Artificial intelligence is changing how cybersecurity teams work, with security professionals spending more time validating AI-generated recommendations and deciding when to trust AI outputs, according to new research from ISC2.
The ISC2 survey of 856 cybersecurity professionals found that 65% spent more time deciding when to trust or act on AI-generated recommendations during the past year, while 63% reported spending more time reviewing or validating AI outputs. The study also found that AI-related mistakes remain common. Nearly nine in 10 respondents (89%) said they have experienced AI recommendations that led to incorrect outcomes, and 50% said human decision-makers are ultimately held accountable when those mistakes occur.
“AI is not replacing cybersecurity professionals; it is changing what the profession requires of them,” ISC2 CEO Scott Beale said in a statement. “As AI takes on more repetitive tasks, cybersecurity roles are shifting toward higher-value work, from asking the right questions to validating findings, interpreting outputs, and applying human judgment.”
The ISC2 survey also revealed that:
Many cybersecurity professionals are expected to act on AI-generated outputs without fully understanding how those outputs were produced, ISC2 found. Nearly a quarter of respondents (24%) said they are often or very often expected to act on AI-generated outputs without fully understanding how those outputs were produced. Still, respondents emphasized the importance of governance and oversight. About 80% said governance frameworks, understanding when to trust AI outputs, and knowing when to override recommendations are critical for effective AI use.
Views on AI’s effect on cybersecurity careers are mixed: More than half of respondents (56%) said AI has reduced the need for entry-level positions, but 53% said AI is creating new types of entry-level roles. Nearly half (48%) said AI has made them more optimistic about their long-term cybersecurity careers.
Despite increased AI adoption, respondents said foundational cybersecurity skills remain important. Nearly two-thirds (62%) said AI has not reduced the need for core cybersecurity skills. Respondents also cited determining when to trust AI outputs (82%), understanding when to override recommendations (80%), and establishing governance frameworks (80%) as critical factors for effective AI use.
“This evolution is not limited to entry-level roles. It changes how work is distributed across security teams, making continued investment in governance, validation practices, mentoring, and skills development essential at every level,” Beale said.