Margin of Safety #52: Rethinking Security Post AI
Jimmy Park, Kathryn Shih
April 22, 2026
- Blog Post
The SIEM was built for human eyes. AI removes the human. That should change more than just the query layer.
Cybersecurity operations have always assumed a person in the loop: someone staring at a dashboard, triaging alerts, and deciding what to escalate. The entire architecture of the modern SOC was designed around that person’s attention span, tolerance for noise, and need to retrieve everything from one place. That assumption held long enough to become automatic. It doesn’t hold anymore.
Against attacks operating at machine speed, acting on an alert after it’s been queued and surfaced to a human means acting after the fact. Which raises a question we don’t think the industry has fully confronted: if you remove the human from the first one or two tiers of SOC triage, what’s left of the SIEM’s architectural premise?
We think the answer is: less than most vendors would like to admit.
The human constraint is central to SIEM architecture
SIEMs were historically designed to maximize detection coverage under the key constraint of a finite, cost-effective analyst pool. In such a regime, maximizing coverage means optimizing for what those analysts can realistically process: routing alerts in an easy-to-triage format, calibrating false positive rates to volumes that won’t drown a team, and tuning query performance to human-tolerable latencies[1]. These were all the right engineering decisions given the constraint. However, AI is now changing that exact constraint.
We believe three main technical decisions have been baked into every legacy SIEM to allow the human-centric operationalization of security triage and response. AI simultaneously removes or relaxes all three.
The first is real-time query performance. SIEMs are engineered to support sub-second query response — not because ultra-fast queries catch more threats, but because analysts get frustrated waiting five minutes for an answer. If AI agents handle triage, you can run dozens of queries in parallel at whatever latency the data allows (within some basic bounds). In this world, the latency of any individual investigation or triage decision may increase somewhat, but it can still be fast relative to your realistic response timelines. And total throughput can increase dramatically, so the average time from alert to decision improves; after all, individual query latency matters less than queue depth, and automated triage collapses queue depth. Looking at it through this lens, the premium Splunk charges for real-time query infrastructure is as much a premium for human attention management as for threat detection.
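To make the queue-depth argument concrete, here is an added illustration that is not part of the original post: it models tier-1 triage as an M/M/c queue (Erlang C) and compares one analyst who clears an alert in 2 minutes against 20 parallel agents that each take 10 minutes. The service times, agent count and alert rates are constructed assumptions, chosen only to show how queueing delay, not per-alert latency, dominates once arrivals approach a single analyst's capacity.

```python
"""Queue-depth illustration (constructed example, M/M/c queueing model).

One human analyst (2 min per alert) versus 20 parallel AI agents
(10 min per alert) under the same hourly alert arrival rate.
"""
import math


def erlang_c(arrival_rate: float, service_rate: float, servers: int) -> float:
    """Probability an arriving alert must wait (Erlang C). Rates are per hour.

    Returns 1.0 when the offered load saturates the servers, i.e. the queue
    grows without bound.
    """
    a = arrival_rate / service_rate  # offered load in Erlangs
    if a >= servers:
        return 1.0
    tail = (a ** servers / math.factorial(servers)) * servers / (servers - a)
    head = sum(a ** k / math.factorial(k) for k in range(servers))
    return tail / (head + tail)


def mean_time_in_system_minutes(arrival_rate: float, service_minutes: float,
                                servers: int) -> float:
    """Mean minutes from alert arrival to triage completion; inf if unstable."""
    service_rate = 60.0 / service_minutes  # completions per hour per server
    if arrival_rate >= servers * service_rate:
        return math.inf
    p_wait = erlang_c(arrival_rate, service_rate, servers)
    wait_hours = p_wait / (servers * service_rate - arrival_rate)  # mean queue wait
    return wait_hours * 60.0 + service_minutes


def compare(arrival_rate: float) -> dict:
    """Human tier-1 (1 analyst, 2 min/alert) vs agent tier-1 (20 agents, 10 min/alert)."""
    return {
        "alerts_per_hour": arrival_rate,
        "human_minutes": mean_time_in_system_minutes(arrival_rate, 2.0, 1),
        "agents_minutes": mean_time_in_system_minutes(arrival_rate, 10.0, 20),
    }


if __name__ == "__main__":
    # At low volume the human is faster; near 30 alerts/h the human queue
    # explodes while the agent pool stays close to its 10-minute floor.
    for rate in (10, 25, 29, 35, 100):
        r = compare(rate)
        print(f"{r['alerts_per_hour']:>4} alerts/h: human {r['human_minutes']:8.2f} min"
              f"   agents {r['agents_minutes']:8.2f} min")
```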
The second is rules tuned for human signal-to-noise tolerances. Detection rules in SIEMs aren’t written to maximize absolute coverage. They’re written to maximize coverage while producing an alert volume a human team can process without becoming paralyzed (or requiring more humans than a security team can reasonably staff). If AI handles first-pass investigation, a million false positives a day becomes a compute problem rather than a people problem. That’s a large enough change to alter the dynamics of detection. Rules that were intolerably noisy or broad before potentially become viable once a machine affordably handles initial triage.
The third is the SIEM as the single source of truth and primary interface. Today, SOC analysts live inside the SIEM because it was built for human real-time retrieval: evidence collection, alert context, case management, workflow resolution, all flowing through one interface. If AI is performing the investigation — pulling evidence, correlating signals, writing a summary — it doesn’t need a pre-centralized store. It can query across multiple sources en route and surface results through whatever interface makes sense. The historical linkage between data and UI breaks, and along with it a portion of the SIEM’s monopoly over SOC workflows.
What this means for the market
We’re not arguing the SIEM disappears overnight. Splunk, Microsoft Sentinel, and others have installed bases and workflow integrations that don’t evaporate. But the value proposition shifts. The SIEM becomes a data layer — primarily a log store — while intelligence moves elsewhere.
The incumbents who recognize that the premium they’re charging is for human workflow accommodation, not security outcomes, may have enough runway to adapt. The ones who don’t are maintaining a moat built around constraints that are dissolving.
New entrants building natively for AI-driven triage — architectures that assume machine-speed analysis and tolerate high-volume, low-fidelity signals — have a structural advantage here. Whether they can build fast enough to capture the transition before incumbents adjust is the question we’re watching most closely, alongside whether the offense-defense asymmetry widens in the gap.
If you’re building in this space, we’d like to hear from you.
Feel free to reach out to jpark@forgepointcap.com and kshih@forgepointcap.com.
This blog is also published on Margin of Safety, Jimmy and Kathryn’s Substack, as they research the practical sides of security + AI so you don’t have to.
[1] https://xkcd.com/303/