
AI in the SOC: What Could Go Wrong?

Source: Dark Reading (archived Mar 24, 2026)

Two cybersecurity leaders tested out AI in their respective SOCs for six months — and here's what they learned.



Becky Bracken, Senior Editor, Dark Reading
March 23, 2026 · 4 Min Read

RSAC 2026 CONFERENCE – San Francisco – External, internal, and operational pressures to deploy AI and unlock its promise of increased speed and efficiency have left enterprise cybersecurity professionals in a tough spot: they need to enable innovation while trying to foresee the risks it might introduce.

Two enterprise cybersecurity leaders decided to take on the AI challenge and share at this year's RSAC 2026 Conference what they determined it can do well, and what it isn't ready to take on.

Both of their enterprise environments carry big risk when it comes to cyberattacks. One cybersecurity leader, Ankit Gupta, oversees a Fortune 500 food manufacturing company, and the other, Shilpi Mittal, is charged with protecting a financial company. Both decided to run a six-month trial period to find out how AI could work for them in their security operations centers (SOCs).

Gupta and Mittal shared their findings at this year's RSAC 2026 Conference during a session entitled "We Put AI in Our SOC — Here's What Worked and What Didn't."

AI in the Fortune 500 Food Manufacturing SOC

Mittal reports that she found success using a large language model (LLM) inside her food manufacturing company's SOC case workflow as a "read-only triage assistant," she explains in an interview with Dark Reading. In general, Mittal found the AI-powered SOC tool able to evaluate data from multiple sources and perform analysis based on created rules.
Over the SOC AI pilot period, Mittal's team measured improvements in key metrics: "Mean time to discovery (MTD) improved by 26% to 36%, mean time to response (MTTR) improved by 22%, and false positives were reduced by 16 points," Mittal says, adding that the security team "maintained strict guardrails, including enforced citations, human approval gates, tool allow lists, and full audit logging."

In one instance, "AI detected a suspicious .git file at an endpoint," Mittal explains. "The AI determined it contained potential malware and automatically quarantined the file and shut down the software on the endpoint, demonstrating proactive threat prevention."

Along with the gains in the various metrics, though, AI did introduce additional false positive alerts for teams to manage. And going forward, Mittal adds, layering additional AI tools on top of her manufacturing organization's sprawling operational technology (OT) and legacy systems will present its own set of challenges.

Mittal found that placing AI inside a SOC in manufacturing requires different thinking; in her organization, operational downtime directly impacts revenues, production lines, and worker safety.

"This reality shaped every architectural and governance decision," she notes. For instance, during her trial period, AI was intentionally not positioned as a control mechanism over industrial systems.

"Instead, we embedded it strictly inside security case management workflow as a read-only triage assistant that synthesizes alerts from endpoint detection and response (EDR), network telemetry, cloud systems, applications, and OT monitoring feeds," she says. "AI was never allowed to directly interact with programmable logic controllers (PLCs), SCADA systems, or any production equipment."

AI in the Financial Institution's SOC

Financial institutions face a separate set of challenges, making deploying AI in the SOC tricky.
Ankit Gupta's organization deals with huge amounts of structured and unstructured data that are "tightly regulated, economically sensitive, and directly tied to consumer trust. They are constantly monitored by regulators, including state-level regulations from (states like) California and Texas," he says.

Gupta's six-month trial period found AI very useful for speeding up tasks like fraud detection, automated underwriting, algorithmic trading, customer service automation, and risk modeling.

He also found that AI was able to improve existing playbooks, which Gupta has found to be "deterministic and rigid, working well only when patterns are predictable."

Implementing AI in the SOC, though, was a less compelling use case. Gupta shares that his organization conducted a two-week test on a non-production system where AI was given full control. The results were bad.

"SOC reality is messy — alerts arrive with incomplete fields, inconsistent identifiers, and ambiguous signals," Gupta explains, adding, "AI incorrectly removed users from the system." All of this led him to conclude that AI can assist in the SOC, but final action calls would always remain with humans. Rather than replacing security analysts or taking full control of alert management, it helps by connecting dots: "LLMs are particularly strong at summarizing important information, correlating context, and generating structured narratives from inputs from various security tools," he says.

On the positive side, Gupta did see measurable reductions in analyst fatigue during the pilot period in his financial organization. "The biggest shift was reducing context switching and repetitive documentation," Gupta says. "Analysts were spending 10-15 hours per week creating documentation and gathering information for business — this work has been transferred to AI with excellent results."
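The guardrails Mittal lists (tool allow list, human approval gate, enforced citations, full audit logging) and Gupta's conclusion that final action calls stay with humans describe one architecture: the assistant may read freely, but every write action is gated. The following is an added illustration of that policy layer, not code from either organization or the article; the tool names, alert ids and the `[ALERT-ID]` citation format are constructed for the example.

```python
# Added example: policy layer around a read-only triage assistant's tool calls.
# Hypothetical tool names and constructed alert data; not the pilots' own code.
import re

# Constructed sample alerts the assistant is allowed to cite.
ALERTS = {
    "EDR-1001": "suspicious .git directory written to endpoint HOST-7",
    "NET-2002": "HOST-7 beaconed to an unknown external IP",
}

# Tool allow list: read-only lookups run freely; write actions need a human approval.
READ_ONLY_TOOLS = {"get_alert": lambda alert_id: ALERTS.get(alert_id)}
WRITE_TOOLS = {"quarantine_file", "disable_user"}   # hypothetical action names

CITATION = re.compile(r"\[([A-Z]+-\d+)\]")          # e.g. [EDR-1001]
SENTENCE_END = re.compile(r"(?<=[.!?])\s+")


class TriageGuardrails:
    def __init__(self):
        self.audit = []        # full audit log: (verdict, tool, args) for every attempt
        self.approved = set()  # (tool, frozen args) an analyst has explicitly signed off

    def approve(self, tool, **args):
        """Human approval gate: authorizes one specific action, not the tool in general."""
        self.approved.add((tool, tuple(sorted(args.items()))))

    def call_tool(self, tool, **args):
        """Run a tool call only if the allow list and approval state permit it."""
        key = (tool, tuple(sorted(args.items())))
        if tool in READ_ONLY_TOOLS:
            self.audit.append(("allowed", tool, args))
            return READ_ONLY_TOOLS[tool](**args)
        if tool in WRITE_TOOLS and key in self.approved:
            self.audit.append(("approved", tool, args))
            return f"{tool} executed"
        verdict = "pending-approval" if tool in WRITE_TOOLS else "denied"
        self.audit.append((verdict, tool, args))
        raise PermissionError(f"{tool}: {verdict}")

    def check_citations(self, summary):
        """Enforced citations: every sentence must cite at least one real alert id."""
        for sentence in SENTENCE_END.split(summary.strip()):
            ids = CITATION.findall(sentence)
            if not ids or any(i not in ALERTS for i in ids):
                return False
        return True
```

An unapproved `disable_user` call is logged as pending rather than executed, which is the failure mode Gupta's full-control test hit; a summary that asserts something without a citation to a known alert is rejected before it reaches the case.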
The trial runs are timely, given that leaders across almost every sector are facing pressure to roll out AI tools. "Boards and executives hear constant messaging about AI-driven efficiency, not just in security but in productivity tools like Copilot and ChatGPT," Gupta says. "Pressure in finance is amplified because the industry is data-rich, innovation-sensitive, and heavily regulated."

It's critical that cybersecurity teams stay engaged with adoption across the organization and not fall into the trap of being a roadblock to innovation, Mittal and Gupta advise. "Business drives security," Mittal adds. "Security doesn't drive the business."

About the Author

Becky Bracken, Senior Editor, Dark Reading. Becky Bracken is a senior editor with Dark Reading who brings decades of journalism experience across radio, print, online and video channels. Becky lends her particular voice and cybersecurity expertise to the Dark Reading Confidential podcast as the host and producer, and moderates the Dark Reading editorial webinars. In addition, she oversees the site's Commentary section, hosts Dark Reading's Black Hat News Desk, and contributes regularly as a writer and reporter. Prior to joining Dark Reading, Becky covered cybersecurity and hosted webinars for Threatpost. Other national media outlets she has contributed to include PBS, SheKnows, Complex, and more.