Governing AI-Assisted Security Operations: A Design Science Framework for Operational Decision Support

TL;DR

This paper proposes a governance framework for AI-assisted security operations, emphasizing management practices, risk mitigation, and accountability in deploying AI tools within high-risk environments like SOCs.

Contribution

It introduces a design science framework for governing AI-assisted operational decision support, focusing on management, accountability, and risk control rather than new technical algorithms.

Findings

Develops a governed AI query-broker artifact for security operations.

Identifies risks associated with AI-assisted queries in security contexts.

Provides a management framework with design propositions, accountability roles, and evaluation criteria.

Abstract

Engineering managers increasingly must decide how to introduce generative artificial intelligence (AI), retrieval-augmented generation, and coding agents into high-risk operational functions without weakening accountability, privacy, cost discipline, or auditability. The central message of this study is that AI-assisted operational decision support should be managed as a governed engineering capability before it is scaled as automation. Security operations centers (SOCs) provide a suitable setting because they combine privileged telemetry, specialist expertise, software repositories, cloud services, and evidence-sensitive decisions. This study uses Kusto Query Language (KQL) and Microsoft Azure security capabilities as a bounded technical instantiation of that broader engineering management problem. KQL is read-only in ordinary query use, but read-only does not mean risk-free: AI-assisted queries can still create privacy, cost, performance, schema-validity, and decision-quality risks through broad scans, sensitive-field exposure, stale intelligence, and misleading interpretations. Using design science research, the study develops a governed AI query-broker artifact that separates AI planning from operational execution through schema-grounded retrieval, approved templates, policy validation, read-only adapters, normalized outputs, auditable agent traces, and engineering review board gates. The contribution is not a new KQL technique, security product, or detection algorithm. Rather, the study contributes a management framework for governing AI-assisted operational decision support in high-risk digital infrastructure by specifying design propositions, role accountability, maturity stages, quality gates, evaluation criteria, and evidence boundaries.