Abstract
This teaching case follows Maya Mercer, Head of Cyber Defence at ‘Meridian Water & Power’, a United Kingdom critical national infrastructure (CNI) operator, as the security team introduces agentic artificial intelligence (AI) into its security operations centre (SOC). Over roughly 2 years, Mercer’s team moves from a fragmented, alert-saturated environment to one in which three custom multi-agent systems support incident analysis, detection engineering and threat intelligence under human-in-the-loop oversight. The case culminates in a decision: with strong early returns and growing pressure to pursue ‘frontier’ status, should Mercer approve the next phase – granting agents the autonomy to take limited containment actions without waiting for a human – or continue with decision-making by human analysts while the foundation matures? The case raises issues around the use of autonomous AI agents in security management, workforce anxiety and role evolution, and the governance of agentic AI in regulated environments. It is suitable for courses on digital and AI transformation, AI strategy, cybersecurity leadership, and technology and operations management at advanced undergraduate, postgraduate and executive levels.
Keywords
Learning objectives and key issues
The case is organised around three core themes, each with associated learning objectives:
The use of autonomous AI agents in security management
• To evaluate why agentic AI initiatives, succeed or fail, and the importance of starting from a clearly defined problem rather than an available technology. • To assess the data, process and organisational foundations required before deploying autonomous or semi-autonomous agents in an operational setting. • To consider how the value of agentic AI should be measured, and how a leader should balance return on investment against risk when deciding how far and how fast to extend agent autonomy.
Workforce anxiety and role evolution
• To examine the human and cultural dimensions of AI transformation, including job anxiety, role evolution, psychological safety and change management. • To explore how trust between human analysts and AI agents is built, sustained and, potentially, lost.
The governance of agentic AI in regulated environments
• To analyse the security, assurance and governance controls needed to make AI agents trustworthy in high-stakes, regulated environments. • To weigh the accountability and transparency expectations that regulators place on autonomous decision-making in critical national infrastructure.
The problem
It was late on a Thursday evening, and Maya Mercer had stayed behind long after the day shift of the security operations centre (SOC) had gone home. On the desk sat the slide pack for the following week’s risk committee. The recommendation came down to a single sentence: that Meridian’s AI incident-analysis agent be authorised to move from ‘recommend’ to ‘act’ – allowing it to take limited containment actions itself, without a human analyst approving each one. Two years earlier the idea would have been unthinkable. But the three agents the team had built were performing well: triage was faster, false positives were down, and analysts finally had time to hunt. The executive was enthusiastic, talking openly about becoming a ‘frontier’ organisation. And yet Mercer hesitated. Meridian ran critical national infrastructure; a wrong automated containment action could disrupt a service that millions relied on. The regulator was asking sharper questions about AI accountability every quarter. The team had only just begun to trust the agents – and some still quietly feared for their jobs. Threat actors, meanwhile, were rumoured to be building agents of their own. Should Mercer sign the recommendation and push towards the frontier, or hold the agents at human-in-the-loop oversight for another year and keep building the foundation? The committee would need an answer on Monday.
Background
Meridian Water & Power is a (fictional) United Kingdom operator of critical national infrastructure, supplying water and electricity to several million households and businesses across a large region. Like its real-world counterparts, Meridian runs a mix of modern digital systems and older operational technology, sits within a tightening regulatory regime, and presents an attractive target to financially motivated criminals and hostile states alike. A successful attack could mean not just data loss but disruption to an essential service. Its security operations centre therefore operates around the clock.
Maya Mercer had spent more than 15 years in cyber security, moving from hands-on analyst and detection-engineering roles into security leadership. By the time of the case, Mercer led the cyber defence function at Meridian, with accountability for the SOC, detection engineering, threat intelligence and incident response. The role carried a familiar tension for security leaders: personal accountability for decisions that increasingly depended on systems too complex for any one person to inspect in full.
