How are you deciding which SOC or security operations work should be augmented or even fully automated with AI? Which tasks should remain entirely under human control and which should only require human oversight?
CISO in Finance (non-banking), 2 days ago
One area where we allow automation is the removal of malicious emails. When a phishing alert is triggered by a user, our EDR reviews it, and if the email is confirmed as malicious, we permit automated removal of similar emails from other inboxes. This is a clear-cut decision: once we know it is a bad email, we want it out of inboxes immediately, without waiting for an analyst to manually intervene.

There is a distinction between what machine learning and AI tools can do and how much agency we grant them. The user’s role remains critical. Even if an AI can isolate a device or perform a SOAR action, governance over those actions must be clear. We are currently discussing which actions a tier one SOC agent or AI can take versus those that require oversight. There is no definitive answer yet, as there are many possible actions based on different scenarios. Recently, our steering committee discussed creating a top ten list of tasks to help decide, from a business perspective, which are acceptable to automate. As a manufacturer, automating certain actions could have significant consequences, such as revenue loss if a production line is taken down. We are carefully evaluating which actions are appropriate for automation and seeking business approval for each.
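The first part of the answer above describes a gated playbook: the EDR verdict decides whether look-alike emails are purged automatically or wait for an analyst. The following is an added example of that gate, not code from the original post or from any EDR/SOAR product; the verdict strings, the "similar email" rules (same sender, shared attachment hash, or same normalized subject plus a shared URL host) and the sample mailbox contents are constructed assumptions.

```python
"""Illustrative SOAR-style gate: purge look-alike phishing emails only after a
confirmed-malicious verdict; anything weaker goes to an analyst queue.
Added example, not code from the original post; the verdict strings, the
similarity rules and the sample mailbox below are assumptions."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass(frozen=True)
class Email:
    mailbox: str
    message_id: str
    sender: str
    subject: str
    body: str
    attachment_hashes: frozenset = field(default_factory=frozenset)


_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
_PREFIX_RE = re.compile(r"^\s*((re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject: str) -> str:
    """Drop reply/forward prefixes and collapse whitespace so campaign variants match."""
    return " ".join(_PREFIX_RE.sub("", subject).lower().split())


def url_hosts(body: str) -> frozenset:
    """Hostnames of every URL in the body; a shared host is treated as a campaign indicator."""
    hosts = set()
    for url in _URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return frozenset(hosts)


def is_similar(candidate: Email, confirmed: Email) -> bool:
    """Assumed similarity rules: same sender address, a shared attachment hash,
    or the same normalized subject plus at least one shared URL host."""
    if candidate.sender.lower() == confirmed.sender.lower():
        return True
    if candidate.attachment_hashes & confirmed.attachment_hashes:
        return True
    return (normalize_subject(candidate.subject) == normalize_subject(confirmed.subject)
            and bool(url_hosts(candidate.body) & url_hosts(confirmed.body)))


def plan_response(verdict: str, confirmed: Email, mailbox_store: list) -> dict:
    """Split matches into what the playbook may remove on its own and what waits
    for a human. Only a 'malicious' verdict (the assumed EDR outcome) unlocks
    automatic removal; the reported copy itself is excluded from the match set."""
    reported = (confirmed.mailbox, confirmed.message_id)
    matches = [e for e in mailbox_store
               if (e.mailbox, e.message_id) != reported and is_similar(e, confirmed)]
    if verdict == "malicious":
        return {"auto_remove": matches, "needs_review": []}
    # Unconfirmed: nothing is removed, everything is queued for an analyst.
    return {"auto_remove": [], "needs_review": matches}


# Constructed sample data: one user-reported email and a small mailbox store.
REPORTED = Email("alice@corp.example", "<c1@evil.example>", "it-helpdesk@evil.example",
                 "Action required: password expires today",
                 "Reset here: https://login.evil.example/reset")

MAILBOX_STORE = [
    REPORTED,
    # Same message delivered to another inbox.
    Email("bob@corp.example", "<c1@evil.example>", "it-helpdesk@evil.example",
          "Action required: password expires today",
          "Reset here: https://login.evil.example/reset"),
    # Different sender, but same subject and the same phishing host.
    Email("carol@corp.example", "<c2@evil.example>", "support@evil2.example",
          "FW: Action required: password expires today",
          "Please see https://login.evil.example/reset?u=carol"),
    # Benign internal reminder that must not be swept up.
    Email("dave@corp.example", "<m9@corp.example>", "hr@corp.example",
          "Password policy reminder",
          "Read the policy at https://intranet.corp.example/policy"),
]


if __name__ == "__main__":
    for verdict in ("malicious", "suspicious"):
        plan = plan_response(verdict, REPORTED, MAILBOX_STORE)
        print(verdict, "auto_remove:", [e.mailbox for e in plan["auto_remove"]],
              "needs_review:", [e.mailbox for e in plan["needs_review"]])
```

With the sample store, a "malicious" verdict purges Bob's and Carol's copies and leaves Dave's untouched; a "suspicious" verdict removes nothing and queues the same two copies for review. The removal action itself (a mailbox API call) is deliberately left out so that the decision logic can be tested on its own.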