AI in the SOC: Bridging the Gap Between Hype and Value
Despite billions flowing into AI-powered security operations, a new report reveals that most SOCs are seeing underwhelming results. The **SOC-CMM 2026 Maturity Report** highlights a significant disconnect between rapid AI adoption and actual value, pointing to structural issues in how AI is currently integrated into security workflows. This article explores the root causes of this underperformance and outlines what the next wave of AI in the SOC must deliver.

Eighteen months ago, the concept of an AI-powered Security Operations Center (SOC) was largely a marketing talking point. Today, it's a critical budget item, with billions invested in AI-driven security platforms, agentic SOC tools, and AI co-pilots integrated across the security stack. Data indicates that SOCs are adopting and deploying AI capabilities at an unprecedented rate.
However, despite this rapid adoption, many SOCs are reporting underwhelming results. The inaugural objective benchmark on AI's value in the SOC, published in the **SOC-CMM 2026 Maturity Report** this May, surveyed approximately 200 SOCs. A mere 10% of respondents reported "excellent" value from AI, with 19% citing "good" value. A significant 71% reported "some" or "no" value at all.
This trend, eighteen months into widespread AI deployment, signals a structural issue. This article delves into what the data reveals and what the next evolution of AI in security operations must deliver to bridge this performance gap.
## What the SOC-CMM 2026 Data Shows
Three key findings from the **SOC-CMM 2026 Maturity Report**'s AI section stand out, and they point in the same direction.
First, AI adoption is up across every category within the SOC. Off-the-shelf large language models saw a 55% year-over-year increase, AI co-pilots surged by 145%, AI agents by 118%, supervised machine learning by 96%, and customized LLMs by 64%. Read alongside the value figures above, this suggests that SOC teams are buying AI faster than they are building the operational maturity needed to extract meaningful value from what they buy.
Second, the predominant adoption pattern is what the report terms the "taker model": deploying off-the-shelf AI within an existing security stack without customization. Approximately 65% of surveyed SOCs identify as takers, while 20% are "shapers" (customizing what they buy), and only 15% are "builders" (training models on their own data). Takers represent the largest cohort and report the least value. This pattern holds true across hybrid, in-house, and MSSP SOCs, indicating a structural rather than circumstantial cause.
Third, the report highlights that the two SOC improvement challenges that grew year-over-year are a lack of best practices (+17%) and the complexity of increasing maturity (+11%). Conversely, challenges like budget constraints and lack of management support decreased. SOCs, in other words, are not short of resources or executive buy-in; they are unsure how to effectively leverage the AI they've acquired. That is the AI maturity gap in a single data point: the binding constraint has moved from budget to know-how.
## Why the First Wave of AI in the SOC Underperformed
The initial wave of AI SOC tools often shipped as features bolted onto existing security products. **SIEMs** gained AI triage, **EDRs** received AI investigation capabilities, **SOAR** platforms integrated AI playbook generation, and ticketing tools added AI summarization. While each feature was functional in isolation, they lacked shared context.
In practice, this means SOC analysts now contend with multiple AI assistants instead of one cohesive system. The triage agent in the SIEM lacks knowledge of what the detection engineer silenced last week. The threat hunting agent in the EDR is unaware of recent threat intelligence. The summarization agent in the ticketing tool doesn't know the full context of an investigation. Each agent accelerates its specific slice of the workflow, but none address the critical handoffs between these slices, which is where most SOC time and value reside.
SOC operators widely report this phenomenon: individual tasks are faster, but the overall workflow remains fragmented. They describe being asked to learn multiple new agent interfaces while the core problem persists: the SOC still operates as a chain of disconnected stages. AI has accelerated silos without truly connecting them.
The **SOC-CMM 2026 Maturity Report** quantifies this dynamic. The technology domain consistently scores highest in maturity (average 2.7 out of 5), while the process domain (governing handoffs between SOC stages) and the people domain (institutional knowledge and decision-making) both score lower at 2.3. Simply acquiring more tools, including AI ones, doesn't improve these numbers; in some cases, each new tool exacerbates the problem by adding another handoff point.
## What's Different About SOCs Reporting Excellent Value
The 10% of SOCs reporting excellent value from AI aren't necessarily using different point tools; they've implemented AI within a fundamentally different architectural structure. Three key distinctions set them apart from the 71% reporting minimal value:
1. **AI Operating Across the SOC Lifecycle**: These SOCs implement AI that spans the entire lifecycle (threat intelligence, threat hunting, detection, investigation, and remediation), treating them as interconnected stages of a single workflow. When agents share context across all five stages, the SOC's effectiveness compounds. Every closed investigation refines the next detection, every threat hunt result updates the intel cycle, and every remediation informs future playbooks. This connected fabric is crucial for sustained value, contrasting with organizations that merely stack isolated AI features.
2. **AI Grounded in the Dynamic Environment**: Generic AI yields generic investigations. "Normal" varies significantly between a healthcare environment and a fintech one. A detection rule effective in one context might trigger false positives in another, and an investigation path might miss critical nuances without specific environmental knowledge. High-value SOCs utilize AI systems that capture and retain institutional knowledge: critical assets, analyst judgment from past incidents, sanctioned actions, escalation criteria, and the outcomes of previous tickets. Without this grounding, AI in the SOC defaults to internet averages, which are often irrelevant for specific environments.
3. **Governable AI**: The **SOC-CMM 2026 Maturity Report** identifies effective SOC governance as the most challenging area for improvement (39% of respondents). AI governance and SOC governance are inherently linked. The most successful agentic SOCs operate within customer-defined guardrails, provide defensible reasoning traces for every action, and earn autonomy incrementally rather than demanding it upfront. AI in the SOC cannot be a black box. SOCs that have mastered this foster analyst trust, which is essential for granting standing authority to the AI system and achieving significant productivity gains.
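To make the second and third distinctions concrete, here is an added Python example (not code from the report or from any vendor's platform) of a guardrail engine that decides how much authority an agent gets for one proposed remediation step. The policy, action names, asset names and thresholds are constructed for illustration. It caps each sanctioned action at a customer-defined tier, lowers the tier for critical assets, stale investigation context or low confidence, grants full autonomy only after a track record of analyst-approved decisions, and emits a JSON decision record carrying the reasons for every step down.

```python
"""Guardrail evaluation for an agentic SOC remediation step (illustrative, constructed)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from enum import IntEnum


class Autonomy(IntEnum):
    """Standing authority an agent may exercise for one action; higher is more."""
    DENY = 0        # action is not sanctioned at all
    SUGGEST = 1     # agent proposes; an analyst executes by hand
    APPROVE = 2     # agent executes only after an analyst approves this instance
    AUTONOMOUS = 3  # agent executes and records the decision for audit


# Constructed sample guardrails; a real policy is customer-defined per environment.
SAMPLE_POLICY = {
    # Ceiling per sanctioned action; any action absent here is denied outright.
    "sanctioned_actions": {
        "block_ip": Autonomy.AUTONOMOUS,
        "isolate_host": Autonomy.AUTONOMOUS,
        "disable_account": Autonomy.APPROVE,
    },
    # Assets whose blast radius always justifies a human in the loop (hypothetical names).
    "critical_assets": {"dc01", "pay-api-01"},
    "critical_asset_ceiling": Autonomy.APPROVE,
    # Minimum investigation confidence required to hold each tier.
    "min_confidence": {Autonomy.AUTONOMOUS: 0.90, Autonomy.APPROVE: 0.70},
    # Investigation context older than this is treated as stale.
    "max_context_age_s": 1800,
    # Analyst-approved executions of an action before it may run on its own.
    "approvals_to_earn_autonomy": 20,
}


@dataclass
class Decision:
    action: str
    asset: str
    granted: Autonomy
    reasons: list[str] = field(default_factory=list)

    def to_record(self) -> str:
        """Audit-grade decision record: one JSON line per evaluated action."""
        return json.dumps({"action": self.action, "asset": self.asset,
                           "granted": self.granted.name, "reasons": self.reasons})


class GuardrailEngine:
    def __init__(self, policy: dict):
        self.policy = policy
        # Track record per action: how many times an analyst approved the agent's call.
        self.approvals: dict[str, int] = {}

    def evaluate(self, action: str, asset: str, confidence: float,
                 context_age_s: float) -> Decision:
        p = self.policy
        reasons: list[str] = []
        ceiling = p["sanctioned_actions"].get(action, Autonomy.DENY)
        if ceiling == Autonomy.DENY:
            reasons.append(f"{action} is not a sanctioned action")
            return Decision(action, asset, Autonomy.DENY, reasons)
        reasons.append(f"policy ceiling for {action} is {ceiling.name}")

        if asset in p["critical_assets"] and ceiling > p["critical_asset_ceiling"]:
            ceiling = p["critical_asset_ceiling"]
            reasons.append(f"{asset} is a critical asset; capped at {ceiling.name}")

        if context_age_s > p["max_context_age_s"] and ceiling > Autonomy.SUGGEST:
            ceiling = Autonomy.SUGGEST
            reasons.append(f"investigation context is {context_age_s:.0f}s old; stale, suggest only")

        # Step down one tier at a time while confidence is below that tier's bar.
        while ceiling > Autonomy.SUGGEST and confidence < p["min_confidence"][ceiling]:
            reasons.append(f"confidence {confidence:.2f} below "
                           f"{p['min_confidence'][ceiling]:.2f} required for {ceiling.name}")
            ceiling = Autonomy(ceiling - 1)

        # Autonomy is earned: require a track record of analyst-approved decisions first.
        if ceiling == Autonomy.AUTONOMOUS:
            done, need = self.approvals.get(action, 0), p["approvals_to_earn_autonomy"]
            if done < need:
                ceiling = Autonomy.APPROVE
                reasons.append(f"{done}/{need} approved {action} decisions; autonomy not yet earned")

        return Decision(action, asset, ceiling, reasons)

    def record_analyst_outcome(self, decision: Decision, approved: bool) -> None:
        """Feed the analyst's verdict back so the agent's standing authority can grow."""
        if approved and decision.granted == Autonomy.APPROVE:
            self.approvals[decision.action] = self.approvals.get(decision.action, 0) + 1


if __name__ == "__main__":
    engine = GuardrailEngine(SAMPLE_POLICY)
    for args in [("isolate_host", "ws-042", 0.95, 10), ("isolate_host", "dc01", 0.95, 10),
                 ("block_ip", "ws-042", 0.50, 10), ("format_disk", "ws-042", 0.99, 10)]:
        print(engine.evaluate(*args).to_record())
```

The reasons list is the point: an analyst reviewing the record can see exactly which guardrail lowered the tier, and the approval counter is how "earned autonomy" becomes a number rather than a slogan.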
## The Architecture Problem, in Plain Terms
Most enterprises struggling to extract value from AI in the SOC are running point AI solutions within a fragmented architecture. The core issue is that even the most advanced point AI cannot fix a fundamentally broken architecture.
If a SOC's detection engineering team operates in a different tool from its investigation team, AI in either tool will only accelerate that specific team's workflow slice, doing nothing to improve the critical handoff between them. If threat hunters cannot easily test hypotheses using the same telemetry as investigators, AI in either workflow will only advance that workflow in isolation. If remediation playbooks reside in a **SOAR** tool disconnected from investigation agent conclusions, AI remediation will execute based on stale context.
The solution is to connect these stages. Implementing more AI within the same fragmented architecture only compounds the original problem. This connective fabric is the essence of the "second wave" of AI in the SOC. The first wave delivered AI *per stage*; the second wave must deliver AI *across stages*.
## What the Second Wave Must Look Like
The five stages of the SOC must operate as one cohesive, agentic fabric, deeply grounded in the customer's unique environment. Each stage's output has to calibrate the next: closed investigations tune detections, hunt results feed the intelligence cycle, and remediation outcomes update the playbooks that subsequent agents run. Only that feedback loop lets the SOC's capabilities compound rather than merely accumulate.
Practically, a platform built this way would sit atop and integrate with an organization's existing **SIEM**, **EDR**, identity, cloud, ticketing, and threat intelligence stack, rather than replacing them. This connective layer is what enables each stage to inform the next, breaking down operational silos. Where such an architecture is in place, SOCs report sharper, faster investigations; detections that are effectively surfaced and tuned (instead of being silent or noisy); continuous threat hunting; and remediation that operates within defined guardrails, complete with full reasoning traces and audit-grade decision records.
The second wave of AI in the SOC must be architectural, not merely an aggregation of features. The vendors and platforms that grasp and deliver this fundamental shift will lead the industry forward.