Like many security teams, Meridian’s had grown by accretion. Years of procurement decisions – each sensible in isolation – had left a fragmented architecture of tools, detections and alerts. Collaboration between those who operated controls and those who implemented them was limited, and there was no clear, shared view of how the controls interconnected. The SOC suffered from a high false-positive rate, which drove analyst burnout and meant skilled, expensive people spent their days triaging noise rather than hunting threats. ‘The thing that kept me up at night was not the sophisticated attacker,’ Mercer would later reflect. ‘It was watching good analysts burn out clearing false positives, knowing that the time we lost there was time we could never spend getting ahead of the threat.’
Mercer’s working hypothesis was that time saved in the SOC would deliver the greatest gains across the whole of cyber defence, and could be redirected to higher-value work such as proactive threat hunting. That hypothesis is what set the team on the road to agentic AI.
Meridian’s first steps: A false start
The team began with a security-specific AI assistant aimed at repetitive tasks: summarising incident tickets, drafting reports, analysing threat intelligence and suggesting next steps. Early results were modest. The tool had been introduced in a stand-alone fashion, without being embedded into workflows and without clear usage guidelines, baselines or problem statements. Usage became inconsistent and dependent on individual analyst preference. ‘We had been sold plug-and-play,’ Mercer recalled. ‘What we learned was that none of the vendor tools solved an end-to-end problem. That work falls to the people who own the process. If you just plunk a tool in, you flunk.’
The breakthrough came when the team applied the assistant to a specific, high-impact pain point: the detection rule base. Rules were inconsistently named, poorly governed, difficult to search and lacked clear mapping to industry regulatory frameworks (e.g. MITRE ATT&CK). Using the assistant, the team accelerated its migration to detection-as-code, improving efficiency and code quality far faster than manual effort alone. The lesson the team drew was deceptively simple: always start by asking what problem the AI is solving, not what technology is available.
Building agents as teammates
Building on that foundation, the team developed three custom multi-agent systems, each designed around human-in-the-loop principles. Full autonomy was explicitly not the goal; humans remained central to high-stakes decisions and oversight. The first, an incident-analysis support system, orchestrated AI-powered triage, deep analysis across data sources, limited threat hunting and structured recommendations – including call-out decisions – for human analysts. The second, a detection-engineering agent, managed the full rule lifecycle: analysis, code validation, optimisation, overlap checks, ATT&CK mapping and threat-intelligence integration, with analysts able to converse with it directly. The third, a threat-intelligence agent, automatically ingested, normalised and operationalised intelligence, generated hypotheses, ran targeted hunts, assessed detection coverage and created tasks for proactive teams – linking directly to the other two.
A profound shift occurred when the team stopped treating these agents as tools and began treating them as active team members. The agents generated content, made decisions, executed logic continuously and interacted with one another, much like humans on shift. This mindset reshaped the team’s practices: agents were given ‘job descriptions’ with clear objectives, defined collaboration points, access controls and even performance-improvement mechanisms when they underperformed. Development mirrored onboarding a new hire – coaching, feeding context, correcting and building trust gradually. Model upgrades felt like promotions: an agent would suddenly gain new capabilities, prompting the team to revisit its permissions, role and place in the architecture.
Crucially, the team protected the conditions that made this possible. Rather than treating agent development as a side-of-desk activity, Mercer dedicated two team members full-time to designing and building the systems, with sandbox environments and time for deep, uninterrupted experimentation. Open, transparent communication about the initiative reduced suspicion and drew ideas from the wider team. Mercer came to regard this protected time as the single most important factor behind the quality of the agents.
Guardrails, assurance and getting comfortable
Before agents could make decisions in live cyber defence workflows, Mercer needed to be personally confident that they were safe, auditable and appropriately controlled. Security was treated as a foundational requirement rather than an afterthought. The team implemented multi-layered controls spanning access-control infrastructure, inter-service authentication, content-safety guardrails and application-level role-based access controls, drawing on the native security primitives of its technology stack.
Particular attention went to authentication – especially for agent APIs – identity management for inter-agent and agent-to-tool communication, and the governance of secrets and tokens. Access to external systems introduced further considerations. The team established auditable logging of agent decisions to create a verifiable evidence trail, applied content filtering to mitigate prompt injection and jailbreaks, and built in failover logic for safety-critical scenarios. To augment these controls, it introduced independent verification and validation layers: deterministic pre-checks before any AI-driven decision, static risk assessments, conservative downgrade logic, and quality and confidence scoring on machine-generated detections. Purple-teaming exercises and human-in-the-loop validation provided independent assurance that the controls performed against relevant threat behaviours.
