TL;DR: 60% of AI adopters have cut investigation time by at least 25%, while 87% are deploying, piloting, or evaluating AI SOC tools and only 31% use them across core workflows, according to Gurucul’s 2025 Pulse of the AI SOC report based on 739 cybersecurity leaders. The bigger issue is execution control, not adoption, because identity visibility and workflow integration are still lagging.
NHIMG editorial — based on content published by Gurucul: 2025 Pulse of the AI SOC research report
By the numbers:
- 87% of respondents are deploying, piloting or evaluating AI-powered SOC tools, but only 31% use them across core detection and response workflows.
- 67% still lack visibility into access behavior and lateral movement.
Questions worth separating out
Q: How should security teams govern AI use in SOC workflows?
A: Security teams should govern AI in SOC workflows as part of the detection and response control plane, not as a standalone productivity layer.
Q: Why does AI adoption in the SOC not automatically improve security?
A: AI adoption does not automatically improve security because speed alone does not fix weak identity visibility, fragmented workflows, or poor escalation design.
Q: What breaks when SOC teams automate without identity visibility?
A: When SOC teams automate without identity visibility, they lose context about which identities moved, what privileges changed, and whether an access path was legitimate.
Practitioner guidance
- Map AI SOC decision points to identity controls Document where AI systems influence triage, prioritisation, escalation, and response so each step has a human owner, an approval boundary, and an audit trail.
- Bind SOC automation to identity telemetry Correlate alert enrichment with access logs, privilege changes, and lateral movement indicators before the workflow can recommend containment.
- Reduce workflow fragmentation before expanding AI use Unify case management, identity data, and response orchestration so AI actions are reviewed in one operational record rather than across disconnected tools.
What's in the full report
Gurucul's full report covers the operational detail this post intentionally leaves for the source:
- Survey breakdown across 739 cybersecurity leaders and how AI adoption varies by SOC maturity.
- Detailed ROI claims on investigation time reduction and analyst fatigue across adopter cohorts.
- The report's discussion of where AI is being piloted versus used across core detection and response workflows.
- Context from Cybersecurity Insiders on how identity and behavioural analytics are being combined in SOC operations.
👉 Read Gurucul’s 2025 Pulse of the AI SOC report on investigation time and workflow adoption →
AI in the SOC: are investigation gains outpacing operational control?
Explore further
AI SOC adoption is outrunning identity governance. The report shows rapid deployment, but deployment is not the same as control. When AI is used to accelerate detection and investigation, the identity problem shifts from alert handling to governed decision authority over security workflows. Practitioners should read this as an operations maturity gap, not a technology success story.
A few things that frame the scale:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.
- In the same survey, 53% of security leaders expect AI to run major portions of their infrastructure autonomously within the next three years, which makes governance redesign a near-term priority rather than a future-state discussion.
A question worth separating out:
Q: How can organisations tell if AI SOC tools are actually working?
A: Organisations should look for measurable improvements in investigation time, reviewability, escalation accuracy, and analyst workload, not just tool adoption. If AI reduces noise but operators still have to rebuild the identity story manually, the system is not operating across the full workflow. Real value appears when AI is embedded into controlled response processes.
👉 Read our full editorial: AI in the SOC is cutting investigation time but widening the execution gap