After experiencing a take-over of an employee account by hackers, we faced a set of critical questions to answer. Could we rely on humans reading log entries? Could we defend our users, data and operations working 9 to 5? We had all the tech and alerts to be ‘always on’ after hours but the attack showed the frailty in traditional IT operations faced with adversaries working different time zones and automating attacks that ran 24/7/365.

What we decided to do was to create a virtual SOC and set up a 24/7 desk. All logs would be read by and AI and alerts prioritized and lifted to a human for review and action. The noise this created will the topic for another post. What happened, slowly at first, was AI rushing into the security stack. It seemed logical at first: export telemetry, let a powerful model analyze it and get a faster summary in front of your security operator.

When you send firewall logs, authentication records, and incident traces to an external AI (and that includes the many Microsoft tools we use), you are exporting your organization’s ‘operational map’ outside your legal and technical control. There are hidden costs and consequences all IT leaders have to be aware of:

1. In Europe, data sovereignty and jurisdiction is a GDPR and trust boundary issue. We lose control over where the data goes and who reads and retains it.
2. Relying on a third party’s uptime, pricing models and API limits is a risk your business continuity. A provider outage in a crisis could leave us blind and disable incident response capabilities.
3. The generic models used by cloud providers lack your specific context. They have no insight to your network and applications. This means flagging benign incidents and scheduled back-ups as read alerts.

The solution is to design systems where data stays within your boundaries, deterministic parsing happens before inference, and your team retains the ability to analyze their own environment regardless of outside factors. I believe controlled AI is the future of cybersecurity, built around a trust architecture. Small trained AIs that know your topology will strengthen your security posture, and avoid creating outside dependencies.