Where Should Humans Sit in AI-Driven Cybersecurity?

There is a huge amount of excitement right now about AI and security operations.

Across the industry, we are seeing rapid innovation in areas such as behavioural analytics, AI-assisted investigation, and increasingly agent-based capabilities designed to help security teams process large volumes of activity more effectively. Security teams need that help. The scale of alerts, identities, and telemetry they must manage today has grown far beyond what humans alone can realistically handle.

But as AI becomes more embedded in security operations, one question still doesn’t get nearly enough attention: where should humans sit in relation to automated decisions? As AI takes on a larger role, the people supervising those systems will increasingly determine whether automation strengthens security teams or introduces new operational risks.

Models of Human Oversight

When people talk about AI oversight, they often refer to three models, ranging from direct human control to fully autonomous operation:

Human in the Loop (HITL) – Systems analyse activity and recommend actions, but a person must approve the outcome before anything happens. Humans remain directly involved in every operational decision. HITL models prioritise control, but they do not scale well in high-volume environments. Requiring human approval for every decision introduces latency at the exact point where speed is often critical.

Human on the Loop (HOTL) – Systems operate within defined parameters while people supervise what is happening and intervene where necessary. Automation can act in real time, but analysts retain the ability to monitor behaviour and step in if something looks wrong.

In practice, many mature security operations align more closely to a HOTL model. It allows automation to operate at speed, while retaining human oversight at key decision points.

The effectiveness of this model depends on visibility; analysts must be able to understand, monitor and intervene in automated decisions without slowing the system down.

Autonomous SOC – A fully self-operating security environment where AI handles detection, investigation, and response without human involvement. The concept has gained significant traction as a vision for the future of security operations, driven by the promise of speed and scale that no human team could match.

While the idea of an autonomous SOC is compelling and often positioned as the end-state for security operations, in practice it represents a boundary. Beyond a certain point, removing human judgement introduces operational risk, particularly when decisions are made on incomplete or evolving signals. 

Fully autonomous decision-making assumes a level of certainly that simply doesn’t exist in most operational environments. The question is not whether autonomy is possible, but where it is appropriate, how far it should go, and where is human judgement essential.

The distinction between these models may seem subtle, but it has significant implications for how security operations scale, and, as we will explore, why the most compelling-sounding option isn’t always the most practical one.

Why This Matters for Security Operations

Security environments generate enormous volumes of activity every day: authentication events, behavioural signals, endpoint telemetry, network activity, and alerts. Requiring analysts to manually approve every operational action quickly becomes impractical. At the same time, giving full autonomy to automated systems introduces its own risks, particularly in environments where threats, behaviour, and context can change rapidly.

The real risk is not automation itself but unobserved decision-making. When systems act without transparency, or when analysts can’t reconstruct why a decision was made, organisations lose the ability to validate, challenge and learn from outcomes. This is where operational risk begins to emerge.

In practice, effective human oversight in AI-driven security operations requires a few things that need to be done well:

• Being able to see and understand why a decision has been made
• Having clear intervention points where analysts can step in, pause or override actions
• Continuously understanding what “normal” looks like across users, systems and activity
• Feeding analyst judgement back (feedback loops) into the system so it improves overtime

The challenge for security teams is therefore not whether automation should be used, but how it should be supervised.

HITL models prioritise control but can slow response times. HOTL models allow automation to operate continuously while ensuring analysts remain able to observe and intervene when necessary.

This also explains why the idea of a fully autonomous SOC has always been somewhat unrealistic. Security operations are dynamic and unpredictable: signals are incomplete, attackers adapt quickly, and incidents rarely follow clean patterns. As Steve Wilson, Chief AI and Product Officer at Exabeam recently argued in a piece for the Forbes Technology Council, the industry is not truly moving toward autonomous SOCs. Instead, AI is supporting analysts by helping them process the growing volume of alerts and activity across their environments. Automation may assist with alert triage, behavioural analysis, and identifying unusual activity, but the responsibility for interpreting what is happening and deciding how to respond still sits with people.

Lessons from Other Industries

Cybersecurity is not the first field to encounter this challenge. Industries that rely heavily on complex automated systems have long recognised the importance of designing how humans supervise automation. The IT Revolution paper Leading the Human-AI Revolution highlights this in safety-critical environments, arguing that organisations introducing AI must deliberately design systems so that humans can still understand what the technology is doing and step in if its behaviour produces unexpected outcomes.

As AI becomes more embedded in detection and investigation workflows, cybersecurity teams are beginning to face the same question.

Resilience Is the Real Goal

At its core, this discussion is about resilience. Security teams need systems that perform reliably day to day, but they also need systems they can understand and control when something unusual happens.

Automation can analyse vast amounts of activity and surface patterns that humans might miss. But if analysts cannot see how those systems are behaving, or intervene when necessary, automation can quickly become a source of operational risk rather than a benefit. HOTL approaches offer a practical balance: they allow automation to operate continuously while ensuring analysts retain oversight and the ability to step in when required.

Looking Ahead

There is a huge amount of excitement around AI in security operations, and for good reason. Security teams are now dealing with volumes of alerts, identities and telemetry that far exceed what humans alone can realistically process. But this isn’t just a scale problem. As AI becomes embedded in detection and response, the real question is no longer can it be automated, but should it be.

Understanding where humans sit in relation to automated decisions will play a critical role in ensuring security teams remain able to oversee, guide, and intervene in the systems they depend on. Introducing AI into security operations isn’t just about speed. It’s about ensuring that when automation behaves in ways we didn’t anticipate, humans can still step in and take control.

As AI evolves, we are also seeing the emergence of agentic systems; AI entities capable of taking action and interacting across environments. This introduces a new layer of behavioural complexity, where not only humans, but also non-human identities must be understood, baselines and monitored.

Agent Behavior Analytics becomes critical here. It allows organisations to establish a baseline of ‘normal’ activity, across users, systems, and AI agents, and detect subtle deviations that rule-based approaches alone would miss.

The real risk isn’t that AI makes decisions, it’s when those decisions happen without the right guardrails, visibility and ability to intervene.