Enterprise security has become one of AI's most aggressive marketing frontiers. Every vendor has an AI story. Threat intelligence, anomaly detection, behavioral analysis, automated response. The slide decks are sophisticated, the demos are compelling, and the adoption metrics are frequently not what they seem.
After building security intelligence systems and spending time with the practitioners who actually evaluate and operate them, here's an honest picture of where AI adds real value in enterprise security and where it's theater.
What's genuinely working
Threat intelligence normalization at scale. The most unglamorous and most valuable AI application in security is taking threat data from dozens of sources (government advisories, commercial feeds, ISAC sharing, internal telemetry) and normalizing it into a searchable, queryable format.
This is not a flashy application and it doesn't appear in demo videos. It produces real operational value because the alternative (analysts manually checking sources, reconciling conflicting reports, and maintaining awareness across feeds) doesn't scale.
AI-powered normalization that can ingest a UK FCDO travel advisory, an ACLED conflict event record, an OFAC sanctions update, and a CISA Known Exploited Vulnerability entry, and represent them all in a common schema with entity resolution and source attribution, is genuinely useful work that would otherwise require a team of analysts.
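As an added example (not code from the original post or from any vendor product), a small normalizer in the shape described above: one adapter per feed, a common schema, and entity resolution that merges duplicate records while keeping every source's attribution. The KEV field names follow the public KEV JSON; the vendor-feed and OFAC field names, the CVE id and all sample records are constructed for the example.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

@dataclass
class Indicator:
    kind: str        # "vulnerability" or "sanctioned_entity"
    key: str         # canonical identifier used for entity resolution
    summary: str
    first_seen: str  # ISO-8601 UTC, earliest date any source reported it
    sources: list = field(default_factory=list)  # attribution is never dropped

def _iso_utc(ts: str) -> str:  # feeds disagree on formats; pin to UTC ISO-8601
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:  # assumption: naive feed dates are UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat()

# One adapter per feed keeps feed-specific quirks out of the common model.
def from_kev(rec: dict) -> Indicator:  # field names as in the public KEV JSON
    return Indicator("vulnerability", rec["cveID"].upper(), rec["vulnerabilityName"],
                     _iso_utc(rec["dateAdded"]), ["cisa_kev"])

def from_vendor_feed(rec: dict) -> Indicator:  # hypothetical commercial feed layout
    return Indicator("vulnerability", rec["cve"].strip().upper(), rec["title"],
                     _iso_utc(rec["seen"]), [rec["feed"]])

def from_ofac(rec: dict) -> Indicator:  # hypothetical field names
    key = " ".join(rec["name"].lower().split())  # casing/whitespace variants merge
    return Indicator("sanctioned_entity", key, f"{rec['program']} listing",
                     _iso_utc(rec["published"]), ["ofac"])

def normalize(indicators: list) -> dict:
    """Entity resolution: records sharing (kind, key) collapse into one entry,
    keeping the earliest first_seen and the union of their sources."""
    merged = {}
    for ind in indicators:
        k = (ind.kind, ind.key)
        if k in merged:
            cur = merged[k]
            cur.sources = sorted(set(cur.sources) | set(ind.sources))
            cur.first_seen = min(cur.first_seen, ind.first_seen)
        else:
            merged[k] = Indicator(**asdict(ind))  # copy; never mutate the input
    return {f"{kind}:{key}": asdict(v) for (kind, key), v in merged.items()}

# Constructed sample records (not real feed data); the CVE id is a placeholder.
SAMPLE = [
    from_kev({"cveID": "CVE-0000-00001", "vulnerabilityName": "Example RCE", "dateAdded": "2024-01-05"}),
    from_vendor_feed({"cve": " cve-0000-00001 ", "title": "Example RCE",
                      "seen": "2024-01-02T10:00:00+02:00", "feed": "vendor_feed"}),
    from_ofac({"name": "  Example  Holdings ", "program": "EXAMPLE-PROG", "published": "2024-01-03"}),
]
```

Running `normalize(SAMPLE)` collapses the two differently-cased CVE records into one entry attributed to both feeds, with the earlier (vendor) sighting as `first_seen`.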
Volume reduction on SIEM alerts. Security information and event management (SIEM) systems produce enormous alert volumes. In environments without AI triage, analysts review alerts by hand, and a significant percentage are false positives: correct detections of benign behavior that merely looks suspicious.
AI-powered alert triage that learns the baseline of normal behavior for a specific environment and reduces the false positive rate significantly is one of the highest-ROI applications in production security. The key phrase is "learns the baseline of a specific environment." A model trained on generic enterprise behavior performs worse than one calibrated to the organization's actual patterns.
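An added illustration of why the environment-specific baseline matters (example code, not from the original post): a generic off-hours rule, standing in for a model trained on other organizations' behavior, is compared against a per-user baseline built from this environment's own login history. The history, the new alerts and the 2% rarity floor are constructed assumptions.

```python
from collections import Counter

# Constructed login history for one environment: user -> hour-of-day of each
# login over a 30-day training window (condensed to a repeating pattern).
HISTORY = {
    "ops-oncall": [23, 0, 1, 2] * 30,               # this org's on-call works nights
    "finance-clerk": [9, 10, 11, 14, 15, 16] * 30,  # ordinary business hours
}

# Stand-in for a model trained on generic enterprise behavior: logins between
# 22:00 and 06:00 are suspicious, regardless of who is logging in.
GENERIC_OFF_HOURS = set(range(0, 6)) | {22, 23}

def generic_rule(user: str, hour: int) -> bool:
    return hour in GENERIC_OFF_HOURS

def build_baseline(history: dict) -> dict:
    """Per-user share of logins in each hour: this environment's own 'normal'."""
    baseline = {}
    for user, hours in history.items():
        counts, total = Counter(hours), len(hours)
        baseline[user] = {h: counts[h] / total for h in range(24)}
    return baseline

def calibrated_rule(baseline: dict, user: str, hour: int, floor: float = 0.02) -> bool:
    """Escalate only when this hour is rare for this user. An unseen user has
    no baseline, so everything they do is escalated until one exists."""
    return baseline.get(user, {}).get(hour, 0.0) < floor

# Constructed new alerts for the triage comparison.
NEW_ALERTS = [("ops-oncall", 23), ("ops-oncall", 1), ("ops-oncall", 13),
              ("finance-clerk", 10), ("finance-clerk", 3), ("contractor-x", 2)]

def triage(alerts: list, baseline: dict) -> dict:
    """Which alerts each approach would escalate to an analyst."""
    return {"generic": [a for a in alerts if generic_rule(*a)],
            "calibrated": [a for a in alerts if calibrated_rule(baseline, *a)]}

if __name__ == "__main__":
    # The generic rule escalates the on-call engineer's routine night logins and
    # misses their unusual 13:00 login; the calibrated baseline does the reverse.
    for approach, escalated in triage(NEW_ALERTS, build_baseline(HISTORY)).items():
        print(approach, escalated)
```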
OSINT at investigation scale. When a security investigation requires understanding what's publicly known about a person, an organization, or an infrastructure target, AI dramatically accelerates the synthesis phase. A threat analyst can brief themselves on a subject using AI-assisted OSINT synthesis in 30 minutes rather than 4 hours, with better coverage across more sources.
The value is in the acceleration, not the automation. The AI synthesis surfaces information; the analyst validates, contextualizes, and draws conclusions. This division is what makes the application work: AI processes volume, humans exercise judgment.
Executive exposure monitoring. Continuous monitoring of what's publicly accessible about senior executives (breach databases, data aggregator sites, property records, social media) enables proactive exposure management rather than reactive incident response. AI makes this monitoring continuous rather than point-in-time.
The monitoring doesn't eliminate exposure. It shortens the time between when exposure appears and when someone notices, which reduces the window during which a threat actor can act on it before the organization does.
What doesn't work as advertised
Predictive threat detection. The claim that AI can predict security incidents before they occur is almost always marketing for pattern recognition applied to historical data. Pattern recognition on historical data is valuable; it's effectively what anomaly detection does. It is not prediction in the meaningful sense of forecasting novel threat activity.
The practical limitation: sophisticated threat actors specifically adapt to avoid the patterns that detection systems learn from. Static models get outpaced by adaptive adversaries. The useful frame is not "AI predicts threats" but "AI identifies deviations from baseline that warrant investigation."
Autonomous response. AI systems that automatically respond to detected threats (isolating systems, blocking traffic, revoking access) create more false positive incidents in most environments than they prevent. The cost of an incorrectly automated response (taking down a production system, blocking a legitimate user, revoking an executive's access mid-meeting) is typically higher than the cost of a few minutes of analyst review time.
The organizations running autonomous response effectively have specific, narrow-scope automation in high-confidence detection categories where the cost of false positives is low and the speed advantage is material. They are not running broad autonomous response.
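The narrow-scope pattern above, as an added example that is not part of the original post: a gate that automates only allowlisted, cheaply reversible actions at high confidence, never on protected assets, and with a rate guard so a faulty detector cannot act fleet-wide before a human looks. The categories, thresholds, asset tiers and detections are constructed assumptions, not a standard.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Detection:
    category: str
    confidence: float  # detector's own score in [0, 1]
    asset: str
    asset_tier: str    # e.g. "workstation", "production_critical"
    ts: float          # epoch seconds

# The narrow scope: only categories where a wrong action is cheap to reverse,
# each with its own confidence bar and one reversible action (assumed values).
AUTO_POLICY = {
    "known_malware_hash":  (0.95, "quarantine_file"),
    "commodity_c2_domain": (0.98, "block_egress_domain"),
}
PROTECTED_TIERS = {"production_critical", "executive_endpoint"}  # humans decide

class ResponseGate:
    """Per detection: act automatically or queue for an analyst, with a reason."""
    def __init__(self, max_actions: int = 5, window_s: int = 600):
        self.max_actions, self.window_s = max_actions, window_s
        self._recent = deque()  # timestamps of automated actions in the window

    def decide(self, d: Detection) -> tuple:
        policy = AUTO_POLICY.get(d.category)
        if policy is None:
            return ("analyst_queue", "category outside narrow-scope allowlist")
        min_conf, action = policy
        if d.confidence < min_conf:
            return ("analyst_queue", f"confidence {d.confidence:.2f} < {min_conf:.2f}")
        if d.asset_tier in PROTECTED_TIERS:
            return ("analyst_queue", f"{d.asset_tier} asset requires human review")
        # Runaway guard: a bad model update or a noisy feed must not be able to
        # quarantine the whole fleet before anyone looks.
        while self._recent and d.ts - self._recent[0] > self.window_s:
            self._recent.popleft()
        if len(self._recent) >= self.max_actions:
            return ("analyst_queue", "automation rate limit reached")
        self._recent.append(d.ts)
        return (action, "automated")

# Constructed detections exercising each branch of the gate.
SAMPLE = [
    Detection("known_malware_hash", 0.99, "ws-17", "workstation", 1000.0),
    Detection("known_malware_hash", 0.80, "ws-18", "workstation", 1001.0),
    Detection("lateral_movement", 0.99, "ws-19", "workstation", 1002.0),
    Detection("commodity_c2_domain", 0.99, "db-01", "production_critical", 1003.0),
]
```

Only the first sample detection is acted on automatically; the other three go to an analyst with the reason recorded, which is also what an audit of the automation should show.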
AI-generated incident reports for legal and regulatory purposes. Incident documentation that will be used in insurance claims, regulatory notifications, or legal proceedings requires precise, verifiable claims with documented evidentiary basis. AI-generated narrative performs poorly here not because it produces inaccurate statements but because the evidentiary basis for each claim needs to be traceable in ways that AI generation doesn't guarantee.
The application that works: AI assists in drafting narrative from verified evidence, then human review ensures every factual claim has a documented source. This is a productivity tool for human drafters, not a replacement for human accountability for the document.
The confidence problem in security AI
The most significant systemic issue with AI in security: AI models express confidence that doesn't reflect actual reliability.
A risk score of 73 looks more precise than "elevated risk with significant uncertainty." A threat brief that reads smoothly looks more reliable than a caveat-laden summary that accurately reflects source limitations. The visual language of AI output communicates confidence that the underlying evidence may not support.
Security decisions made on overconfident AI outputs produce worse outcomes than decisions made on uncertain-but-honest human analysis. The UI design problem (how to display AI output in a way that accurately represents its reliability) is one of the most consequential unsolved problems in security AI product design.
The systems that handle this best show source confidence, source recency, and missing sources directly on the primary decision surface. Not in a technical drawer that analysts open when something seems wrong, but next to the score, every time.
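An added example of putting confidence, recency and gaps on the primary surface (not code from the original post or from PurviewX): a weighted score is returned only together with its coverage-adjusted confidence, the age of its oldest evidence, the sources that are missing, and a range that widens as evidence thins. The expected-source list, the widening rule and the readings are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SourceReading:
    name: str
    score: float       # this source's risk estimate, 0-100
    confidence: float  # how reliable this source is, 0-1
    age_days: int      # age of the underlying evidence

# Sources an assessment is supposed to draw on (assumed list for the example).
EXPECTED_SOURCES = ("breach_db", "aggregator_scan", "social_media", "internal_telemetry")

def assess(readings: list, stale_after_days: int = 30) -> dict:
    """Build the primary decision surface: the score never travels without its
    confidence, recency and gaps. The interval-widening rule is an illustrative
    assumption, not a calibrated model."""
    missing = sorted(set(EXPECTED_SOURCES) - {r.name for r in readings})
    if not readings:
        return {"score": None, "range": None, "confidence": 0.0, "oldest_days": None,
                "missing": missing, "stale": [], "headline": "no evidence: no score shown"}
    weight = sum(r.confidence for r in readings)
    score = sum(r.score * r.confidence for r in readings) / weight
    confidence = weight / len(EXPECTED_SOURCES)  # coverage-adjusted, 0-1
    oldest = max(r.age_days for r in readings)
    stale = [r.name for r in readings if r.age_days > stale_after_days]
    # Uncertainty widens the displayed range instead of hiding behind a point value.
    half = 5 + 10 * len(missing) + 5 * len(stale)
    lo, hi = max(0, round(score - half)), min(100, round(score + half))
    headline = (f"risk {round(score)} (range {lo}-{hi}), confidence {confidence:.2f}, "
                f"oldest evidence {oldest}d, missing: {', '.join(missing) or 'none'}")
    return {"score": round(score), "range": (lo, hi), "confidence": confidence,
            "oldest_days": oldest, "missing": missing, "stale": stale, "headline": headline}

# Constructed readings: two of four expected sources present, one of them stale.
SAMPLE = [SourceReading("breach_db", 80.0, 0.9, 45),
          SourceReading("aggregator_scan", 60.0, 0.6, 3)]

if __name__ == "__main__":
    print(assess(SAMPLE)["headline"])  # the point score 72 arrives with its caveats
```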
The people problem
AI in security is ultimately a people problem more than a technology problem. The technology is available and capable. The challenge is deploying it in ways that make analysts more effective rather than more confused.
Security analysts who trust AI systems uncritically become slower at judgment and worse at the edge cases where AI performs poorly. Security analysts who treat AI as a processing tool for volume while maintaining their own judgment make better decisions than either humans alone or AI alone.
Building the right relationship between human analysts and AI tools, where AI handles the volume work and humans handle the judgment work, is an organizational design problem, not a technology problem.
Organizations that solve the organizational design problem get the value. The ones that implement the technology without addressing the design problem get a system that runs and doesn't change outcomes.
PurviewX builds security intelligence systems designed around how analysts actually make decisions. Start a conversation.