A LinkedIn post crossed my feed this week arguing that AI won't sort people by intelligence anymore. It will sort them by willingness to do sustained mental work. The people who thrive will be the ones who treat AI as a sparring partner instead of a replacement, what the author calls "mental marathoners."

That's a good insight sitting in the wrong altitude. It's true, but it's abstract. Security leaders don't need another argument that judgment matters. We need to know exactly where the judgment has to happen and where it doesn't.

A second piece, this one from Disaster Recovery Journal, answers that question with more precision than most AI governance writing manages. It's about incident management, not physical security. But the line it draws is the same line every security leader is being asked to draw right now, just with better resolution.

Signal vs. Noise: Two Different Failure Modes

The DRJ piece breaks AI capability in incident response into three buckets. AI can monitor thousands of signals across infrastructure simultaneously and surface anomalies faster than any on-call engineer scanning dashboards, correlating alerts and grouping related signals into a single incident before a human would have opened a terminal. It can execute the mechanical first ten minutes of an incident, acknowledging alerts, opening a bridge, pulling the runbook, in under sixty seconds.And after the fact, it can reconstruct timelines and draft the factual skeleton of a postmortem.</cite>

None of that requires judgment. All of it is currently eating human attention that should be going somewhere else. A classic industry benchmark found that 74% of IT professionals regularly experience alert fatigue, with median teams receiving over 50 alerts a week. It’s a triage problem wearing a technology costume, and it's the exact kind of noise AI is built to absorb.

Then the article draws the other half of the line. Severity declaration has to stay a human decision, because it drives who gets paged, what the customer hears, and whether leadership gets a midnight call.AI can draft a status update, but a human has to approve it, because when a major customer demands answers, "AI sent that automatically" is not a defensible position.High-blast-radius calls, like failing over to a region that has never carried full production traffic, require human authority and context. And postmortems can be prepped by AI but not run by it, because the retrospective is fundamentally about human accountability and the social dynamics of a team learning together.

Read that list again and swap "incident" for "physical security event" or "insider threat investigation" or "executive travel disruption." The categories hold. Pattern recognition, alert correlation, and first-response mechanics are AI's lane. Severity, external communication, high-consequence tradeoffs, and the accountability conversation are yours.

Operational Reality: The Test Isn't Intelligence, It's Discipline

This is where the Brooks framing earns its keep. His warning isn't that AI will replace security judgment. It's that most people, given a tool that can produce a confident-sounding answer in three seconds, will stop doing the work of forming their own. Not because they're incapable of it. Because sustained mental effort is the thing AI makes easiest to skip, and skipping it feels like efficiency right up until the incident that doesn't match any pattern the model has seen.

The DRJ piece calls this out directly: AI is exceptionally good at recognizing what it has seen before and poorly suited for what it hasn't. A novel failure mode or an ambiguous business impact requires a human reasoning across incomplete information, and AI will give you a confident answer that may be wrong in ways that are hard to detect under pressure.

That's the real risk. Not that AI gets the easy calls wrong. It's that the easy calls get automated so smoothly that the muscle for the hard ones quietly weakens. The DRJ article flags this as skill atrophy: if AI handles all mechanical triage long enough, junior team members never build the technical instinct to run things manually, and when the AI system itself has an outage, the team has to run the incident without it.</cite> Every security leader building an AI-assisted operation should treat that as a standing risk on the register, not a footnote.

From Doers to Orchestrators: A Practical Filter

The DRJ framework offers three questions worth stealing wholesale for physical security and governance work, not just IT incidents: <cite index="2-1">Is the action well-defined with a consistent right answer, or does it depend on fluid context? What is the blast radius if AI gets it wrong? And is there a person who has to own this outcome to leadership or a customer?

Anything that clears all three, automate it without guilt. Anything that fails even one, that's your job, and it's staying your job for a while.

Tuesday Morning Takeaway

Don't ask your team whether they're using AI well. Ask them to name the last five decisions AI made a recommendation on and tell you, specifically, who signed off on each one and why. If they can't answer fast, you don't have an AI governance problem. You have a judgment ownership problem that AI is currently making very easy to ignore.

Northern Signal covers the security and governance questions boards should be asking. Subscribe in the comments.

Reply

Avatar

or to participate

Keep Reading