AI is reshaping the Security Operations Centre (SOC), but how far should autonomy really go?
Drawing on experience from the CIA to the private sector, William MacMillan (former CISO of the CIA, former SVP for Info Sec at Salesforce) explores how security leaders should adopt AI in operations; balancing speed, risk, and human oversight as threats accelerate.
Leadership under pressure shapes decision-making
High-stakes environments reinforce the importance of calm leadership and deliberate communication.
In cyber crises, speed is essential, but so is clarity. Leaders who create space for input, maintain composure, and communicate across stakeholders make better decisions under pressure. William describes stepping into the CIA CISO role as the SolarWinds breach unfolded. Drawing on earlier experiences in a war zone and major cyber incidents, he emphasises projecting calm, engaging stakeholders early, and translating complexity into clear communication.
AI in the SOC is moving from exploration to execution
2026 marks the shift from experimentation with AI to operational adoption.
Organisations are moving beyond curiosity into real procurement and deployment decisions. Security teams must now define principles, select platforms, and embed AI into workflows. William notes that earlier “window shopping” behaviour has shifted into active buying, proofs of value, vendor selection, and deployment. However, organisations remain cautious, prioritising controlled adoption over aggressive automation.
The autonomous SOC is still an illusion
Fully autonomous security operations remain unrealistic; human judgment is still critical.
AI can dramatically improve efficiency, but it is not yet ready to make high-risk decisions independently. Over-automation introduces new risks, particularly in critical environments. William advocates a “human at the helm” model. AI excels at observe and orient tasks (data processing, context building, and reducing analyst workload), but decision and action stages still require human oversight to avoid unintended consequences.
Focus AI where it creates immediate value
The strongest near-term value of AI in cyber lies in efficiency and time compression.
AI enables analysts to process information faster, reduce manual effort, and improve investigation speed—delivering measurable ROI without increasing risk exposure. William highlights areas like data correlation, threat triage, and workflow automation, where AI collapses repetitive tasks. Rather than replacing teams, organisations should “keep all skaters on the ice” and use AI to amplify capability.
Data discipline and collaboration are critical enablers
Effective AI adoption depends on better data management and stronger cross-functional alignment.
Poor data quality and organisational silos limit both security and AI outcomes. Collaboration across the digital C-suite is essential to maximise value and reduce risk. William stresses that CISOs and Chief Data Officers must work closely, describing cyber security as fundamentally “data security”. He also highlights AI’s role in identifying redundant data and improving cost efficiency.
Emerging threats demand urgency, but not panic
AI-driven threats and quantum risks are real and immediate, but must be addressed with discipline, not fear.
Organisations face increasing noise and hype, but leaders must stay focused on fundamentals, identity, visibility, and control, while preparing for emerging risks. William points to AI-driven vulnerability discovery and “harvest now, decrypt later” quantum risks as pressing concerns. However, he emphasises practical steps: strengthen basics, improve visibility, and start with crown-jewel data.
Key takeaways:
- AI delivers the most value in augmenting analysts and accelerating workflows, not replacing human decision-making.
- Security leaders must prioritise fundamentals, data discipline, and cross-functional collaboration to unlock safe AI adoption.
- Emerging threats are accelerating, but resilience depends on calm, structured responses, not reactive, hype-driven decisions.