The human factor: Why AI-powered SOCs still need people in charge

Artificial intelligence is changing security operations centers (SOCs), especially in cases when SOCs are staffed or supplemented by managed detection and response (MDR) services.

AI agents can blaze through massive volumes of telemetry, dampen alert noise, and accelerate investigations. But as organizations worldwide move toward agentic SOCs, one truth remains: Humans must make the most important security decisions.

That's because while AI can augment analysts and improve efficiency, it can't replace human judgment, contextual understanding, or accountability.

"Human‑in‑the‑loop validation remains central," states a recent white paper from Sophos, a major provider of MDR services. "The agents accelerate the work, while Sophos MDR analysts confirm findings, refine conclusions, and take action."

Why human control maintains organizational goals and risk tolerance

As you'd expect, AI-powered SOCs are very good at repetitive tasks that might seem like drudgery to humans.

Sophos MDR's Triage Agent, for example, quickly analyzes detections, removes duplicate findings, sorts out benign activity, and prioritizes threats for analysts to act upon. According to the white paper, this reduces alert noise by more than 60%, giving analysts a chance to focus on truly high-impact threats.

Yet cybersecurity is never just technical. Deciding whether to disconnect a server, shut down a user account, or escalate a threat involves business considerations that AI systems cannot fully grasp.

An AI agent, ignorant of the human context, could launch aggressive containment actions that disrupt operations or customer service. Human analysts and managers understand organizational priorities, dependencies, and risk tolerance; AI models may never completely get it.

Human supervision is even more important in MDR services, where a single provider may oversee multiple customer environments, each with different security postures and risk tolerances.

One organization may prioritize uptime above all else. Another might lean toward aggressive containment. AI can quickly make recommendations in either situation, but it's up to human analysts to determine whether those recommendations align with a customer's business goals and security strategy.

How human feedback improves AI performance

AI systems improve their own performance through ongoing feedback about previous actions, but much of that refinement depends on human expertise.

The two Sophos MDR AI agents — the aforementioned Triage Agent, and the Case Investigation Agent, which examines escalated cases — were designed in-house and refined by human MDR analysts. AI handles scale and automation, while human analysts train, validate, and improve the system over time.

The Case Investigation Agent, for example, builds behavioral timelines, enriches indicators of compromise, and recommends actions, reducing mean time to investigate by up to 50%. But the white paper says it's the human analysts who "confirm findings, refine conclusions, and take action."

At this early stage in the AI revolution, models can still generate false positives and misunderstand subtle threat indicators. It takes human analysts, especially those with years of operational experience, to recognize emerging attacker behaviors, interpret ambiguous evidence, and apply their intuition.

How the human-in-the-loop model preserves responsibility

Then there's the responsibility issue. Entirely autonomous AI decision-making can create accountability or compliance problems, especially if their actions affect sensitive systems or customer data. Who takes the blame — and who solves the problem — when something goes wrong?

Sophos addresses this with three principles, the white paper states:

Organizations will be more comfortable adopting AI-assisted MDR services if they know that skilled analysts are responsible for validating conclusions and approving high-impact actions.

Even the best AI-powered SOCs can't replace security teams. Instead, they're force multipliers that make human analysis faster, more efficient, and more consistent.

 Success with agentic SOCs depends not on removing humans from the process entirely but combining machine efficiency with human expertise to produce faster, smarter, and better outcomes.