TL;DR: A Cybersecurity Insiders survey of 739 security leaders finds 96% reporting critical visibility gaps, 77% seeing higher alert volume, and 67% lacking identity and access behavior visibility, while 87% are evaluating or deploying AI-powered SOC tools. The evidence shows SOC modernization is now an identity problem as much as a detection problem.
NHIMG editorial — based on content published by Gurucul: 2025 Pulse of AI-Powered SOC Transformation Report
By the numbers:
- A global survey of 739 cybersecurity leaders reveals a decisive shift in how SOC teams are approaching AI.
- 77% of organizations have seen an increase in alert volume, with nearly half experiencing a spike of over 25% in the past year.
- 96% of respondents acknowledging critical blind spots, most notably in cloud infrastructure and identity and access behavior.
Questions worth separating out
Q: How should security teams use AI in the SOC without creating new blind spots?
A: Use AI first on repetitive, high-volume SOC work such as triage, enrichment, and false-positive suppression.
Q: Why does identity visibility matter so much in modern SOC operations?
A: Identity visibility matters because many of the most important attacks are now identity-driven, including phishing, social engineering, and cloud account abuse.
Q: What breaks when SOC tooling stays fragmented across too many platforms?
A: Fragmentation slows onboarding, multiplies telemetry gaps, and forces analysts to reconcile inconsistent data before they can investigate.
Practitioner guidance
- Build identity visibility into SOC design Map identity, entitlement, and access data into the detection architecture as first-class inputs.
- Reduce SIEM onboarding latency Track the time from source approval to usable correlation in the SIEM and treat delays of weeks or months as a control defect.
- Limit AI to verifiable workflows first Start AI use in triage, enrichment, and false-positive suppression where outcomes can be compared against known cases.
What's in the full report
Gurucul's full blog covers the operational detail this post intentionally leaves for the source:
- The report's full survey breakdown by alert volume, investigation speed, and AI adoption stage.
- The vendor's workflow examples for triage, enrichment, and false-positive suppression.
- The detailed discussion of trust in AI-generated alerts and how analysts validate output.
- The report's breakdown of what SOC teams are prioritising over the next 12 to 24 months.
👉 Read Gurucul's analysis of the 2025 AI-powered SOC transformation report →
AI-powered SOCs and identity visibility gaps: what teams need now?
Explore further
Identity visibility is now the SOC’s governing constraint. The report’s core message is not that AI solves detection, but that detection quality is bounded by whether identity, entitlement, and access behavior are actually observable. When 67% of organisations still lack that visibility, the SOC cannot reliably distinguish an account, a service identity, and an access pattern. Practitioners should treat identity telemetry as a control plane, not an add-on.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how rare mature identity observability still is.
A question worth separating out:
Q: Who should own the identity data problem in a SOC transformation programme?
A: Ownership should be shared across SOC, IAM, and cloud security teams, but the operating model needs a clear data steward for identity signals. If no one owns access behavior, entitlement quality, and source onboarding, the SOC will keep treating symptoms instead of reducing the visibility gap. Accountability has to sit with the teams closest to the identity data.
👉 Read our full editorial: AI-powered SOCs expose the identity visibility gap in modern defence