COMMENTARY: Walking the show floor at RSAC 2026, it was hard to miss the fact that AI still dominated everything, from the booths and the demos to the conversations spilling out into the hallways.But unlike the past two years, something felt fundamentally different this year. The tone has shifted, and skepticism has started to fade.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]For a while, the industry has been stuck on a single question: Is the AI SOC actually real? Not in slideware, not in carefully curated demos, but in the messy, high-stakes reality of enterprise security operations. This year, that question quietly disappeared. In its place was something far more consequential: Now that it works, how far can it go?One of the clearest signals came from the buyers. Large enterprises, the kind that traditionally move cautiously, scrutinize every deployment, and resist unproven technology, are no longer experimenting at the edges, they’re committing. They are actively budgeting for AI-driven SOC platforms, not as innovation projects but as operational infrastructure. When large banks and financial institutions with a high level of regulatory pressure and risk exposure start putting real dollars behind a new category, it signals that the technology has crossed over from interesting to necessary.Last year at RSAC, the AI conversation revolved largely around agents — what they could be, how they might work, where they fit. The reality, however, lagged behind the rhetoric. Most deployments were early, constrained, and carefully controlled.This year, agentic AI systems have caught up to the ambition. They’re no longer confined to narrow experiments but are delivering real outcomes in production environments, at enterprise scale. And nowhere is that more evident than inside the SOC.
Related reading:
At first, the use case was straightforward: investigations — automating triage, reducing alert fatigue, deciding what matters and what doesn’t, etc. It was the most obvious place to start because it addressed the most acute pain. But now, the scope is expanding rapidly into threat hunting, detection tuning, and broader coverage across environments that were previously siloed. And perhaps most significantly, into response.For years, the SOC has been fragmented into discrete functions, each requiring human coordination and interpretation. What’s emerging now is a system that can operate across those functions, continuously and coherently — and not just assisting, but executing. That shift is forcing a deeper rethinking of how security teams actually operate. Because if the system can investigate everything, across any environment, at any time, the bottleneck is no longer analysis, but trust.And that’s where the conversation at RSAC became far more nuanced. There’s a growing recognition that autonomy isn’t binary. This isn’t a switch you flip from human-led to machine-led. It’s a spectrum, and most organizations are somewhere in the middle, feeling their way forward.For a long time, the prevailing model was the “copilot” that saw AI as an assistant, augmenting human analysts but ultimately deferring to them. That model is starting to give way to something more assertive.AI is moving into the driver’s seat, handling first-line investigations, making initial determinations, even recommending or initiating actions. The days of manually triaging endless alerts or stitching together context across disconnected systems are numbered. Instead, analysts are being asked to oversee systems that do those things autonomously, stepping in when judgment, context, or correction is required.Of course, this all requires trust which in this context isn’t given but built over time. It comes from transparency, from consistency, from the ability to interrogate decisions and correct mistakes. This is particularly acute in environments where the stakes are highest, such as critical infrastructure, financial systems, and other highly regulated industries. In these contexts, the idea of handing over control to an autonomous system is as unnerving as it is compelling.But there’s a counterpoint that was impossible to ignore at RSAC, and that’s that adversaries are not waiting. Attackers are already leveraging AI to scale their operations, accelerate their workflows, and increase effectiveness. Phishing, reconnaissance, lateral movement — all of it is being enhanced by the same capabilities defenders are still debating, which creates an uncomfortable asymmetry.Choosing not to adopt AI doesn’t preserve the status quo; it concedes ground.Overlay all of this with the pace of innovation, and the challenge becomes even more complex. One of the more striking themes at RSAC this year was the uncomfortable idea that traditional roadmaps are breaking down. The idea that a vendor can confidently predict what they’ll deliver six months from now feels increasingly outdated.With companies like Anthropic, OpenAI, and others pushing out new models at a dizzying pace, capabilities are shifting faster than product cycles can keep up with. What seems ambitious today can become table stakes in a matter of months. What sounds like science fiction now may be deployed by next year’s conference. That volatility is unsettling, but it’s also energizing because it suggests that we’re not just in a period of incremental improvement, but in the middle of a genuine transformation.RSAC 2026 didn’t feel like the beginning of that transformation, it felt like the moment the industry realized it was already underway. The AI SOC is no longer a promise, it’s a platform that today is handling investigations across environments, expanding into adjacent functions, and starting to reshape how security teams think about their own roles.There are still open questions about trust, governance, and control, and those won’t be resolved overnight, but the direction is no longer up for debate. The real question now isn’t whether AI belongs in the SOC, it’s how much of the SOC we’re willing to give it and when.
RSAC, AI/ML, Security Operations, SOC
RSAC 2026: The AI SOC debate is over – now comes the reckoning

(Adobe Stock)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds


