At first glance, that line of thinking might seem ‘soft’ in a room full of security professionals. It is not. As Janssen put it: “The greatest challenges are rarely technical. They are human.” In cybersecurity, those difficulties encompass incentives, pressure, judgement, trust, communication and accountability.
AI is already stronger than humans in processing data, information and knowledge, identifying patterns at a scale no analyst can match. But pattern recognition is not the same as understanding intent. Attackers do not merely produce anomalies. They pursue objectives.
The analyst is not obsolete
AI may take over some of the workload for analysts buried under thousands of alerts. But that is not the same as replacing the analyst. It is AI removing noise so that human judgement can be used where it matters. AI can summarise, correlate, classify and accelerate. It can support malware detection, incident analysis, secure coding and response preparation. But it cannot define risk appetite. It does not understand organisational context in the way a CISO, architect or incident lead must. It will not assume accountability when an automated response disrupts production, or a false negative is ignored.
Janssen framed AI not only as a micro tasker, but increasingly as a companion, delegate and teammate. An AI agent nowadays can read emails, accesses files, prepares priorities, or participates in decisions. The interaction model is beginning to shift: AI no longer merely responds to human prompts, but increasingly proposes actions, priorities and questions of its own.
Human urgency as a security risk
Janssen’s strongest security point was less about attackers using AI than about employees turning to AI at vulnerable moments. Under pressure, people look for help. They may paste code, contracts, credentials, internal context or incident details into an AI tool because it offers what the official process often does not: immediate structure, speed and reassurance.
The risk is not always malicious intent; often, it is urgency. AI also removes social friction. Employees may ask an AI tool to review code, interpret an error message, or assess an incident detail more easily than they would ask a colleague, manager or helpdesk. This creates a new disclosure channel inside the organisation: informal, fast, invisible and often outside governance.
The humanity check
Janssen proposed a practical lens for assessing AI initiatives: the Humanity Check. It asks three questions:
- Does the system make people more autonomous or more dependent?
- Does it strengthen connection within the team or replace it?
- Does human judgement still matter, or has meaning been removed from the work?
Those questions are highly relevant for security leaders. Used well, an AI assistant can help teams collaborate during incident response and strengthen human capability. Used poorly, it can lock expertise inside opaque automation. The same applies to autonomy: tools that help analysts understand context can increase it; systems that silently decide what matters can reduce it.
Janssen’s argument is not that every AI initiative must preserve every human task. Repetitive and low-value work should be automated where possible. Organisations need to deliberately decide where they digitise and where they humanise. That is a governance question as much as a technical one.
Not speed, but judgement
If security becomes purely a race for speed, humans lose. Machines can process more data, at greater speed and continuously — and attackers will use that speed as well. The human contribution lies elsewhere: judgement, empathy, meaning and accountability. In cybersecurity, that means deciding which risks matter, how to communicate them, when to escalate, which trade-offs are acceptable, and who is responsible when automation acts. The human role will survive only if AI is used to strengthen that judgement, not to bypass it.
