TL;DR
Gartner's latest research finds that only 11% of organizations have seen real financial value from AI. Most have improved individual productivity but left the underlying process untouched. Security operations have been caught in this trap longer than most industries. Agentic AI matters here not because it makes analysts faster, but because it changes the architecture of how security work gets done.
Key highlights:
Productivity gains from AI rarely translate to financial returns because the workflow stays broken
Security teams have added AI at every layer for years and the core problem, slow response cycles, hasn't moved
The real lever is process transformation, not individual augmentation
Cyware's Agentic Fabric is built to operate across the threat lifecycle, not on top of it
The adversary isn't waiting for enterprise AI to mature
The Productivity Trap
Gartner's 1Q26 Business Quarterly opens with a number worth sitting with. Only 11% of organizations report seeing actual financial value from their AI investments. The other 89% have seen productivity improvements. People are working faster, producing more, spending less time on routine tasks. None of it is showing up on the balance sheet.
The reason is structural. Most AI deployments make individuals faster at tasks inside workflows that were never redesigned. The handoffs, the wait time, the bottlenecks between steps all remain. Productivity improves on paper while outcomes stay roughly the same. This is a problem security teams have been living with for years.
Why Hasn’t AI Improved Security Outcomes Despite Years of Investment?
Over the past several years, threat intelligence and SOC workflows received AI upgrades at almost every layer. Feeds got enriched faster, alerts came with more context, summarization tools reduced reading time, and platforms got better at flagging what mattered. These were real improvements. Analysts spent less time on the tedious parts of the job.
And yet mean time to respond barely moved. Analyst burnout stayed high. The gap between detecting a threat and containing it, which is where most damage actually happens, remained wide. The reason tracks exactly with what Gartner is now telling the broader market. Adding AI to people inside a broken process does not fix the process.
The volume problem in a modern SOC is not one that faster reading solves. Thousands of indicators, multiple feeds, alerts from tools that don't talk to each other, intelligence that needs to be correlated and validated before it means anything actionable.
Process Change is the Actual Lever
Gartner breaks AI value into three categories. Defend, which means augmenting individuals to maintain parity. Extend, which means transforming existing processes for differentiation. And Upend, which means creating entirely new capabilities. Most enterprise AI spending sits in the defend bucket, where returns are marginal. The organizations seeing real ROI have moved into extended territory, where AI doesn't assist the process but redesigns it.
In security, that redesign looks like threat intelligence that gets triaged and acted on before an analyst opens their queue. It looks like an alert context that is already assembled when a ticket is created, not built manually during investigation. It looks like detection logic generated at the moment new intelligence arrives rather than scheduled for the next sprint.
This is the thinking behind Cyware's Agentic Fabric. The agents in Cyware AI don't sit alongside existing workflows waiting to be invoked. They operate across the threat lifecycle. The Attack Flow Agent reconstructs adversary activity and maps it to MITRE ATT&CK without waiting for an analyst to do it manually. The SOC Analysis Agent handles triage and surfaces context before a human touches an incident. The Detection Engineering Agent writes YARA and Sigma rules on demand, closing the gap between new intelligence and deployed detection from days to minutes.
The distinction between a productivity tool and a process-level intervention matters because only one of them actually changes what a security team can do with the resources they have.
What Happens When Defenders Optimize Slowly but Adversaries Move Fast?
There is a dimension to this conversation that most enterprise AI discussions don't account for. In most industries, being slow to extract value from AI means falling behind competitors. In security, it means extended exposure.
Threat actors are already using AI to move faster, generate attacks at scale, and automate the early stages of a campaign. The pace of adversary activity is not slowing down while defenders work through the productivity versus process debate. A defense architecture built on making individual analysts incrementally faster will not keep pace with that.
Gartner asks where the AI value is. In security, that question has a specific answer. It is the time between a threat entering your environment and it being contained. Every step in that cycle that can run without a human waiting in the middle should run that way. That is what agentic AI makes possible. That is what we are building.
Request a demo to experience the shift from assisted workflows to autonomous security operations.
About the Author
