
The Metric AI Security is Missing

  • Apr 29, 2026
  • Stephen Moore
  • 7 minutes to read


    As autonomous and semi-autonomous AI systems take on more responsibility within the enterprise, they shift from being “features” of software to becoming true internal actors. They make decisions, take actions, call tools, orchestrate workflows, and influence other AI agents. With this evolution, we must confront an uncomfortable truth: the metrics and response patterns we built for deterministic software no longer work.

    Mean time to respond (MTTR), long treated as a foundational indicator of operational readiness, now provides a dangerously incomplete picture. When applied to AI systems, MTTR often measures how quickly we return to a previous state that may still be structurally unsound. It produces an illusion of recovery that obscures persistent risk.

    Recovery in the AI era cannot mean a return to the state that allowed the incident. To be honest, it never should have, but this new world forces our collective hand to improve.

    Recovery must mean a return to a safer state than the one that preceded it; the rules of recovery have changed.

    This shift requires a new concept — Mean Time to Durable Improvement (MTDI) — and a fundamental rethinking of how we define, measure, and achieve true resilience.

    AI as an Operational Actor, not a Software Component

    Today’s AI does not sit quietly behind an API. It behaves, decides, and acts. It accumulates entitlements, takes autonomous action, and interacts with systems far beyond its immediate scope. It can chain decisions, invoke tools, and even orchestrate the actions of other AI systems.

    From a security operations perspective, agentic AI should be treated less like an application and more like a privileged internal identity. Like a human insider, an AI agent has intent (defined by prompts and objectives), capability (tools and entitlements), and opportunity (access to systems and data) but with velocity and scale far beyond any individual user. This framing matters because it allows organizations to apply decades of insider-risk, identity security, and privileged access management lessons, rather than inventing entirely new control models.

    This dynamic nature creates a new set of demands on security operations. Before any organization can discuss recovery, it must be able to answer three foundational questions:

    1. Can we see what the AI is doing?
      • Without model logs, tool-call traces, or behavioral telemetry, the organization is operating blind.
    2. Does that visibility integrate into SOC workflows?
      • AI telemetry must be accretive, not separate or isolated.
    3. Do we have the ability and authority to act on what we see?
      • Policy, detection, and response must coexist. Without all three, security becomes decorative rather than functional, and leaves doors open for serious harm to the business.

    These questions represent the minimum viable foundation for any AI governance program. Yet they are where most organizations struggle today.

    How AI Fails: Malfunction, Misalignment, and Subversion

    Similar to human insiders, AI incidents can emerge from several distinct failure modes, each with its own threat profile and remediation requirements. Current insider threat programs commonly place human insider threats into three categories: compromised, negligent, and malicious. AI agents acting as insiders introduce three new categories that security teams need to be aware of:

    • Malfunction: When the AI simply gets it wrong, hallucinating, producing errors, or acting on bad data that leads to unintended harm.
    • Misalignment: When the AI does exactly what it was told but in the wrong context, making logical decisions that don’t match real-world intent.
    • Subversion: When an attacker manipulates the AI by using prompts, data poisoning, or access abuse to make it act against you.

    Unlike traditional software failures, these incidents cannot be fixed with a simple reset, patch, or reimage. They emerge from multi-layered causal chains involving training data, policies, entitlements, orchestration tools, vendor integrations, and business logic.

    This is why traditional MTTR, focused on restoring functionality, fails to address the real problem.

    Why Traditional MTTR Fails Security Leaders When It Comes to AI

    For decades, MTTR has measured the speed at which a security team could stop an incident and restore operations. Resetting a password, revoking a token, killing a process, or reimaging a device were typically enough to stop the immediate harm.

    But with AI-driven systems, these actions only remove the visible symptom. They do not remove the structural conditions that allowed the AI to behave harmfully in the first place.

    When we return an AI agent to the state it was in before the incident, we often return it to:

    • The same flawed guardrails
    • The same inadequate validation
    • The same overextended entitlements
    • The same vendor dependencies
    • The same missing policies
    • The same weak instrumentation
    • The same misaligned objectives

    The fact that the AI cannot immediately reproduce the harmful behavior does not mean the environment is safe; it means the conditions for recurrence remain untouched.

    This is where AI recidivism becomes a real operational risk.

    AI Recidivism: When AI Repeats Undesirable Behavior

    Borrowing from behavioral science, recidivism describes patterns of repeated harm when underlying conditions remain unchanged. AI recidivism arises when organizations treat incidents as isolated events rather than symptoms of structural deficiencies.

    The cost of this failure is not purely technical. Repeated AI-driven incidents create analyst fatigue, erode trust in detections and controls, and ultimately lead to alert apathy. When teams see the same AI behaviors resurface, unchanged and uncorrected, confidence in both the system and the governance model degrades. Over time, responders stop expecting improvement and begin treating AI-related alerts as noise rather than signals.

    Securing the use of AI agents requires more than brittle guardrails; it requires understanding what normal behavior looks like for agents and having the ability to detect risky deviations. These capabilities give security teams the behavioral insight needed to identify risk early, investigate AI agent activity quickly, and continuously strengthen resilience as AI usage and agents become integral to enterprise workflows.

    AI recidivism occurs when:

    • Guardrails are not updated
    • Entitlements remain excessive
    • Prompts and policies remain ambiguous
    • Unsafe behavior is not corrected or conditioned
    • Vendor models continue to behave unpredictably
    • Governance lacks clarity or ownership
    • Toolchains remain overly permissive

    Containment ends the moment; durable improvement ends the cycle.

    Introducing Mean Time to Durable Improvement (MTDI)

    A new standard for AI recovery

    Mean Time to Durable Improvement (MTDI) reframes recovery not as the moment an incident symptom stops, but as the moment the entire socio-technical system becomes less likely to produce that harm again.

    MTDI is not a replacement for Mean Time to Respond (MTTR). The two metrics serve different but complementary purposes. MTTR continues to measure operational containment: how quickly teams can detect, respond to, and stabilize an incident. MTDI measures structural risk reduction: how long it takes to eliminate the conditions that allowed the incident to occur in the first place.

    Organizations that collapse these metrics into a single number lose clarity rather than gain it.

    Historically, “respond” often meant returning systems to the state they were in earlier that same day. For AI, that definition is insufficient. Restoring a system without correcting excessive entitlements, ambiguous prompts, or unsafe autonomy simply resets the conditions for repetition. Agentic AI forces a shift from restoration-focused recovery to condition-focused recovery, often before security teams have the tools or governance maturity to support it.

    MTDI measures the time between:

    1. Detection of an unsafe or misaligned AI behavior
    2. Containment, such as a source quench or entitlement throttle
    3. Causal chain analysis across technical, behavioral, business, and vendor layers
    4. Reinforcement of guardrails, policies, validation, and safety systems
    5. Entitlement and toolchain review, removing privilege creep
    6. Retraining, reconditioning, or revalidating AI behavior
    7. Governance updates, clarifying roles, escalation paths, and vendor responsibilities
    8. Verification that the behavior cannot be trivially repeated

    Only when the system is safer than before does the clock stop on MTDI.

    This is the central difference between MTTR and MTDI:

    • MTTR restores operational stability.
    • MTDI reduces the likelihood of recurrence.
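The eight MTDI stages above, and the contrast with MTTR, can be made concrete by computing both clocks from incident records. The following is an added example, not code from the original post or from Exabeam: it models each incident as a set of timestamped milestones named after the eight stages, stops the MTTR clock at containment, stops the MTDI clock only when every stage through verification has been recorded in order, and flags recidivism when a later incident repeats an earlier incident's causal path. The incident records, causal-path labels and timestamps are constructed assumptions.

```python
"""Added example (not from the original post): MTTR and MTDI side by side
over constructed incident records. Milestone names follow the eight MTDI
stages in the post; the record layout and timestamps are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

# The eight stages the post lists for MTDI, in order. Containment alone stops
# the MTTR clock; MTDI stops only when the final verification milestone exists.
MTDI_STAGES = (
    "detection", "containment", "causal_analysis", "guardrail_reinforcement",
    "entitlement_review", "revalidation", "governance_update", "verification",
)


@dataclass
class Incident:
    incident_id: str
    causal_path: str  # constructed label for the structural condition behind the harm
    milestones: Dict[str, datetime] = field(default_factory=dict)  # stage -> time

    def mttr(self) -> Optional[timedelta]:
        """Detection to containment: operational stability restored."""
        d, c = self.milestones.get("detection"), self.milestones.get("containment")
        return (c - d) if d and c else None

    def mtdi(self) -> Optional[timedelta]:
        """Detection to verification, only if every stage was completed in order.
        A skipped or out-of-order stage means the system is not demonstrably
        safer than before, so the MTDI clock is still running (no value)."""
        times = [self.milestones.get(s) for s in MTDI_STAGES]
        if any(t is None for t in times) or times != sorted(times):
            return None
        return times[-1] - times[0]


def recidivist_ids(incidents: List[Incident]) -> List[str]:
    """Incidents whose causal path already produced an earlier incident:
    containment ended the moment, but the cycle was never ended."""
    seen, repeats = set(), []
    for inc in sorted(incidents, key=lambda i: i.milestones["detection"]):
        if inc.causal_path in seen:
            repeats.append(inc.incident_id)
        seen.add(inc.causal_path)
    return repeats


def summarize(incidents: List[Incident]) -> dict:
    """Mean MTTR and mean MTDI in hours, plus how many incidents reached
    durable improvement and which ones are repeats of an unfixed condition."""
    mttrs = [i.mttr() for i in incidents if i.mttr() is not None]
    mtdis = [i.mtdi() for i in incidents if i.mtdi() is not None]
    hours = lambda deltas: round(mean(d.total_seconds() for d in deltas) / 3600, 2)
    return {
        "mttr_hours": hours(mttrs) if mttrs else None,
        "mtdi_hours": hours(mtdis) if mtdis else None,
        "durably_improved": len(mtdis),
        "recidivist": recidivist_ids(incidents),
    }


def _t(hours: float) -> datetime:
    """Constructed timestamps relative to an arbitrary epoch."""
    return datetime(2026, 4, 1) + timedelta(hours=hours)


# Constructed sample: INC-1 completes all eight stages; INC-2 is contained and
# then closed as a ticket; INC-3 is the same structural condition recurring.
SAMPLE_INCIDENTS = [
    Incident("INC-1", "excessive_entitlement:finance-agent:export_tool", {
        "detection": _t(0), "containment": _t(2), "causal_analysis": _t(10),
        "guardrail_reinforcement": _t(30), "entitlement_review": _t(36),
        "revalidation": _t(50), "governance_update": _t(60), "verification": _t(72)}),
    Incident("INC-2", "overbroad_tool_scope:hr-agent:ticket_api",
             {"detection": _t(120), "containment": _t(121)}),
    Incident("INC-3", "overbroad_tool_scope:hr-agent:ticket_api",
             {"detection": _t(216), "containment": _t(219)}),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_INCIDENTS))
```

On this sample the MTTR figure looks healthy (a two-hour mean), while MTDI shows that only one of three incidents ever reached a safer state and that INC-3 is a repeat of INC-2's uncorrected condition. Reporting the two numbers separately, as the post argues, is what makes that gap visible.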

    Agent Behavior Analytics: The Trigger for MTDI

    Before organizations can achieve durable improvement, they have to detect the conditions that make it necessary. Agent Behavior Analytics (ABA) provides that signal.

    Traditional monitoring focuses on outages, access misuse, or system anomalies. Agentic AI introduces a different risk surface: behavioral drift, entitlement creep, prompt manipulation, unsafe autonomy, and unintended cross-system actions. These risks often emerge before visible operational failure.

    ABA shifts detection upstream and identifies when an AI system is behaving in ways that increase the probability of harm, even if nothing has “broken” yet.

    This behavioral visibility is what triggers action toward MTDI. It marks the moment when containment is not enough, and the underlying permissions, prompts, guardrails, or governance structures must be reinforced.

    Without Agent Behavior Analytics, organizations can restore stability. With it, they can reduce recurrence.

    And that is where Mean Time to Durable Improvement begins.
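To show what "detecting the conditions" can look like in practice, here is an added example, not code from the original post or from Exabeam, of a minimal Agent Behavior Analytics check: it learns a per-agent baseline (tools used, targets touched, busiest hour) from tool-call telemetry, then flags behavioral drift (a tool or target never seen before), entitlement creep (a tool outside the agent's approved entitlements, even if the call succeeded) and bursts of activity. The log format, agent and tool names, and the approved-entitlement table are constructed assumptions.

```python
"""Added example (not from the original post): a small Agent Behavior
Analytics check over constructed tool-call telemetry. Agent names, tool
names, targets and the entitlement table are all assumptions."""
import json
from collections import Counter, defaultdict

# Constructed telemetry: one JSON object per line (agent, tool, target, ts).
BASELINE_LOG = """
{"agent": "finance-agent", "tool": "ledger.read", "target": "erp", "ts": "2026-04-02T09:01:00"}
{"agent": "finance-agent", "tool": "ledger.read", "target": "erp", "ts": "2026-04-02T09:20:00"}
{"agent": "finance-agent", "tool": "report.write", "target": "sharepoint", "ts": "2026-04-02T09:45:00"}
{"agent": "finance-agent", "tool": "ledger.read", "target": "erp", "ts": "2026-04-02T10:10:00"}
{"agent": "finance-agent", "tool": "report.write", "target": "sharepoint", "ts": "2026-04-02T10:30:00"}
"""
OBSERVED_LOG = """
{"agent": "finance-agent", "tool": "ledger.read", "target": "erp", "ts": "2026-04-03T09:00:00"}
{"agent": "finance-agent", "tool": "ledger.read", "target": "erp", "ts": "2026-04-03T09:02:00"}
{"agent": "finance-agent", "tool": "ledger.read", "target": "erp", "ts": "2026-04-03T09:04:00"}
{"agent": "finance-agent", "tool": "ledger.read", "target": "hr-db", "ts": "2026-04-03T09:06:00"}
{"agent": "finance-agent", "tool": "ledger.write", "target": "erp", "ts": "2026-04-03T09:08:00"}
{"agent": "finance-agent", "tool": "mail.send", "target": "smtp", "ts": "2026-04-03T09:10:00"}
{"agent": "finance-agent", "tool": "ledger.read", "target": "erp", "ts": "2026-04-03T09:12:00"}
"""

# Approved entitlements per agent (constructed). This is policy, not observation:
# a tool outside this set is entitlement creep even though the call "worked".
APPROVED_ENTITLEMENTS = {"finance-agent": {"ledger.read", "ledger.write", "report.write"}}


def parse(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per agent: tools and targets seen, and the busiest hour's call count."""
    base = defaultdict(lambda: {"tools": set(), "targets": set(), "per_hour": Counter()})
    for e in events:
        b = base[e["agent"]]
        b["tools"].add(e["tool"])
        b["targets"].add(e["target"])
        b["per_hour"][e["ts"][:13]] += 1  # hour bucket, e.g. "2026-04-02T09"
    return {a: {"tools": b["tools"], "targets": b["targets"],
                "max_per_hour": max(b["per_hour"].values())} for a, b in base.items()}


def detect(baseline, events, entitlements, burst_factor=2):
    """Compare new telemetry against the baseline and the entitlement policy.
    Drift findings are reported once per (agent, detail) so repeats do not flood."""
    findings, seen, per_hour = [], set(), Counter()
    for e in events:
        agent = e["agent"]
        per_hour[(agent, e["ts"][:13])] += 1
        b = baseline.get(agent)
        checks = []
        if b is None:
            checks.append(("unknown_agent", agent))
        else:
            if e["tool"] not in b["tools"]:
                checks.append(("new_tool", e["tool"]))          # drift from observed behavior
            if e["target"] not in b["targets"]:
                checks.append(("new_target", e["target"]))
        if e["tool"] not in entitlements.get(agent, set()):
            checks.append(("entitlement_creep", e["tool"]))     # beyond approved policy
        for kind, detail in checks:
            key = (kind, agent, detail)
            if key not in seen:
                seen.add(key)
                findings.append({"kind": kind, "agent": agent, "detail": detail, "ts": e["ts"]})
    # Volume check: more than burst_factor times the busiest baseline hour.
    for (agent, hour), n in per_hour.items():
        if agent in baseline and n > baseline[agent]["max_per_hour"] * burst_factor:
            findings.append({"kind": "burst", "agent": agent, "ts": hour,
                             "detail": f"{n} calls (baseline max {baseline[agent]['max_per_hour']})"})
    return findings


def kinds(findings):
    """Finding counts by kind, handy for a quick summary line."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for f in detect(base, parse(OBSERVED_LOG), APPROVED_ENTITLEMENTS):
        print(f)
```

Note the distinction the example keeps: `ledger.write` is approved but never observed, so it is drift worth a look; `mail.send` is both never observed and outside the approved entitlements, so it is creep that needs an entitlement review. Nothing here has "broken" yet, which is the point: these findings are the trigger for the MTDI work described above, not the end of it.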

    What “Durable Improvement” Actually Looks Like

    Durable improvement is not a patch.

    It is not a ticket closure.

    It is not the absence of a repeated error.

    Durable improvement means:

    • The AI cannot reproduce the harmful action along the same path
    • Guardrails are stronger, clearer, and context-appropriate
    • The agent’s identity and entitlements align with current business needs
    • Logging, tooling, and observability have improved
    • Policy gaps are closed and documented
    • Vendors have been engaged where needed
    • Testing validates that the system behaves safely under stress

    It transforms recovery from a short-term event into a long-term investment in resilience.

    Why Metrics Will Appear Worse and Why That’s a Good Sign

    As organizations adopt AI-aware detection, response metrics will initially degrade:

    • MTTR will increase
    • Incident timelines will lengthen
    • Closure rates may slow
    • Remediation will become more complex

    This is not a loss of capability; it is an increase in visibility.

    AI introduces failure modes we previously could not detect. Seeing them for the first time naturally leads to longer investigation cycles and more cross-functional remediation. Leaders must prepare executives and boards for this temporary but meaningful shift.

    Governance: The Foundation for MTDI

    MTDI is only achievable when governance is defined and aligned.

    AI incidents span security, legal, engineering, risk, and business stakeholders. Recovery requires clarity around:

    • AI identity ownership
    • Business ownership
    • Technical ownership
    • Legal and compliance requirements
    • Vendor accountability and collaboration

    Just as insider-risk programs rely on multi-disciplinary governance, AI recovery requires coordinated oversight, shared responsibility, and well-documented escalation paths.

    Closing Thoughts: Recovery Must Mean Safer Than Before

    Agentic AI changes the nature of incidents and the expectations for recovery. Returning a system to the state that existed before the incident is not recovery; it is repetition. Traditional MTTR cannot capture the improvement required to operate safely in environments where AI acts with autonomy and speed.

    Mean Time to Durable Improvement (MTDI) is the metric that aligns security operations, governance, and business outcomes in the AI era. It reframes recovery as a commitment to resilience and continuous improvement, not a restoration checkbox.

    True recovery is no longer defined by how fast we get back to the past.

    True recovery is measured by how effectively we ensure the past cannot be repeated.

    Stephen Moore

    Chief Security Strategist | Exabeam | Stephen Moore is a Vice President and the Chief Security Strategist at Exabeam, and the host of The New CISO podcast. Stephen has more than 20 years of experience in information security, intrusion analysis, threat intelligence, security architecture, and web infrastructure design. Before joining Exabeam, Stephen spent seven years at Anthem in various cybersecurity practitioner and senior leadership roles. He played a leading role in identifying, responding to, and remediating their data breach involving a nation-state. Stephen has deep experience working with legal, privacy, and audit staff to improve cybersecurity and demonstrate greater organizational relevance.
