The Two-Speed SOC: Why Autonomous AI and Analyst Copilots Need Different Guardrails
A design question inside a Fortune 50 security team points to a bigger governance gap for AI in the security operations centre.

Key points
- A Fortune 50 chief information security officer is piloting Anthropic's Claude inside his security operations centre, according to a recent industry account.
- The team is running the AI in two modes: autonomous agents that act on their own, and copilots that assist a human analyst.
- Governance frameworks for AI in security work, including the US National Institute of Standards and Technology's AI Risk Management Framework released in January 2023, treat these two modes as different risk classes.
- No regulator has yet issued a final rule specifically for AI use inside a security operations centre.
- The European Union's AI Act, which entered into force on 1 August 2024, will phase in obligations for high-risk AI systems through 2026.
A senior security leader at one of the largest companies in America is quietly running an experiment that regulators have not yet caught up with. His team has plugged an AI model into their security operations centre, the room where analysts watch for signs of hackers, and given it real work to do.
The account, first surfaced by The Hacker News, is anecdotal. But it maps neatly onto a question that policy staff at several agencies have been circling for a year. When an AI system helps investigate a cyber attack, who is accountable for what it decides?
What is actually happening inside this security team?
The team has connected Claude, an AI assistant made by Anthropic, to a handful of detection tools. Two modes are running side by side.
In the first mode, the AI works as an autonomous agent. It pulls logs, checks alerts, and takes small actions without a human pressing a button each time.
In the second mode, it works as a copilot. A human analyst asks questions, the AI drafts answers, and the analyst decides what to do.
The distinction sounds academic. It is not. Under most emerging AI governance frameworks, an autonomous system that acts on its own sits in a higher risk tier than an assistant that only suggests.
Why this matters for the rulebook
The US National Institute of Standards and Technology published its AI Risk Management Framework in January 2023 as voluntary guidance. Section 3 of that framework asks organisations to map, measure, and manage risk based on how much autonomy a system has and what harm it could cause.
A security operations centre is a high-stakes environment. An autonomous agent that shuts down the wrong server, or misreads a log and clears a real alert, can cause real damage. That is not a hypothetical. It is the kind of failure mode that any final rulemaking on AI in critical operations will have to address.
The European Union's AI Act, which entered into force on 1 August 2024, goes further than the American framework. Article 6 sets out which systems count as high-risk. Security tools that make consequential decisions about network defence may fall inside that scope depending on how they are deployed. Obligations phase in through 2026, with a public consultation window still open on several implementing acts.
In the United States, the Securities and Exchange Commission's cyber incident disclosure rule, adopted in final form on 26 July 2023 and effective for most registrants from 18 December 2023, requires disclosure of material incidents within four business days on Form 8-K, Item 1.05. Nothing in that rule yet addresses whether an AI agent's autonomous action inside the response process must be disclosed or logged.
What organisations should be doing now
Security teams piloting AI in the operations centre should keep a clear paper trail of which decisions the AI made alone and which a human approved. That record will matter if a regulator asks, and it will matter more if something goes wrong.
Boards should ask two questions. Where in our response process does an AI act without a human? And who signed off on that scope?
The rulemaking will catch up. The teams that documented their choices early will have a much easier time explaining them.



