AI Moves Deeper Into the SOC as Teams Automate Detection and Response

March 31, 2026
IANS News

Key Points

  • Most organizations are already using AI in the SOC, with an EY survey finding that 95% have deployed it for detection, alert triage, and incident response.
  • Security teams are expanding AI beyond automation, using it to correlate data across tools, prioritize high-risk alerts, and accelerate investigations, while beginning to test limited autonomous actions.
  • Adoption is being driven by operational strain, as SOC teams use AI to manage alert overload, expanding attack surfaces, and talent shortages.

Organizations are rapidly embedding AI into security operations centers (SOCs), with most security leaders now treating AI as a core part of day-to-day defense.

A recent EY survey found that 95% of organizations are already deploying AI in cybersecurity workflows, primarily for threat detection, alert triage, and incident response, and 96% of respondents said AI is now a “core defensive solution.”

Use cases are expanding beyond basic automation. Security teams are applying AI to correlate telemetry across tools, prioritize high-risk alerts, and accelerate investigations. Many are also experimenting with agentic AI systems that can take autonomous actions inside workflows.

Adoption is being driven by mounting operational pressures in the SOC. Just as attackers use AI to scale their operations, SOC teams are deploying it to manage overwhelming alert volumes, growing attack surfaces, and persistent talent shortages.

Ron Dilley, IANS Faculty

Big Picture

AI is becoming central to SOC operations. It's not only improving team efficiency, but transforming security operations altogether.

Detection is moving from rule-based systems to behavior-driven models that continuously learn from environment-specific patterns. At the same time, investigation workflows are becoming more automated, with AI stitching together fragmented signals into cohesive incident narratives. As organizations experiment with agentic AI, initial incident response steps are beginning to run with limited human intervention.

For CISOs, the question is no longer whether to use AI for security operations, but how much to trust it.

“Organizations getting this right are starting small with contained use cases (like alert triage) and keeping humans in the loop. This isn't just a tech implementation; it's an operational transformation. Start with specific, well-defined scenarios and build trust gradually.”

Ron Dilley, IANS Faculty

IANS Faculty Recommendations

  • Start with a narrow, high-value use case: Privileged account monitoring or risk scoring for Tier 1 OT systems (e.g., fueling or fleet management) delivers early wins without overextending.
  • Prove value quickly: Run detections in shadow mode and report metrics like reduced false positives or faster triage within 30–60 days. Visible success builds trust and secures leadership buy-in.
  • Embed cross-functional ownership: Keep a small tiger team (SOC analyst + data scientist) accountable for validating detections, tuning models and evangelizing wins to the wider SOC.
  • Enforce explainability: If analysts can’t understand why an AI model made a decision, they won’t trust or adopt it. Favor transparency over black-box accuracy.
  • Build governance early: Create a SOC+ analytics steering group to prioritize use cases, approve model changes and track outcomes tied to business impact.
  • Avoid overreach: Don’t try to “AI-enable the SOC” all at once. Expand gradually, validating one use case at a time, and resist the temptation to automate everything prematurely.
  • Keep business context central: Always align detections and risk scoring with what matters most to you: uptime, safety and reliability of critical transportation and mobility systems.

Jessica Hebenstreit, IANS Faculty

Authors & Contributors

Hayley Starshak - Author

Jessica Hebenstreit, IANS Faculty

Ron Dilley, IANS Faculty
