
When AI Becomes the Operator: Securing Autonomous Systems in the SOC

By Will Ledesma, Director of Global MDR Cybersecurity Operations, N-able

For years, artificial intelligence has been capable of augmenting analysis, accelerating workflows, and improving threat detection. However, that assistant framing is now outdated. 

AI is no longer just assisting the Security Operations Center (SOC). It is now an autonomous operator within it. In many modern environments, AI systems are already triaging alerts, correlating signals across multiple domains, and initiating response actions in real time. In fact, according to N-able’s recent State of the SOC Report, up to 90% of investigation activity is now automated by AI.

This marks a fundamental shift in both cybersecurity processes and in how we think about AI’s risk profile. When systems begin making operational decisions at scale, they stop being tools and start becoming infrastructure. 

With that said, infrastructure needs to be secured differently. 

The rise of agentic AI in security operations 

What’s emerging inside the SOC goes beyond automation. The agentic AI evolution is driven by necessity. The scale and complexity of modern cybersecurity operations have long outpaced human capacity, while adversaries increasingly use AI-driven techniques to expand the breadth and depth of their attacks. In many cases, they are even targeting AI agents embedded in enterprise security stacks as attack surfaces. Alert velocity from this uptick in targeted attacks alone makes manual investigation models unsustainable. 

The difference is that today’s agents are capable of executing multi-step workflows, adapting to context, and making decisions without constant human intervention. They ingest telemetry across identity, endpoint, network, and cloud layers; correlate weak signals into high-confidence detections; and trigger containment actions. This is done continuously at a speed no human team can match. Agentic AI and autonomous agents are things the SOC can’t live without. 

AI is now part of the attack surface 

But threat actors are exploring novel ways to exploit AI-driven systems. This includes probing orchestration layers, experimenting with data poisoning, and attempting to blend malicious activity into patterns that resemble legitimate system behavior. 

AI systems rely on inputs, models, and orchestration frameworks. Each of these components introduces potential vulnerabilities: 

  • Data manipulation: If attackers can influence the data an AI system ingests, they can distort its understanding of what is “normal.” A sample that runs as little as 20% against the norm can be enough to start influencing outcomes.
  • Model exploitation: Subtle manipulation of model behavior can lead to misclassification or missed detections. 
  • Orchestrator compromise: If an attacker gains control of an AI orchestration layer, they may be able to issue legitimate-looking commands at machine speed, or even hold that layer ransom, possibly disrupting a company’s business output.  

In highly automated environments, this last scenario is particularly concerning. A compromised orchestrator can turn defensive systems into force multipliers and active ransoming tools for attackers. At that point, the system designed to defend the environment is actively contributing to its compromise and potentially incurring great costs – monetary and reputational – for the business. Still, the speed and scale of AI remediation is the only way to stop exploitation of AI as an attack surface. This is the modern conundrum SOC teams are contending with, and an additional proof point reinforcing the need for autonomous AI defenses. 

The problem with applying traditional security models to AI 

One of the biggest risks organizations face today is assuming that existing security frameworks are sufficient for AI-driven systems. In reality, traditional security models focus on protecting infrastructure, users, and data. Even though AI is commonly seen as another identity, it really introduces a new layer altogether – one that operates across all those levels and makes decisions based on their interaction. 

For example, conventional monitoring might detect anomalous user behavior or suspicious network activity. But what about anomalous AI behavior? What does it look like, in practice, when an AI system deviates from its intended function? Often, without clear oversight from both business and technical leads to proactively address these questions, the answers are unclear.  

Similarly, access control models are designed around human users and service accounts. But AI agents often operate with broad, cross-domain permissions to enable their efficiency. That same access also expands the attack surface. 

In short, AI systems don’t fit neatly into existing security categories. They require their own. 

How to design for trust in autonomous systems 

Trust in AI is a critical requirement. With this in mind, there are several foundational principles organizations should prioritize: 

  1. Observability over opacity
    AI systems must be observable in real time. Organizations need visibility into what decisions are being made, why they are being made, and what actions are being taken as a result. This includes a dedicated organizational governance layer, currently best supported by NIST AI 100-1: each AI system should have its own business owner and technical owner, and organizations should establish a lightweight governance group to review higher-risk use cases. At the highest level, organizations must be able to explain where AI is used, what data it touches, and what actions it takes.
  2. Decision traceability
    Every automated action should be auditable. This means maintaining a clear record of how a system arrived at a given decision, including the signals and logic involved. This logging and documentation should also allow teams to reconstruct decisions and actions.
  3. Behavioral baselining
    Just as security teams baseline user behavior, they must now baseline AI behavior. What constitutes “normal” operations for an AI agent? When does it deviate, and how is that deviation detected?
  4. Controlled autonomy
    Not all decisions should be fully automated. Organizations need to define thresholds for when human oversight is required, particularly for high-impact actions. The level of autonomy needs to be readily disclosable to all stakeholders. Even with vendor AI, the organization wielding it is ultimately responsible for how it interacts with customer data and systems.
  5. Segmentation of AI capabilities
    AI systems should not have unrestricted access across environments. Limiting scope and enforcing boundaries reduces the potential blast radius of a compromise. If AI is connected to production systems, modifying configurations, or triggering workflows, that power should not come without a thorough review process and clear oversight.
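The following is an added illustration, not code from the article or from N-able: a small policy gate that an orchestration layer could place in front of every agent action, covering principles 2, 4 and 5 above. Agent names, action names, impact scores and the approval threshold are all hypothetical; each decision is written to a hash-chained record so that a tampered audit trail can be detected.

```python
"""Hypothetical policy gate for autonomous SOC agent actions (added example)."""
import hashlib
import json
import time
from dataclasses import dataclass, field

# Segmentation: each (hypothetical) agent may only take the action kinds in its scope.
AGENT_SCOPES = {
    "triage-agent": {"enrich_alert", "add_tag"},
    "containment-agent": {"enrich_alert", "isolate_host", "disable_account"},
}
# Controlled autonomy: hypothetical impact scores; at or above the threshold a human approves.
IMPACT = {"enrich_alert": 1, "add_tag": 1, "isolate_host": 7, "disable_account": 9}
HUMAN_APPROVAL_THRESHOLD = 5


@dataclass
class DecisionLog:
    """Append-only decision trail; each record's hash covers the previous record's hash."""
    records: list = field(default_factory=list)
    last_hash: str = "0" * 64

    def append(self, record: dict) -> dict:
        record["prev_hash"] = self.last_hash
        body = json.dumps(record, sort_keys=True).encode()   # hash everything except "hash"
        record["hash"] = hashlib.sha256(body).hexdigest()
        self.records.append(record)
        self.last_hash = record["hash"]
        return record


def gate_action(agent: str, action: str, signals: list, rationale: str, log: DecisionLog) -> str:
    """Return 'execute', 'needs_human' or 'denied'; always record signals and reasoning."""
    if action not in AGENT_SCOPES.get(agent, set()):
        verdict = "denied"          # outside the agent's segmented scope
    elif IMPACT.get(action, 10) >= HUMAN_APPROVAL_THRESHOLD:   # unknown actions count as high impact
        verdict = "needs_human"     # high-impact: a person must approve before execution
    else:
        verdict = "execute"
    log.append({"ts": time.time(), "agent": agent, "action": action,
                "signals": signals, "rationale": rationale, "verdict": verdict})
    return verdict


def verify_chain(log: DecisionLog) -> bool:
    """Recompute every hash and link; False if any record was altered or removed."""
    prev = "0" * 64
    for rec in log.records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```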

Securing the systems that secure everything else 

The industry has spent recent years focused on using AI to improve security outcomes. Now, equal attention must be given to securing the AI systems themselves. 

When AI is making decisions, initiating actions, and operating at machine speed, it becomes part of the environment it is protecting, meaning it inherits the same responsibility and the same risk. Organizations that recognize this shift early will be better positioned to build resilient, trustworthy systems. Those that don’t may introduce a new class of vulnerabilities to the very tools they rely on to stay secure. 

AI is becoming the operator, and we need to make sure it’s one we can trust. 
