TL;DR: 87% of organisations are moving toward AI in SOC workflows, 79% see automation as mission-critical, and at least 60% of adopters have cut investigation time by 25% or more, according to Gurucul. The real governance test is not adoption speed, but whether AI-assisted operations remain explainable, reviewable, and accountable.
NHIMG editorial — based on content published by Gurucul: SOC 2025 Pulse of the AI SOC, Chapter 3, AI Enters the Equation
By the numbers:
- 87% of organizations are actively progressing toward integrating AI into their SOCs.
- 79% of respondents believe automation will be mission-critical or a key part of their SOC strategy within the next 24 months.
- Only 9% of analysts are very confident in AI-generated alerts.
Questions worth separating out
Q: How should security teams use AI in SOC workflows without losing control?
A: Start by limiting AI to the parts of the workflow that compress analysis, such as alert enrichment, correlation, and case routing.
Q: Why does AI adoption in the SOC create governance risk for identity teams?
A: Because AI systems increasingly interpret identity signals, recommend actions, and influence response decisions before a human fully reviews the case.
Q: How do organisations know whether AI-assisted detection is actually working?
A: Look beyond adoption numbers and measure whether investigation time drops, false positives fall, and analysts can still reconstruct why a decision was made.
Practitioner guidance
- Define decision boundaries for AI-assisted SOC actions Classify which actions AI may only recommend, which it may execute under supervision, and which always require human approval.
- Require evidence trails for every AI prioritisation decision Capture the alert inputs, correlation logic, and enrichment sources behind each recommendation so analysts can verify why a case was elevated.
- Map AI SOC workflows to identity governance controls Review where AI touches identity context, privileged access, and machine-generated recommendations, then align those touchpoints to existing review, approval, and escalation processes.
What's in the full article
Gurucul's full blog covers the operational detail this post intentionally leaves for the source:
- Survey breakdowns on where AI is already embedded across SOC workflows and where it remains in pilot mode
- Specific use cases for alert enrichment, prioritisation, and automation that underpin the report's adoption claims
- The report's own ROI framing, including time saved on investigations and response acceleration examples
- Additional commentary on how AI is positioned as the SOC's operating system across the chapter
👉 Read Gurucul's analysis of AI adoption and automation in the SOC →
AI in the SOC: what it changes for analysts and IAM teams?
Explore further
AI is becoming a control surface, not just an efficiency layer. Once AI starts triaging alerts, correlating identity signals, and triggering response steps, it is influencing security outcomes directly. That means the governance boundary shifts from analyst productivity to decision authority, evidence quality, and accountability for machine-assisted actions. For identity teams, the lesson is simple: any AI system that helps decide who or what can proceed is already part of the identity control plane.
A few things that frame the scale:
- 59% of infrastructure leaders cite "confidently wrong" AI configuration as their top fear, according to The 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI, even as adoption accelerates.
A question worth separating out:
Q: Who should own accountability for AI-driven SOC decisions?
A: A named human owner should remain accountable for any AI-assisted action that affects risk, access, or response state. Shared tooling does not remove responsibility. The operating model should specify who approves exceptions, who reviews escalations, and who is answerable when machine recommendations are wrong.
👉 Read our full editorial: AI is becoming the SOC operating system, but trust lags