In a security operations centre, incidents rarely arrive neatly labelled. Analysts do not get a single perfect alert saying, “This is the problem. Here is the business impact. Here is the safest response.”
What they usually see is something far messier: an unusual login, a file moving where it should not, a strange endpoint, an email that looks almost legitimate, or a user action that could be a simple mistake, or a sign that someone is exploiting pressure, trust, and timing.
For DigitalShield, this is where AI has become increasingly useful. It can connect signals faster, cut through alert noise, and support threat detection, investigation, and response. Given the pace of modern attacks, no serious security team can afford to ignore it.
“I do not believe the future of cybersecurity is artificial intelligence on its own. In a SOC, the better model is AI²: actual intelligence and artificial intelligence. Human judgment comes first; AI strengthens it,” says Ray Hall, SOC manager at DigitalShield.
That is because cybersecurity depends on interpretation. A tool can tell you something unusual has happened, but people still need to work out whether it is a genuine risk, what it means for the business, and how to respond without unnecessary disruption.
Actual intelligence is the analyst’s understanding of the environment: which systems matter most, which user roles carry greater risk, which alerts need escalation, and which events need more context. It is the judgment that separates a quick reaction from the right response.
When AI exposes old weaknesses
The AI conversation has become more urgent as both defenders and attackers adopt it. Microsoft’s 2025 Digital Defense Report notes that threat actors are using AI to scale phishing and automate intrusions, while defenders need faster detection, automated response and strategies built for scale. Attackers are not waiting for businesses to finish internal AI discussions.
At the same time, AI is exposing weaknesses that were already present in many organisations. IBM’s Cost of a Data Breach Report 2025 found that 63% of organisations lacked AI governance policies, while 97% of those reporting an AI-related security incident lacked proper AI access controls. That should give any business pause before connecting AI to sensitive data, workflows and decision-making without understanding who can access what.
In South Africa, the pressure is sharper because many businesses are modernising with uneven security maturity, stretched IT teams, and complex legacy environments. If the basics are not under control, AI can magnify the risk.
The concern is rarely the AI tool alone. More often, the deeper issue is the underlying data environment. Sensitive information may be spread across systems, access rights may have expanded, classification may be inconsistent, and permissions may no longer match what people need. If that environment is already exposed, AI can accelerate the problem.
The human signal
Verizon’s 2026 Data Breach Investigations Report found that the human element was present in 62% of breaches. Mimecast’s State of Human Risk 2026 also points to pressure on email, collaboration tools, insider risk, credential misuse, and AI-powered attacks.
DigitalShield argues that describing people as the weakest link encourages lazy security thinking. While people are part of the risk, they are also part of the defence. The same employee who clicks on a convincing phishing email may also flag something unusual early enough to stop a broader incident. The question is whether that signal is noticed, understood, and acted on.
AI can prioritise alerts, identify patterns and help analysts move faster. Analysts still need to apply judgment, test assumptions, understand business context and decide what happens next. After an incident, people still need to refine detection rules, tighten access controls, review configurations, update awareness training and strengthen response plans.
The basics have to become operational
For businesses, the AI conversation should start with the parts of security that too often receive too little attention. Sensitive data needs to be identified, access rights controlled, over-permissioned accounts reduced, and continuous monitoring maintained. Incident response plans also need testing in advance, with alerts reviewed by people who understand both the technical signal and the business consequence.
Buying more tools will not solve a visibility problem if no one is watching the environment. Automation will not fix uncontrolled data access. Awareness training also falls short when suspicious behaviour is never connected to technical signals. This is where managed security services and SOC capabilities become valuable for organisations without the people, time, or specialist depth to maintain continuous internal oversight.
AI will keep improving, and defenders should use it. But AI should make security teams sharper, not passive, by combining machine speed with human context, disciplined monitoring, and clear response processes.
Find out more at www.digitalshield.co.za.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version