
Within the security operations centre (SOC), agentic AI is steadily moving from a concept to a capability, in no small part because the benefits are clear: faster investigations, adaptive systems and the ability to respond to threats that rarely arrive in neat, predictable patterns.
What is less clear, however, is how comfortable security leaders are with handing over elements of judgment to AI. In short, the question of AI use in the SOC runs deeper than improved efficiency.
As systems begin interpreting context and adjusting to threats in real time, the operating model of the SOC evolves with them, changing how work gets done, how responsibility is shared and how much control leaders are willing to hand over. Over time, these changes influence governance discussions and shape how risk is understood across the organisation.
The industry has navigated similarly defining moments before. Only a few years ago, the use of automation was met with hesitation, largely due to the feeling of losing control, visibility and ownership. So, even when productivity gains were evident, teams moved carefully.
Large language models later demonstrated how adaptable AI could be, but they also introduced uncertainty by making contextual choices rather than following fixed instructions. The rise of agentic AI in the SOC only extends this idea.
Agentic AI can sustain investigations over longer periods and determine next steps without constant direction. Of course, this capability creates opportunity, but it also requires leaders to adjust how they think about responsibility and control when decisions are no longer made entirely by people.
Traditional SOC processes were built around defined paths. Automation succeeded by staying within clear boundaries, handling specific tasks and behaving in ways teams could predict. This meant that when issues arose, teams could usually trace them back to logic or missing data.
But systems that operate with greater contextual awareness, like agentic AI-powered systems, behave differently. They don’t need complete information to work, nor do they need a set contextual framework; they can adapt to shifting information and redefine investigative focus as new signals appear. That adaptability strengthens outcomes, but it also changes the confidence and trust leaders put into the technology.
Confidence depends on understanding how conclusions are reached rather than simply reviewing final outputs, but with agentic AI, the path to decisions is not always clear. Approving agentic AI outputs then becomes a governance decision, as much as a technical one, with leaders having to choose how much they trust the judgment that is exercised by agentic AI systems within the SOC.
Of course, responsibility does not shift completely: security incidents still require accountability regardless of whether AI systems are introduced. AI cannot explain its reasoning to a board or provide reassurance to a regulator, so when there is scrutiny, explanations must follow, usually from the organisation’s leadership.
This dynamic shapes how AI autonomy is introduced in practice, with initial excitement giving way to cautious questioning of the systems used in the SOC. The question becomes "what’s our compliance exposure when something goes wrong?" rather than "what can the technology do?"
As such, discussions quickly turn toward ownership, and the need for clarity: how much authority the systems are given, who owns them, and when human judgment is expected to intervene.
The expectations concerning these areas shape how AI autonomy is introduced in practice because responsibility cannot be abstract. It has to be traceable, and confidence only grows when leaders understand how decisions are made and where they retain the authority to step in.
When systems are trusted to operate beyond immediate human involvement, transparency becomes essential. Of course, outcomes matter, but so does the SOC’s understanding of the path taken to reach them. When reasoning is visible and progress can be followed, autonomy feels grounded and trustworthy.
Observability tools are crucial in this process as they give analysts and leaders something to rely on by surfacing interim findings, providing audit trails and allowing teams to track how an investigation unfolds over time.
The ability to pause or redirect a system mid-activity also changes what autonomy means in practice, and reinforces that systems remain accountable to human oversight. Systems are also reflecting this shift, with AI giving context to its reasoning during investigations rather than delivering a single answer at the end.
Human expertise has the greatest impact at the point at which decisions are made. As repetitive analysis and initial triage are increasingly managed by AI, analysts have more time to review decisions, define processes and strengthen detection quality.
For teams who built experience and knowledge through repetition, this transition can feel unfamiliar, but there’s no denying that it opens new avenues for development. For example, it gives junior analysts the chance to encounter strategic thinking earlier in their careers, while the more senior analysts in the SOC can spend more time and focus on improving investigative depth and long-term resilience over firefighting.
The outcome of this shift is that human judgment is redistributed rather than reduced. The need for people is constant, but the type of work and the impact humans can have are elevated. Context-setting, direction and oversight become defining contributions as systems assume more execution.
Agentic AI is already influencing security operations. The question facing leaders now centres on confidence: do these systems operate in alignment with organisational expectations around risk and accountability, or not?
Repeated exposure to consistent system behaviour, combined with clear governance and visible reasoning, will strengthen assurance over time and lead to more trust in agentic AI systems in the SOC.
Ultimately, the SOC will always need people, and that won’t change, but the next evolution relies on how the partnership between people and systems works in practice. In an ideal world, AI will contribute speed and scale, while humans retain authority and responsibility. Being deliberate in establishing that balance will determine how effectively agentic capability is integrated and how much value it ultimately delivers.
Kirsty Paine is Field CTO and Strategic Advisor at Splunk
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543