1 Apr 2026

CrowdStrike, Cisco, and Palo Alto are all selling agentic SOC products now. Autonomous threat detection, automated response, the works. The pitch is compelling, especially if you're running a lean security function and facing pressure to do more with less. But there's a foundational problem none of them have properly solved: these agents don't have a reliable baseline for what 'normal' looks like in your environment.

For consumer credit brokers and lenders, this matters more than the vendors let on. Our systems don't behave like a typical enterprise. Loan origination platforms see genuinely unusual traffic patterns at tax year end, when a big marketing campaign fires, or when a lender API starts throttling. An agentic SOC that flags anomalous behaviour needs to understand that a spike in decisioning calls at 11pm on a Tuesday might be completely legitimate.

The governance gap is the real story here. When an autonomous agent makes a decision, blocks a process, or escalates an incident, who owns that call? In regulated financial services, the FCA expects firms to understand and explain their operational controls. 'The AI decided' is not an answer that survives a Section 166 review.

• Observability tooling for AI agents is still immature, meaning audit trails are patchy
• Behavioural baselines require months of calibration, which vendors tend to gloss over in demos

Firms buying into agentic security right now are essentially running an extended pilot in production. That's a reasonable bet if you go in with eyes open and treat the first year as calibration. The mistake is treating vendor marketing as a capability statement.

The deeper question for technology leaders is whether autonomous security tooling and autonomous lending tooling are creating compounding governance complexity. Two sets of AI agents, operating across the same infrastructure, with limited visibility into how they interact. That's not a future problem. It's arriving now.