SOC teams are automating triage — but 40% will fail without governance boundaries

The average enterprise SOC receives 10,000 alerts per day. Each requires 20 to 40 minutes to investigate properly, but even fully staffed teams can handle only 22% of them. More than 60% of security teams have admitted to ignoring alerts that later turned out to be critical.

Running an efficient SOC has never been more difficult, and now the job itself is changing. Tier-1 analyst tasks such as triage, enrichment, and escalation are becoming software functions, and more SOC teams are turning to supervised AI agents to absorb the volume. Human analysts are shifting their time to investigation, review, and edge-case decisions, and response times are falling.

However, there is a high cost to leaving human insight and intuition out of the loop. Gartner estimates that more than 40% of agentic AI projects will be canceled by the end of 2027, mainly because of unclear business value and inadequate governance. Getting change management right, and making sure AI agents do not become agents of chaos in the SOC, matters more than the tooling itself.

Why does the legacy SOC model need to change?

Burnout is so severe in many SOCs today that senior analysts are considering a career change. Legacy SOCs run multiple systems that deliver conflicting alerts and cannot talk to each other, which makes the daily work a recipe for burnout, and the talent pipeline cannot be refilled as fast as burnout empties it.

CrowdStrike’s 2025 Global Threat Report reported breakout times as fast as 51 seconds and found that 79% of intrusions are now malware-free. Instead, attackers rely on identity abuse, credential theft, and stealth techniques. Manual triage built for hourly response cycles can’t compete.

As Matthew Sharp, CISO, Exactly, told CSO Online: "Adversaries are already using AI to attack at machine speed. Organizations cannot defend against AI-powered attacks with human-speed responses."

How limited autonomy compresses reaction time

SOC deployments that compress response times share a common pattern: limited autonomy. AI agents handle triage and enrichment automatically, but humans approve containment actions when severity is high. This division of labor moves alert volume to machine speed while reserving human judgment for decisions that carry operational risk.

Graph-based detection changes the way defenders view networks. Traditional SIEM shows isolated events. Graph databases show relationships between events, allowing AI agents to trace attack paths rather than triaging alerts one at a time. A suspicious login stands out when the system understands that the account is two hops away from a domain controller.
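The "two hops from a domain controller" enrichment described above, as an added example that is not code from the article or from any vendor product. It builds a small, constructed relationship graph (account membership, local admin rights, cached sessions), runs a breadth-first search from the account named in an alert to the nearest domain controller, and uses the hop count to rank otherwise identical alerts. All node names, edges, and the hop threshold are assumptions for illustration.

```python
"""Added example: rank identical-looking alerts by how close the affected
account sits to a domain controller in an identity/host relationship graph.
Graph, node names, alerts and the threshold are constructed, not real data."""
from collections import deque

# Constructed directed graph. An edge A -> B means an attacker holding A can
# reach B (group membership, local admin rights, a cached session, logon right).
GRAPH = {
    "user:alice":         ["group:server-admins"],   # alice is in server-admins
    "group:server-admins": ["host:dc01"],            # server-admins can log on to dc01
    "user:bob":           ["host:ws-099"],           # bob only reaches his workstation
    "host:ws-099":        [],
    "user:carol":         ["group:helpdesk"],
    "group:helpdesk":     ["host:ws-042"],           # helpdesk is local admin on ws-042
    "host:ws-042":        ["user:alice"],            # alice has a cached session on ws-042
    "host:dc01":          [],
}
DOMAIN_CONTROLLERS = {"host:dc01"}

SAMPLE_ALERTS = [  # constructed alerts, all from the same detection rule
    {"id": "A1", "rule": "impossible_travel", "principal": "user:alice"},
    {"id": "A2", "rule": "impossible_travel", "principal": "user:bob"},
    {"id": "A3", "rule": "impossible_travel", "principal": "user:carol"},
]


def hops_to_dc(graph, start, targets):
    """BFS from `start`; return (hop_count, path) to the nearest node in
    `targets`, or (None, []) if no target is reachable."""
    if start not in graph:
        return None, []
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            path = []
            while node is not None:          # walk the BFS tree back to start
                path.append(node)
                node = prev[node]
            path.reverse()
            return len(path) - 1, path
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None, []


def enrich(alert, graph=GRAPH, dcs=DOMAIN_CONTROLLERS, near=3):
    """Attach the attack path and a priority derived from distance to a DC.
    `near` is an assumed threshold: within that many hops the alert goes to
    a human rather than being closed by the agent."""
    hops, path = hops_to_dc(graph, alert["principal"], dcs)
    if hops is None:
        priority = "low"          # no path to a DC: agent may triage alone
    elif hops <= near:
        priority = "high"         # short path to a DC: human review required
    else:
        priority = "medium"
    return {**alert, "hops_to_dc": hops, "attack_path": path, "priority": priority}


def rank(alerts, **kwargs):
    """Order alerts so the ones closest to a domain controller come first."""
    order = {"high": 0, "medium": 1, "low": 2}
    enriched = [enrich(a, **kwargs) for a in alerts]
    return sorted(enriched, key=lambda e: (order[e["priority"]],
                                           e["hops_to_dc"] if e["hops_to_dc"] is not None else float("inf")))


if __name__ == "__main__":
    for e in rank(SAMPLE_ALERTS):
        print(e["id"], e["priority"], e["hops_to_dc"], " -> ".join(e["attack_path"]))
```

The three alerts fire on the same rule, so an event-centric SIEM would show them as equals; the graph separates alice (two hops from dc01) from bob (no path at all), which is the distinction an agent needs before it is allowed to close anything.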

The speed gains are measurable. AI compresses investigation timelines while improving the accuracy of senior analysts' decisions. Some deployments report that AI-powered triage reaches more than 98% agreement with human expert decisions and removes more than 40 hours of manual work per week. Speed means nothing if accuracy drops.

ServiceNow and Ivanti signal sweeping changes in agentic IT operations

Gartner estimates that multi-agent AI in threat detection will grow from 5% to 70% of implementations by 2028. ServiceNow plans to spend approximately $12 billion on security acquisitions in 2025 alone. Ivanti, which compressed a three-year kernel-hardening roadmap into 18 months when nation-state attackers validated the urgency, announced agentic AI capabilities for IT service management, bringing the constrained-autonomy model that reshaped the SOC to the service desk. Customer preview will launch in Q1, with general availability later in 2026.

The workloads that break the SOC are also breaking the service desk. Robert Hanson, CIO of Grand Bank, faced the same hurdles that security leaders know well. "We can provide 24/7 support, freeing up our service desk to focus on complex challenges," Hanson said. The draw is continuous coverage without proportional headcount, and it is driving adoption in financial services, healthcare, and government.

Three governance boundaries for limited autonomy

Bounded autonomy requires clear governance boundaries. Teams must specify three things: which alert categories agents can act on autonomously, which require human review regardless of confidence score, and which escalation path applies when certainty falls below a threshold. High-severity incidents require human approval before any containment action is taken.

Establishing governance before deploying AI in the SOC is critical if an organization is to get both the time savings and the control that this generation of tools promises. When adversaries weaponize AI and exploit published CVEs faster than defenders can react, autonomy within clear governance boundaries becomes table stakes for staying resilient in a zero-trust world.

The way forward for security leaders

Teams should start with workflows where a wrong automated decision can be caught or reversed. Three workflows consume 60% of analyst time while contributing minimal investigation value: phishing triage (a missed escalation can be caught in secondary review), password reset automation (low blast radius), and known-bad indicator matching (deterministic reasoning).

Automate these first, then validate accuracy against human decisions for 30 days.
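The governance boundaries from the previous section and the 30-day validation step above, as one added example that is not code from the article or from any product. The `gate` function encodes the three boundaries (an always-review category set, a confidence floor that forces escalation, and human approval for containment on high severity; anything not explicitly granted autonomy fails closed to review), and `shadow_scorecard` compares the agent's decisions with the human analyst's over a trailing window to decide whether a category may be promoted from shadow mode to autonomous. The category names, thresholds, minimum sample size, and the decision log are assumptions constructed for illustration.

```python
"""Added example: a bounded-autonomy gate plus a shadow-mode scorecard.
Policy sets, thresholds and the decision log are constructed assumptions."""
from collections import defaultdict
from datetime import date, timedelta

# --- Governance boundaries (assumed policy, not any vendor's default) -------
AUTONOMOUS = {"phishing_triage", "password_reset", "known_bad_ioc"}  # agent may act
ALWAYS_REVIEW = {"lateral_movement", "privilege_escalation"}       # human reviews regardless of score
CONTAINMENT_ACTIONS = {"isolate_host", "disable_account", "block_sender"}
CONFIDENCE_FLOOR = 0.90   # below this the agent escalates instead of acting


def gate(alert, proposed_action, confidence):
    """Decide 'act', 'review' or 'escalate' for an agent's proposed action.
    Checks run from most to least restrictive; unknown categories fail closed."""
    category, severity = alert["category"], alert["severity"]
    if category in ALWAYS_REVIEW:
        return "review", "category requires human review regardless of confidence"
    if severity == "high" and proposed_action in CONTAINMENT_ACTIONS:
        return "review", "containment on a high-severity incident needs human approval"
    if confidence < CONFIDENCE_FLOOR:
        return "escalate", f"confidence {confidence:.2f} is below floor {CONFIDENCE_FLOOR:.2f}"
    if category in AUTONOMOUS:
        return "act", "category is in the autonomous set"
    return "review", "category has not been granted autonomy"


# --- Shadow-mode validation -------------------------------------------------
def shadow_scorecard(log, today, window_days=30, min_agreement=0.98, min_samples=50):
    """`log` rows are (date, category, agent_decision, human_decision).
    Returns per-category agreement over the trailing window and whether the
    category clears both the agreement bar and the minimum sample size."""
    start = today - timedelta(days=window_days)
    agree, total = defaultdict(int), defaultdict(int)
    for when, category, agent, human in log:
        if start < when <= today:          # only the trailing window counts
            total[category] += 1
            agree[category] += int(agent == human)
    card = {}
    for category, n in total.items():
        rate = agree[category] / n
        card[category] = {"n": n, "agreement": round(rate, 4),
                          "promote": n >= min_samples and rate >= min_agreement}
    return card


TODAY = date(2026, 3, 1)   # fixed so the constructed log is deterministic


def constructed_log(today=TODAY):
    """Build a synthetic decision log (not real telemetry)."""
    rows = []
    for i in range(100):   # phishing: agent and human agree on 99 of 100
        human = "close" if i else "escalate"
        rows.append((today - timedelta(days=i % 30), "phishing_triage", "close", human))
    for i in range(40):    # password resets: perfect agreement but too few samples
        rows.append((today - timedelta(days=i % 30), "password_reset", "reset", "reset"))
    for i in range(60):    # known-bad IOC: 57 of 60 agree, under the 98% bar
        human = "block" if i >= 3 else "investigate"
        rows.append((today - timedelta(days=i % 30), "known_bad_ioc", "block", human))
    for i in range(20):    # stale rows outside the window, must be ignored
        rows.append((today - timedelta(days=45), "known_bad_ioc", "block", "investigate"))
    return rows


if __name__ == "__main__":
    print(gate({"category": "phishing_triage", "severity": "low"}, "block_sender", 0.97))
    print(gate({"category": "phishing_triage", "severity": "high"}, "block_sender", 0.99))
    for cat, row in shadow_scorecard(constructed_log(), TODAY).items():
        print(cat, row)
```

Two design points matter here: the gate consults the always-review set before it even looks at the confidence score, so a well-calibrated but out-of-scope agent still cannot act; and promotion out of shadow mode requires a minimum sample count, so a category that happens to agree on a handful of decisions is not granted autonomy on thin evidence.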
