Just after the turn of the century, IBM introduced the term “autonomic IT.” At the time, IBM’s perspective was that IT applications, networks, and systems had become too complex for humans to manage, monitor, or secure. IBM presented its autonomic IT concept, with a vision of IT systems that could manage themselves with advanced capabilities for self-configuration, self-optimization, self-healing, and self-protection – a future of autonomy, efficiency, and IT harmony on the horizon.
Wow, this (and similar) futuristic IT perceptions were mind-blowing! Machines managing machines. Software managing software. While I genuinely appreciated the vision, I had to temper my enthusiasm with a small dose of reality. I wondered, “Will this really happen? When? And what could go wrong here?” Knowing what I knew about technology capabilities and limitations at the time, I postulated that autonomic computing would indeed happen, though I had no idea when.
As for what could go wrong, I could only think of the HAL 9000 AI controller from the Stanley Kubrick movie, 2001: A Space Odyssey. In the initial stages of the movie, HAL exhibits flawless and helpful behavior. Suddenly, however, HAL starts to perceive the human crew as an impediment to the mission it was programmed to execute. In response, HAL starts to work against the crew, spying on and eventually eliminating them. Hmm, could IBM’s autonomic computing cast humans aside, rule unchecked over IT, and perhaps destroy the world?
The movie came out in 1968 while IBM declared its IT autonomy vision in 2001. And then, nothing happened for a quarter century. Finally, twenty-five years later AI is making IT autonomy dreams a reality – well, sort of.
Take the security domain, for example. The terms autonomous SOC and agentic SOC have evolved from marketing hype to the cusp of reality. In 2025, SOC co-pilots gained traction, providing generative AI responses to analyst prompts. In 2026, innovation proceeded with the introduction of AI agents, emulating analyst behavior by performing some data analysis and workflow chores. This is only the beginning. In the near future, agentic SOC functions promise to climb the skills ladder, performing tasks like threat hunting, orchestrating workflows, and patching vulnerable systems.
Based on current progress and future innovation, it’s clear that AI agents will get smarter and more capable over time, leading to smarter and more autonomous SOCs. With the future much more certain than past speculation and science fiction, will humans continue to have a security operations role, or will IBM and Kubrick’s vision of full autonomy come to fruition?
Allow me to set the record straight. AI will greatly improve security operations intelligence, scale, and velocity, but humans will always be essential to SOC decision-making. In fact, we should stop talking about the autonomous SOC and change the terminology to the human-augmented autonomous SOC. This better captures the true relationship – AI is becoming an increasingly powerful tool, enabling human SOC personnel to greatly improve security operations efficacy and efficiency.
Over time, the relationship between humans and AI will evolve as security agent functionality and capability improve. As this happens, human input will transform as follows:
1. Present: Humans enable AI with the appropriate data infrastructure. Here’s a dirty little secret: Agentic AI can’t be accurate or valuable when encountering fragmented data schemas, broken correlations, or missing telemetry. Therefore, human efforts (today and into the near future) start with activities like pipeline orchestration, schema normalization, entity and asset graphs, and semantic indexing and vector databases. Additionally, organizations must strive for data hygiene and noise reduction. This data engineering/management groundwork is critical for creating accurate and up-to-date models, enabling security agents to do their jobs.
2. 2026-2027: Tier 1 analyst automation continues. This is already happening and will continue into next year. During this phase, agentic SOC tools automate Tier 1 triage tasks by enriching alerts with threat intelligence and including additional context (e.g., asset location, identity, and telemetry from other tools). The goal is to accelerate and scale alert triage at machine speed. Agents will create tickets, provide summary investigation reports, and calculate risk scores. All this work greatly enhances the work of more senior SOC analysts, who then use human judgement to add context (and experience) to AI output and then make and execute remediation decisions.
3. 2027-2028: Automated remediation takes off. After a training and engineering phase, agents are gradually allowed to take remediation actions autonomously (e.g., quarantining a system or blocking an IP address). However, these actions are considered basic remediation tasks and are only automated where there is a combination of high-confidence attacks linked to low-value assets. All remediation actions must also be based on a well-defined governance model, supported by policy enforcement, monitoring, and system tuning – all guided by seasoned security engineers and analysts. Working cooperatively with AI agents, security teams will gain confidence in automated remediation and slowly adjust guardrails to mechanize more actions. There will still be a requirement for human-in-the-loop (HITL) checkpoints for any questionable behaviors that demand human intuition and experience.
4. 2028 and beyond. The percentage of automated actions will continue to increase, further driving human efficiency, but HITL persists for any and all questionable cases. Symbiosis between AI agents and humans greatly accelerates during this period as agents learn more about collaborating with humans and humans learn more about collaborating with agents. It should be noted that as adversaries fully embrace AI, the number of questionable behavior incidents will increase, adding to human oversight, the need for advanced skills, and improvements in human/agent cooperation. Organizations relying on agentic SOC tools may learn difficult lessons through “automation complacency,” where they allow agents to take actions with a negative outcome (e.g., disabling critical systems or blocking legitimate traffic). Meanwhile, the IT environment and attack surface will continue to grow more complex with AI proliferation. This means that agents must be continually tuned with reinforcement learning – once again, driven by experienced humans. In aggregate, humans and agents form a mutually beneficial team where humans strive for continuous agent improvement through tasks like agent orchestration, AI model training, threat hunting, red teaming, and governance.
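
To make the remediation guardrail in step 3 concrete, here is a sketch of the gate that decides between autonomous action and a HITL checkpoint, failing closed on the cases step 4 warns about. It is an added example, not code from the original article or from any product; the action names, the 0.90 threshold, the asset tiers, and the sample inventory are all assumptions.

```python
import math
from dataclasses import dataclass

# Constructed policy values (assumptions for illustration only).
AUTO_ACTIONS = {"quarantine_host", "block_ip"}  # "basic" remediation tasks
MIN_CONFIDENCE = 0.90                           # high-confidence detections
AUTO_TIERS = {"low"}                            # low-value assets only

@dataclass(frozen=True)
class Proposal:
    action: str        # remediation the agent wants to take
    asset: str         # internal asset the detection is linked to
    confidence: float  # agent's detection confidence, 0.0 to 1.0

def decide(p, asset_tiers, audit):
    """Return 'auto' or 'hitl'; every decision and its reasons are audited."""
    reasons = []
    tier = asset_tiers.get(p.asset)  # None means not in the asset inventory
    if p.action not in AUTO_ACTIONS:
        reasons.append(f"action {p.action!r} is not approved for automation")
    # A NaN or out-of-range score fails this comparison and goes to a human.
    if math.isnan(p.confidence) or not (MIN_CONFIDENCE <= p.confidence <= 1.0):
        reasons.append(f"confidence {p.confidence} outside [{MIN_CONFIDENCE}, 1.0]")
    if tier is None:
        reasons.append("asset value unknown, failing closed")
    elif tier not in AUTO_TIERS:
        reasons.append(f"asset tier {tier!r} requires an analyst")
    verdict = "hitl" if reasons else "auto"
    audit.append({"proposal": p, "verdict": verdict, "reasons": reasons})
    return verdict

def demo():
    """Run the gate over constructed proposals and a constructed inventory."""
    tiers = {"kiosk-17": "low", "erp-db-01": "critical"}
    audit = []
    proposals = [
        Proposal("quarantine_host", "kiosk-17", 0.97),        # meets every rule
        Proposal("quarantine_host", "erp-db-01", 0.99),       # critical system
        Proposal("block_ip", "kiosk-17", 0.62),               # weak detection
        Proposal("disable_account", "kiosk-17", 0.98),        # not a basic action
        Proposal("quarantine_host", "lab-vm-unknown", 0.99),  # not inventoried
    ]
    return [decide(p, tiers, audit) for p in proposals], audit

if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry["verdict"], entry["proposal"], entry["reasons"])
```

Loosening a guardrail then means changing one of the three policy constants under review, and the audit trail shows which rule sent each case to an analyst.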


