Why IAM should be the starting point for AI-driven cybersecurity - Help Net Security

The AI Report
Daily AI, ML, LLM and agents news
In this Help Net Security interview, Benny Porat, CEO at Twine Security, discusses applying AI agents to security decisions. He explains why identity and access management (IAM) is the ideal starting point for both augmentation and automation, and shares advice on building trust in AI agents and integrating them into existing workflows.
Why IAM is the Starting Point for AI in Cybersecurity
Identity and Access Management (IAM) is highlighted as the optimal starting point for integrating AI into cybersecurity, because identity is a critical attack surface.
Organizations should begin with AI augmentation in IAM for high-volume, low-complexity tasks (like identity hygiene or account verification) before moving to full automation. This gradual build-up helps establish trust and allows the AI agent to learn specific organizational needs.
Restructuring Security Teams for AI Integration
Integrating AI agents into security teams will likely follow a pattern seen with other emerging domains like cloud security. Initially, new specialized teams focused on AI expertise may form. Over time, these capabilities will consolidate, augmenting existing roles and requiring all security professionals to gain proficiency in supervising and interacting with AI agents.
Auditing AI-Driven Decisions
AI-driven security decisions should be even more auditable than human ones. AI agents inherently create complete, immutable audit trails detailing every decision point, data input, logical step, and action taken. Technical requirements include comprehensive logging, explainable AI frameworks, immutable audit logs, and decision provenance tracking.
Metrics for Human-AI Team Performance
To assess the performance and ROI of human-AI teams, start with a project you planned to do anyway. Define clear metrics like time saved, resources used, and desired quality. By comparing the outcome of the AI-assisted process to the expected human-only outcome, you can measure the significant time, resource, and cost savings, while also assessing the quality achieved by the AI agent.
Integrating AI into SIEM, SOAR, and EDR
Integrating AI into high-volume SOC workflows like SIEM, SOAR, and EDR without causing alert fatigue is challenging. Because the quality of fully automated decisions is difficult to verify in such high-volume scenarios, it's suggested that organizations start with less risky domains like IAM first.
For SOC workflows, a better initial approach is to use agentic AI to enrich the context of existing alerts and provide actionable suggestions, rather than immediately automating response actions.
