Automation is changing cybersecurity workflows, not replacing human expertise


AI and automation are changing vulnerability management in organizations not by replacing cybersecurity professionals, but by altering how they detect, prioritize, validate and remediate risks. A newly published study shows that AI is becoming an active participant in cybersecurity routines, influencing decisions and workflows while still depending on human expertise for context, accountability and final judgment.

The study, titled "Rethinking Vulnerability Management: How AI and Automation Reshape Organizational Routines and Supports Adaptive Cybersecurity Systems" and published in Systems, examines how AI-enabled automation interacts with human expertise across the full vulnerability management process, from triage to remediation.

AI enters vulnerability management as pressure on security teams grows

Vulnerability management is a process of identifying, prioritizing and fixing weaknesses in digital infrastructure. However, the study points out that the process is now more complex because organizations face rising threat volumes, expanding digital environments and growing dependence on multiple cybersecurity tools.

The case organization had a vulnerability management process spanning IT and operational technology environments. It used several tools for scanning, endpoint security, operational technology monitoring and directory-related exposures. The process included manual tasks, automated tasks and hybrid tasks requiring both machine output and human validation. This created a rich setting for studying how AI changes cybersecurity routines. The organization was already under pressure from growing vulnerability signals, incomplete asset data, limited remediation capacity and fragmented tool outputs. Security teams had formal procedures for triage, scoring, patching and reporting, but the actual work often required adjustments, overrides and interpretation.

The authors describe this as a gap between formal routines and performed routines. In theory, vulnerability management may look like a linear sequence: identify assets, scan for weaknesses, prioritize risks, assign remediation and confirm closure. In practice, teams must deal with missing asset information, unclear ownership, duplicate findings across tools, patching constraints and business risks linked to downtime.

AI-enabled automation entered this strained environment mainly through scoring, prioritization, dashboards and ticketing support. It helped filter large volumes of vulnerability data and identify higher-risk items. But it did not remove the need for human review. Analysts still had to determine whether a technically severe vulnerability affected a critical business system, whether compensating controls existed, whether patching was feasible and who owned the affected asset.

AI can improve the speed and scale of vulnerability management, but its outputs become actionable only when connected to business context. A vulnerability score alone is not enough, the study insists, adding that it must be interpreted alongside asset criticality, exposure, operational constraints and remediation ownership.

The study's three-phase model explains how AI-enabled routines evolve.

  • Automation is introduced into strained routines.
  • Tensions appear between technology and human expertise, and between usability and the complexity of multi-vendor systems.
  • Organizations gradually stabilize hybrid routines through feedback, analyst calibration, threshold adjustment and updated playbooks.

Human expertise and AI tools now co-perform cybersecurity decisions

The study identifies a major tension between technology and human expertise. Early automation often creates expectations that AI can reduce workload and improve speed, but the research shows that AI cannot fully judge vulnerability risk without human context.

AI systems can score vulnerabilities, flag exploitability and support prioritization. But cybersecurity professionals must still decide whether the recommendation makes sense in a specific operational environment. A tool may classify a vulnerability as urgent because of its severity, but analysts must assess whether the affected system is exposed, business-critical, already protected by other controls or safe to patch immediately.

This results in what the authors call a hybrid routine. Decisions are neither fully automated nor fully manual. AI handles parts of the process by sorting, scoring and surfacing patterns. Humans validate, contextualize, challenge and refine those outputs.

The study also shows that accountability remains human and organizational. If an AI tool recommends delaying remediation or assigning a lower priority, responsibility cannot be transferred to the system. Teams still need to document the rationale, accept or reject the recommendation and remain accountable for the final decision.

As organizations expand AI use in cybersecurity, the study suggests that AI does not eliminate expertise. It changes the type of expertise needed. Analysts increasingly become supervisors, interpreters and calibrators of AI-supported routines. They must understand how AI scores are generated, when to override them, how to spot false positives and how to feed corrections back into the system.

The authors also find that human judgment becomes essential when AI outputs conflict with operational reality. For example, a dashboard may indicate that a vulnerability has been remediated because a patch was deployed. But the vulnerability may still appear in a later scan if the patch failed, the system was not restarted or a different tool used another detection method. Analysts must then verify whether the technical state of the asset matches the automated report.

The study calls this co-performance. AI does not merely support the routine from the outside. It helps enact the routine by influencing prioritization, coordination and feedback, but it remains dependent on human correction and organizational governance.

Over time, this interaction can become more stable. Analysts learn how to use AI outputs, tools are adjusted based on analyst feedback, and formal procedures begin to reflect new human-AI roles. The study shows that successful AI integration depends on this recursive learning process rather than on one-time tool deployment.

Multi-vendor complexity can weaken automation unless routines adapt

The second major tension concerns usability and complexity. Many organizations use multiple cybersecurity platforms across servers, endpoints, operational technology, cloud services and identity systems. Each tool may produce useful data, but together they can create fragmentation.

The study finds that multi-vendor vulnerability management ecosystems can disrupt routine coherence. Different tools and vendors operate on different schedules, produce different outputs and use different detection logic. Vulnerability counts may rise or fall not only because actual risk changes, but because scanning, reporting and patching cycles differ across systems. This creates practical problems for cybersecurity teams. Analysts may need to compare findings from several tools to determine whether a vulnerability is duplicated, already remediated or assigned to the right owner. Without a central correlation mechanism, teams must manually reconcile outputs and decide which source should guide action.

Asset ownership is another bottleneck. A vulnerability may remain unresolved not because no patch exists, but because no team clearly owns the affected asset. In that case, the challenge is not only technical. It is organizational. Remediation requires ownership, approval, coordination and escalation.

Usability gaps also limit the value of AI-enabled tools. Dashboards may present vulnerability counts, risk scores and remediation status, but still fail to show why a finding matters to a specific business process. Analysts then export data, contact asset owners, compare reports and reconstruct missing context outside the tool.

The study sees these workarounds as routine adaptations. Analysts change how they work in order to keep cybersecurity operations functioning despite fragmented systems. They may reintroduce manual validation, maintain duplicate tracking or adjust workflows to compensate for tool limitations.

The study also shows that full automation is rarely realistic at the start. Incremental automation may be more effective. Organizations can first automate specific segments, such as deduplication, enrichment, ticket routing or reporting, while keeping human review for ambiguous risk decisions. Even partial automation can create value if it reduces repetitive work without removing accountability.

In the final phase of the model, hybrid routines stabilize through repeated feedback. Analysts adjust AI-generated priorities, flag false positives, refine thresholds and update procedures. Over time, repeated practices can be formalized into playbooks that define when AI recommendations can be accepted, when human review is required and when issues must be escalated.
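
The hybrid routine described above can be sketched as a small triage pass. This is an added example, not code from the study or the case organization: the tool names, asset records, placeholder CVE ids, score adjustments and the review threshold are all constructed assumptions. It deduplicates findings across tools, adjusts the tool score with asset context, flags findings that reappear after a reported remediation, and routes each item to automatic ticketing, analyst review or escalation.

```python
from collections import defaultdict

# Constructed sample data: hypothetical tools, assets and placeholder CVE ids.
FINDINGS = [
    {"tool": "net_scanner", "asset": "erp-db01", "cve": "CVE-0000-0001", "score": 9.8, "seen": "2025-01-10"},
    {"tool": "endpoint",    "asset": "erp-db01", "cve": "CVE-0000-0001", "score": 9.1, "seen": "2025-01-12"},
    {"tool": "ot_monitor",  "asset": "plc-07",   "cve": "CVE-0000-0002", "score": 7.5, "seen": "2025-01-11"},
    {"tool": "net_scanner", "asset": "kiosk-03", "cve": "CVE-0000-0003", "score": 9.0, "seen": "2025-01-09"},
    {"tool": "net_scanner", "asset": "web-02",   "cve": "CVE-0000-0004", "score": 6.5, "seen": "2025-01-12"},
]
ASSETS = {
    "erp-db01": {"owner": "dba-team", "critical": True,  "exposed": False, "compensating": False},
    "plc-07":   {"owner": None,       "critical": True,  "exposed": False, "compensating": True},
    "kiosk-03": {"owner": "it-ops",   "critical": False, "exposed": False, "compensating": True},
    "web-02":   {"owner": "web-team", "critical": False, "exposed": True,  "compensating": False},
}
# Tickets the dashboard reports as remediated: (asset, cve) -> patch deployment date.
CLOSED = {("erp-db01", "CVE-0000-0001"): "2025-01-11"}

def correlate(findings):
    """Merge duplicate findings across tools into one record per (asset, CVE)."""
    merged = defaultdict(lambda: {"tools": set(), "score": 0.0, "last_seen": ""})
    for f in findings:
        rec = merged[(f["asset"], f["cve"])]
        rec["tools"].add(f["tool"])
        rec["score"] = max(rec["score"], f["score"])
        rec["last_seen"] = max(rec["last_seen"], f["seen"])  # ISO dates sort as strings
    return dict(merged)

def triage(findings=FINDINGS, assets=ASSETS, closed=CLOSED, review_at=7.0):
    """Return {(asset, cve): (route, reasons, adjusted_score)} under assumed playbook rules."""
    out = {}
    for key, rec in correlate(findings).items():
        ctx = assets.get(key[0], {})  # unknown asset: no context, so no owner
        # Assumed adjustment: exposure raises the tool score, compensating controls lower it.
        adj = rec["score"] + (1.0 if ctx.get("exposed") else 0.0) - (2.0 if ctx.get("compensating") else 0.0)
        reasons = []
        if not ctx.get("owner"):
            reasons.append("no asset owner")
        if key in closed and rec["last_seen"] > closed[key]:
            reasons.append("detected after reported remediation")
        if ctx.get("critical") and adj >= review_at:
            reasons.append("critical asset, analyst must confirm patch window")
        route = "escalate" if not ctx.get("owner") else "human_review" if reasons else "auto_ticket"
        out[key] = (route, reasons, round(adj, 1))
    return out
```

The recorded reasons double as the documented rationale for each routing decision, and analyst overrides would feed back into `review_at` and the adjustment weights.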

FIRST PUBLISHED IN: Devdiscourse
