A Gartner take on the MDR market in 2026

Zev Schonberg

Gartner’s research note, The Impact of AI on MDR Services, arrives at a moment when the security operations landscape is shifting faster than most organizations realize. The report’s central argument is clear. AI is fundamentally reshaping what MDR services can deliver, but the benefits are accruing unevenly. Service providers gain operational efficiency. Buyers, meanwhile, are being told not to expect lower costs, and to brace for a more complex relationship with their providers.

For CISOs navigating this transition, the question is no longer whether AI will change the SOC. It is whether the current service model is the right vehicle for that change.

What Gartner is really saying

Gartner’s analysis centers on three impacts. First, AI-enabled MDR services will expand capabilities and claim higher quality, but organizations will face real discrepancies in delivered value across providers. Second, the cost savings that leadership expects from AI in the SOC will largely go unrealized, since MDR providers will absorb efficiency gains rather than pass them through as lower prices. Third, and perhaps most significant, more organizations will consider insourcing MDR functions altogether as AI tools mature.

That third point deserves attention. Gartner explicitly notes that advances in AI SOC agents and existing security tools are “increasing the security team’s internal competition for traditional MDR services.” In other words, the technology that once justified outsourcing detection and response is now making it feasible to bring those functions back in-house.

The report also strikes a cautious tone about trust. It warns that SOC managers become frustrated when their only option is to “talk to an AI chatbot instead of a live person or security engineer.” And it urges buyers to demand transparency with verified outputs, human validation of AI findings, and measurable improvements in speed and accuracy. These are not minor caveats. They point to a structural tension at the heart of the AI-augmented MDR model.

The tension Gartner identifies, and where it leads

Gartner’s recommendations to buyers are telling. They advise organizations to challenge MDR providers to demonstrate tangible value, to refuse machine-driven deliverables that lack context, and to refactor service metrics so they measure actual outcomes rather than volume of AI-processed alerts. The message, read between the lines, is that AI in the hands of an MDR provider benefits the provider first.

This is a reasonable observation, but it raises a deeper question. If the primary advantage of AI accrues to the service provider’s operational efficiency, and the buyer still needs to invest in internal staff, updated processes, and careful oversight of the provider’s output, then what exactly is the buyer paying for?

Gartner stops short of answering that question directly. It recommends that organizations “do the research” to determine whether an AI tool or an MDR service better matches their needs. It even suggests that for certain use cases, like after-hours coverage with no remediation requirement, an AI tool may be sufficient on its own.

The case for a different operating model

At Intezer, we believe the answer to Gartner’s implicit question is becoming clearer by the quarter. The MDR model was built for a world where skilled analysts were scarce and automation was rudimentary. In that world, outsourcing triage and investigation to a provider with deeper expertise and broader staffing made sense. But AI has changed the economics and the capabilities.

What organizations actually need is not a service that wraps AI around a human-labor model. Organizations need AI that executes investigation at a depth and scale that was never possible with human analysts alone, while keeping the security team in control of outcomes. That means every alert is investigated at forensic depth. It means transparent, evidence-based verdicts that analysts can verify and trust. And it means the security team supervises the AI rather than managing a vendor relationship.

Gartner’s insistence on transparency and measurable outcomes aligns with this direction. When the report warns against tolerating “machine-driven deliverables” without context, it is describing the exact failure mode of bolting AI onto a legacy service model. The alternative is an AI SOC platform that makes its reasoning visible, produces evidence behind every verdict, and earns trust through verifiable results rather than vendor assurances.

What this means for security leaders

Gartner’s research validates what many CISOs are already experiencing. The MDR relationship is becoming more complex, not simpler. Costs are not coming down. And the organizations that are moving fastest are the ones exploring how AI can augment their own teams directly, not just enhance a provider’s backend operations.

The practical path forward is not about choosing between AI and human expertise. It is about choosing an operating model where AI handles the investigative work that humans cannot scale, while analysts focus on the judgment calls, escalations, and strategic decisions that require human context. That is the model Gartner’s data points toward, even if the report frames it as a future possibility rather than a present reality.

For organizations still early in this transition, the Gartner report offers a useful framework. Demand transparency. Measure outcomes, not activity. And ask the hard question about where AI-driven value should live: inside a provider’s margin, or inside your own SOC.

Learn more about how Intezer AI SOC can help your SOC maximize the benefits of AI combined with human supervision.

Zev Schonberg is a product marketing manager with years of experience in deep tech.

As a lead contributor at Intezer, Zev authors research-driven analysis and thought leadership that explores how modern security operations centers can better detect, investigate, and respond to threats at scale.
