Anwer Gertani

Series · 7 parts

Building Security Operations That AI Can Run

Most AI security programmes fail before they start. They layer AI onto undefined, undocumented processes and wonder why the results are worse than before. This series argues for a different sequence: decision-first, trust built by evidence, authority earned progressively. Seven posts. One argument.

By Anwer Gertani · April — May 2026

  1. 01

    May 17, 2026

    Start With Decisions, Not Data

    The right question is not what should I collect. It is what decisions does my security operation make every day — and which twenty are killing my team.

  2. 02

    May 10, 2026

    Why AI Security Programmes Fail Before They Start

    The most common AI security failure mode: applying AI to processes that were never defined, documented, or cleaned up. You do not automate chaos. You accelerate it.

  3. 03

    May 3, 2026

    Define Your Operations Before You Instrument Them

    SOC, IR, and Threat Intel are not three separate teams. They are one interconnected decision system. Map it as such, or your AI programme will optimise the parts while breaking the whole.

  4. 04

    April 26, 2026

    AI as Second Opinion: Building the Trust Record

    Do not start with AI making decisions. Start with AI making recommendations alongside the decisions your analysts are already making. Trust is earned by evidence, not declared by procurement.

  5. 05

    April 19, 2026

    SOC, IR, and Threat Intel: Three Different Paths to AI Maturity

    SOC automation is already mature in most enterprise environments. Threat Intel AI augmentation is deployable today. IR autonomy is furthest away. Forcing all three to move in lockstep is a mistake.

  6. 06

    April 12, 2026

    Policy Autonomy: The Right End State (And Why You're Framing It Wrong)

    "AI as decision maker" creates maximum board resistance. "AI executing human-defined policy at machine speed" gets CISO sign-off. The difference in framing is everything. The difference in practice is almost nothing.

  7. 07

    April 5, 2026

    The Policy-Driven Security Operation: What It Looks Like When You've Arrived

    The operations centre becomes a policy centre. Analysts become policy authors. The CISO becomes a policy architect. AI runs the operation. Humans make it better.
