For AI to succeed in the SOC, CISOs need to remove legacy walls now
What separates the SOCs getting results from their AI strategies from those that aren't is CISOs who take ownership of AI initiatives, anticipate roadblocks early, and systematically demolish the legacy walls that get in the way.
The disconnect between AI's promise and delivery dominated discussions at Forrester's 2025 Security & Risk Summit last week. "We have a chaos agent of our own today," said Allie Mellen, a principal analyst, during her keynote. "And that chaos agent is — you guessed it — generative AI."
Her keynote focused on the fact that many organizations and their cybersecurity teams are trapped behind self-imposed barriers that limit their potential.
Closing the gap between agentic AI winners and losers
The gap between AI winners and losers in cybersecurity isn't about technology. It's about organizational readiness.
While leading organizations, including Carvana, City of Las Vegas, Copperbelt Energy Corporation Plc, Inductive Automation, Salesforce, and many others, capture efficiency gains, most enterprises remain trapped behind barriers that have built up over decades. With adversaries achieving a breakout in as little as 2 minutes 7 seconds, and 80% of security teams preferring GenAI integrated into a broader security platform, dismantling legacy walls isn't just strategic, it's existential. More than 70% of enterprises experienced at least one AI-related breach in the past year alone, with generative models now the primary target, according to recent SANS Institute findings.
The latest industry data presents a troubling paradox, however. Carnegie Mellon's AgentCompany benchmark shows that AI agents fail 70 to 90% of the time on complex enterprise tasks. Salesforce's research confirms that its internal agent failure rate exceeds 90% when security guardrails are applied. Yet 79% of executives report meaningful productivity gains from deployed AI agents. The resolution lies not in perfecting AI, but in removing the organizational walls that prevent its effective deployment.
"The legacy SOC, as we know it, can't compete. It's turned into a modern-day firefighter," warned CrowdStrike CEO George Kurtz during his keynote at Fal.Con 2025. "The world is entering an arms race for AI superiority as adversaries weaponize AI to accelerate attacks. In the AI era, security comes down to three things: the quality of your data, the speed of your response, and the precision of your enforcement."
Enterprise SOCs average 83 security tools across 29 different vendors, each generating isolated data streams that defy easy integration with the latest generation of AI systems. System fragmentation and lack of integration are AI's greatest vulnerability in the SOC, and organizations' most fixable problem.
The mathematics of tool sprawl is devastating. Organizations deploying AI across fragmented toolsets report significantly elevated false-positive rates, roughly one alert in four, with some teams seeing 30% or more. Most enterprises, 74%, rely on multi-vendor cybersecurity ecosystems, and 43% cite lack of cross-platform integration as a significant operational burden.
Dismantling governance gridlock with a single agent architecture
Traditional security governance was built for and assumes human-speed operations composed of quarterly reviews, monthly audits, and daily approvals. AI agents operate at machine speed, making millions of decisions per second. This velocity mismatch creates a governance crisis that paralyzes AI adoption.
Getting governance right is one of a CISO's most formidable challenges, and it often means removing longstanding roadblocks so that the security organization can connect with and contribute across the business. CrowdStrike, Palo Alto Networks, SentinelOne, Trellix, and others are taking on this challenge at the architectural level of their platforms.
CISOs tell VentureBeat that excelling at governance is one of their most crucial tasks to get right. Having a centralized platform that consolidates all sources of telemetry, ideally in a single-agent model, is what's needed. SOC teams need the latest telemetry data to correlate in real time and to scale detection and response. CrowdStrike's Falcon platform, for example, consolidates endpoint, cloud, identity, and threat intelligence streams into a unified telemetry pipeline, enabling SOC teams to make governance decisions at machine speed and precision. From a governance standpoint, this architecture unlocks several critical capabilities.
- Policy-as-code for AI agents: Guardrails (e.g., data residency rules, acceptable use, privileged action limits) can be encoded once and consistently enforced wherever agents operate, instead of being re-implemented per tool.
- Single source of truth for evidence and audit: Investigations, exception approvals, and AI-driven actions are all backed by the same telemetry and log fabric, simplifying regulatory reporting and reducing audit findings.
- Continuous control monitoring: Rather than sampling controls quarterly, the platform can continuously test whether identity, endpoint, and workload policies are actually effective in the live environment.
- Closed-loop enforcement: Detected policy violations can automatically trigger compensating controls, from revoking tokens to isolating workloads, without waiting on human approval queues when risk thresholds are exceeded.
- Consistent identity-centric governance: Mapping activity to identities, not just devices or IPs, lets CISOs enforce least privilege, monitor insider risk, and constrain what AI agents can do on behalf of humans.
These design goals equate to fewer agents to manage and patch, fewer conflicting policies, and fewer blind spots across hybrid and multi-cloud environments. For CISOs, that translates into something very concrete: a defensible narrative to the board and regulators that AI initiatives are not rogue automation, but are operating within a provable, monitored, and enforceable governance framework built on a coherent architecture rather than a tangle of tools.
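The guardrail bullets above describe a pattern rather than any specific product. The following is an added example, written for this page and not taken from the article or from any vendor platform it names, of what that pattern looks like as code: a policy encoded once, every proposed agent action mapped to the human identity it acts for, one audit trail for all decisions, and closed-loop enforcement that fires without a human queue once a risk threshold is crossed. The policy keys, identities (`alice`, `bob`), agent name (`triage-bot`), actions and risk scores are all assumptions chosen to illustrate the idea.

```python
"""Policy-as-code guardrails for AI-agent actions (added illustrative example).

Assumptions: the policy dict, role table, agent and identity names and risk
scores below are constructed for the demo, not taken from any real platform.
"""
from dataclasses import dataclass, field

# Guardrails encoded once. A real deployment would load this from a
# version-controlled YAML/JSON file rather than a Python dict (assumption).
POLICY = {
    "data_residency": {"customer_pii": {"eu"}},   # dataset -> permitted regions
    "privileged_actions": {"revoke_token", "isolate_host", "delete_data"},
    "max_privileged_per_window": 2,               # cap per human identity
    "risk_threshold": 80,                         # >= this: enforce, don't queue
}

# Identity -> roles. The agent holds no roles of its own; it inherits the roles
# of the human it acts on behalf of (identity-centric least privilege).
IDENTITY_ROLES = {"alice": {"soc_admin", "analyst"}, "bob": {"analyst"}}


@dataclass
class Action:
    agent: str            # AI agent proposing the action
    on_behalf_of: str     # human identity the agent acts for
    action: str
    dataset: str = ""
    region: str = ""
    risk: int = 0         # 0-100 score attached by upstream detection


@dataclass
class Decision:
    allowed: bool
    violations: list = field(default_factory=list)
    enforcement: list = field(default_factory=list)   # compensating controls fired
    queued_for_review: bool = False                   # human approval path


class Guardrails:
    def __init__(self, policy=POLICY, roles=IDENTITY_ROLES):
        self.policy = policy
        self.roles = roles
        self.privileged_used = {}   # identity -> privileged actions used this window
        self.audit = []             # single evidence trail for every decision

    def evaluate(self, a: Action) -> Decision:
        d = Decision(allowed=True)
        # 1. Data residency: one rule, enforced for every agent and tool.
        permitted = self.policy["data_residency"].get(a.dataset)
        if permitted and a.region not in permitted:
            d.violations.append(f"{a.dataset} may not be processed in {a.region}")
        # 2. Privileged actions require a role the human actually holds and are
        #    capped per identity, so an agent cannot burn through them unchecked.
        if a.action in self.policy["privileged_actions"]:
            if "soc_admin" not in self.roles.get(a.on_behalf_of, set()):
                d.violations.append(f"{a.on_behalf_of} lacks soc_admin for {a.action}")
            if self.privileged_used.get(a.on_behalf_of, 0) >= self.policy["max_privileged_per_window"]:
                d.violations.append(f"privileged action limit reached for {a.on_behalf_of}")
        if d.violations:
            d.allowed = False
            # 3. Closed loop: a violation at or above the risk threshold triggers a
            #    compensating control immediately; lower-risk ones wait for a human.
            if a.risk >= self.policy["risk_threshold"]:
                d.enforcement.append(f"revoke_token:{a.agent}")
            else:
                d.queued_for_review = True
        elif a.action in self.policy["privileged_actions"]:
            self.privileged_used[a.on_behalf_of] = self.privileged_used.get(a.on_behalf_of, 0) + 1
        # 4. Every decision, allowed or not, lands in the same audit trail.
        self.audit.append((a.agent, a.on_behalf_of, a.action, d.allowed, list(d.violations), list(d.enforcement)))
        return d


def run_demo(guardrails=None):
    """Evaluate a constructed sequence of agent actions (not real telemetry)."""
    g = guardrails or Guardrails()
    actions = [
        Action("triage-bot", "alice", "query_logs", "customer_pii", "eu", risk=10),  # allowed
        Action("triage-bot", "alice", "query_logs", "customer_pii", "us", risk=30),  # residency, queued
        Action("triage-bot", "bob", "isolate_host", risk=90),                        # no role, token revoked
        Action("triage-bot", "alice", "isolate_host", risk=50),                      # allowed (1 of 2)
        Action("triage-bot", "alice", "isolate_host", risk=50),                      # allowed (2 of 2)
        Action("triage-bot", "alice", "isolate_host", risk=85),                      # cap hit, token revoked
    ]
    return [g.evaluate(a) for a in actions]


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

The point of the structure is that the residency rule, the role check and the privileged-action cap live in one place and are applied to every agent regardless of which tool it drives; the only decision left to a human is the low-risk exception queue, and even that is recorded in the same audit list as the automatic enforcements.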
Transforming the culture of "no" forces CISOs to think strategically
A CISO's transformation from security gatekeeper to business enabler and strategist is the single best step any security professional can take in their career. CISOs often remark in interviews that the transition from being an app and data disciplinarian to an enabler of new growth, with the ultimate goal of showing how their teams help drive revenue, was the catalyst their careers needed.
Andrew Obadiaru, CISO at Cobalt, captures the urgency: "Nothing is particularly new, maybe AI is newer, and the pace at which it's all going keeps increasing, but we need to do better at all of it in 2025."
"Tying my teams' performance to new revenue we enabled by thinking strategically is the single best decision I've made for my teams and my career," a CISO of a financial services firm told VentureBeat.
Pritesh Parekh, CISO at PagerDuty, emphasizes that "when security is done right, we're actually accelerating the business by eliminating manual checkpoints and replacing them with automated guardrails." This approach directly enables the machine-speed governance that AI agents require, which is coincidentally the same governance architecture that CrowdStrike and others are building into their platforms.
Organizations with unified security and IT operations tend to excel at governance while also reporting 30% fewer significant security incidents compared to those with siloed teams. When adversaries achieve a breakout in 2 minutes 7 seconds, cultural silos become attack vectors.
The fix is straightforward. Integrate security teams into development and operations. Build automated guardrails, not manual checkpoints. Enable AI agents to securely tap into unified data streams so they can monitor in real time and respond instantly. This way, security stops being the department that slows everything down and becomes the intelligence that powers automated defense.