Governed Autonomy

Security Operations (SOAR)

Human-in-the-Loop at Scale.

AI routes, humans approve critical, all logged.

This demo is about letting AI act, but only within hard governance limits.

The Problem

  • Security teams drown in alerts — 95% are noise.
  • The 5% that matter need immediate action; manual triage takes hours.
  • Attackers move in minutes.
  • Full auto-block locks out legitimate customers and partners on false positives.
  • Full manual is too slow — and burns out the SOC.

Why It Matters

  • AI handles the noise; humans approve the consequential.
  • Time-to-resolution drops from hours to under one second on routine alerts.
  • High-impact actions still require human judgment — no autonomous blocking.
  • Complete audit trail: every decision, every approval, regulator-ready.
  • Same architecture extends to any operational domain with high-consequence actions.

The Pattern

Alert → Classify → Route → Escalate → Log. This is the exception-handling primitive that generalizes across operational domains. The same pattern shows up in Refund Management (financial events) and IT Ops Auto-Remediation (infrastructure events).

How It Works

  1. Alert ingested from any monitoring source.
  2. AI classifies severity (P1 / P2 / P3) and enriches with threat intelligence.
  3. P3: Auto-logged in under one second.
  4. P2: Auto-ticketed with a 4-hour SLA.
  5. P1: System pauses for human approval before any blocking action.
  6. Every input, decision, and approval logged for audit.

Stack: n8n workflow orchestration + your alerting stack + structured audit log.
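The routing and approval gate from the steps above, as an added JavaScript example (not code from this page and not an n8n workflow export). `createRouter`, `route`, `approve`, the `block_ip` action and the sample alerts are hypothetical; sending unclassifiable alerts to human review is an assumption of this sketch.

```javascript
// Added example. createRouter, route and approve are hypothetical names, not n8n APIs.
const P2_SLA_HOURS = 4; // from the page: P2 is auto-ticketed with a 4-hour SLA

function createRouter() {
  const auditLog = [];       // stand-in for the structured audit log
  const pending = new Map(); // P1 actions paused for a human decision
  const audit = (event, data) => auditLog.push(Object.freeze(
    { seq: auditLog.length + 1, ts: new Date().toISOString(), event, ...data }));

  function route(alert, severity) {
    audit('input', { alertId: alert.id, source: alert.source, severity });
    let decision;
    if (severity === 'P3') decision = { action: 'log_only' };
    else if (severity === 'P2') decision = { action: 'open_ticket', slaHours: P2_SLA_HOURS };
    else if (severity === 'P1') decision = { action: 'await_approval', proposed: alert.proposedAction };
    // Assumption: unknown classifier output fails closed to human review, nothing runs.
    else decision = { action: 'await_approval', proposed: null, reason: 'unclassified' };
    if (decision.action === 'await_approval') pending.set(alert.id, decision);
    audit('decision', { alertId: alert.id, ...decision });
    return decision;
  }

  function approve(alertId, approver, approved) {
    const item = pending.get(alertId);
    if (!item) throw new Error(`no pending approval for ${alertId}`);
    if (!approver) throw new Error('approver identity is required');
    pending.delete(alertId); // one decision per paused action, no replay
    const executed = approved && item.proposed ? item.proposed : null;
    audit('approval', { alertId, approver, approved, executed });
    return executed; // the caller performs the blocking action only if non-null
  }
  return { route, approve, auditLog };
}

// Constructed sample alerts, not real data.
const demo = createRouter();
demo.route({ id: 'a1', source: 'ids', proposedAction: 'block_ip' }, 'P1');
demo.route({ id: 'a2', source: 'waf' }, 'P2');
demo.route({ id: 'a3', source: 'edr' }, 'P3');
demo.route({ id: 'a4', source: 'siem', proposedAction: 'block_ip' }, 'urgent');
demo.approve('a1', 'analyst@example.org', true);
console.log(demo.auditLog.map((e) => JSON.stringify(e)).join('\n'));
```

The audit log records the input, the routing decision and the named approver as separate entries, so a reviewer can tell who authorized a block and what the classifier said at the time.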

[Diagram: Alert → AI Classify / Score → Decision → (P1: Human Approve | P2: Auto Execute | P3: Auto Log) → Audit Log]

One pattern, multiple domains. The same diagram appears on Refund Management and IT Ops Auto-Remediation with different input labels — that's the point.

Reference

Vodafone runs 33 workflows on this pattern, processing 3–5 billion security events per month. Reported savings: £2.2M and 5,000+ person-days automated. We did not build the Vodafone deployment — we cite it as a public reference for the architecture.

This pattern is one slice of our Enterprise AI Operating Model.