TL;DR: Rising alert volumes, critical visibility gaps, and dissatisfaction with current SIEM deployments are exposing structural limits in fragmented detection operations, according to Gurucul’s 2025 Pulse of the AI SOC. The core issue is not just more noise, but a security model that cannot reliably see identity and cloud behaviour fast enough to act.
NHIMG editorial — based on content published by Gurucul: 2025 Pulse of the AI SOC, Chapter 2 on why the SOC is breaking
By the numbers:
- 77% of organizations report increased alert volumes.
- 96% of respondents report critical blind spots, most commonly in cloud infrastructure (74%) and identity and access behavior (67%).
- 78% of organizations are either dissatisfied, stuck with limitations, or forced to augment their current SIEM solutions.
Questions worth separating out
Q: How should SOC teams reduce alert fatigue without losing identity visibility?
A: SOC teams should reduce alert fatigue by correlating identity, cloud, and endpoint events before they reach analysts.
Q: Why do identity and cloud blind spots matter so much in modern SOC operations?
A: Identity and cloud blind spots matter because many high-impact attacks begin with legitimate access or compromised credentials.
Q: What breaks when a SIEM depends on too many adjacent tools for context?
A: What breaks is the continuity of the investigation.
Practitioner guidance
- Prioritise identity and cloud telemetry onboarding first Make identity providers, cloud control planes, and privileged access logs the first feeds to reach operational status.
- Correlate alerts before analyst review Require detection logic that joins identity anomalies, endpoint events, and cloud activity into a single case.
- Measure onboarding latency as a security metric Track how long it takes to make a new data source usable for detection, not just connected to the SIEM.
What's in the full article
Gurucul's full blog covers the operational detail this post intentionally leaves for the source:
- Breakdown of the survey findings behind alert fatigue, staffing strain, and SIEM dissatisfaction
- Specific data on cloud, identity, and endpoint visibility gaps that support the SOC conclusions
- The report's discussion of AI-assisted detection as a response to modern SOC pressure
- Additional chapter context on why fragmented tooling is slowing incident response
👉 Read Gurucul’s analysis of why the 2025 AI SOC is breaking under pressure →
SOC visibility gaps and alert fatigue: what IAM teams should do?
Explore further
Identity visibility is now a SOC design requirement, not an IAM side concern. The report shows that cloud infrastructure and identity behaviour are the two largest blind spots, which means access misuse is arriving in the SOC without enough context to be triaged correctly. That is a governance failure as much as a tooling failure, because identity events are where privilege abuse, account takeover, and machine credential misuse become visible. Practitioners should treat identity telemetry as core detection infrastructure, not optional enrichment.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: Who is accountable when identity telemetry is missing from the SOC?
A: Accountability sits with both SOC engineering and identity governance leadership. If identity logs are not onboarded quickly, prioritised correctly, or linked to detection workflows, the organisation has a design problem, not just an operations problem. Security leaders should treat missing identity telemetry as a governance gap that weakens incident response and access oversight.
👉 Read our full editorial: SOC identity visibility gaps are breaking modern detection programs