitioners should read this as a reminder that detection quality starts with identity visibility, not with model choice.
A few things that frame the scale:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why identity-aware telemetry remains so hard to operationalise in SOC tooling.
A question worth separating out:
Q: Who should be accountable for SOC AI governance?
A: Accountability should sit with the security and identity owners who control access to the model, approve changes, and define how outputs are used. That includes SOC leadership, IAM, and risk governance. If the model can influence investigation or response, it belongs inside formal privileged-access and change-management oversight.
👉 Read our full editorial: AI in the SIEM magnifies identity gaps, not just detection