The human dimension was addressed through a dedicated ‘People Workstream’ focused on governance, assurance, job-description updates and time-reallocation planning. Mercer was candid with the team about job anxiety, offering a now-familiar framing: AI would not take their jobs, but a colleague who used AI might. For high-risk decisions, such as call-out recommendations, the team required documented rationale, independent verification, confidence scoring, parallel running with humans, and shift-handover summaries of agent decisions. Trust was built like the onboarding of a new colleague – gradual, evidence-based and never assumed from day one.
Measuring the value
Selected SOC and agent-specific metrics.
The decision: How far, and how fast?
Nearly two years after the first experiment, the results were undeniable: faster triage, fewer false positives, measurable reductions in manual work, and analysts with time to hunt. The executive’s appetite for ‘frontier’ status was growing, and the roadmap had always pointed towards a next phase of automated containment. Yet, the same factors that made the agents valuable also made expanding their autonomy consequential.
Mercer weighed competing pressures. Extending autonomy promised further efficiency and signalled ambition to the board, but Meridian operated critical national infrastructure, where a mistaken automated action carried real-world consequences and the regulator’s expectations on AI transparency and accountability were tightening. The team’s trust in the agents, though growing, was still young, and the workforce’s anxieties had not fully settled. Hostile threat actors were beginning to field agents of their own, raising the prospect of AI-versus-AI dynamics that current guardrails had not been designed to withstand.
Mercer had come a long way and did not want to stall the momentum the team had earned. The question for the risk committee was no longer whether agentic AI could add value – that had already been demonstrated – but how far, and how fast, a responsible leader should extend its use.
Suggested discussion questions
The questions below are grouped by theme and audience so that instructors can select those best suited to their cohort. The first set suits general digital and AI transformation courses; the second is pitched at cybersecurity and security-management audiences; the third explores trust and collaboration. Instructors may mix across the groups depending on the background of their students.
Questions for digital and AI transformation
• Why did Meridian’s first, stand-alone deployment deliver so little value, and what changed when the team targeted the detection rule base? What does this suggest about how organisations should select AI use cases? • How important were data quality, process redesign and ‘protected time’ to the outcome? Could the agents have been built successfully without them? • Evaluate the decision to treat agents as ‘team members’ with job descriptions, onboarding and performance management. What are the benefits and risks of this framing? • How well does the measurement framework in Exhibit 1 capture the value – and the risks – of the initiative? What is missing? • What does ‘frontier’ status mean in this context, and is it a sensible goal? How would you sequence the journey towards it?
Questions for cybersecurity management
• Assess Mercer’s approach to security, assurance and governance. Which controls matter most in a regulated, critical national infrastructure environment, and why? • What additional assurance would a regulator reasonably expect before an AI agent is permitted to take containment actions autonomously? • How should the team prepare for ‘AI-versus-AI’ dynamics as adversaries begin to field their own agents? • Should Mercer recommend moving the incident-analysis system from ‘recommend’ to ‘act’? Set out the case for and against, and state your own recommendation with conditions.
Questions on trust and collaboration in digital workplaces
• Why is trust important in the use of agentic AI in workplaces, and how does it differ from trust between human colleagues? • What advice would you give Mercer to ensure the AI agents are trusted by their human teammates? • Consider the workforce dimension. How should leaders handle job anxiety and role evolution during an AI transformation? Was Mercer’s framing adequate?
Footnotes
Authors note
This case is based on the first author’s own professional experience leading the adoption of agentic AI in a cyber defence team. The protagonist, the organisation and specific details have been fictionalised and anonymised to preserve confidentiality; metrics and technical details have been generalised for illustrative purposes only, and no confidential, proprietary or organisation-specific information is disclosed.
Funding
The authors received no financial support for the research, authorship and/or publication of this article.
Declaration of conflicting interests
The authors declared no potential conflicts of interest with respect to the research, authorship and/or publication of this article.
