The agent age and the analyst in the loop

_Post 21 of the AI in cyber series, and the closing piece._

Twenty-one posts and twenty-eight months in. The series I started at the beginning of 2024, with a position that felt eccentric — we have been running deterministic, purpose-specific, continuous-learning AI in cyber operations since 2018, and the new wave is going to need to catch up to the operational properties of what we have been doing — has reached the point where the catching-up is largely visible. This is the closing post.

I am going to do three things. Summarise where the wider field has ended up. Be specific about what I have got wrong in the series. Lay out what I will be writing about next.

Where the wider field ended up

Five things that, twenty-eight months ago, I would not have predicted with confidence and that are now the operational reality.

The constrained-agency shape has become the default for regulated deployment. The unbounded-operator agent demos continued; the deployments converged on bounded action vocabularies, deterministic decision-making at the consequential layer, human-supervised correction loops. This is exactly the shape post 8 described. The naming is now standard; the procurement-grade differentiation is now real.

Determinism became a procurement requirement. I described this as a niche concern in post 2. It is now in the standard RFP. The vendors who engineered for it years ago are well-positioned. The vendors who did not are doing the work.

The single-tin / on-premises deployment posture stopped being dismissed as antique. The hyperscaler-default trajectory of 2024 has met the regulatory and operational-resilience reality of 2026. The single-tin posture is now one of several legitimate deployment shapes and is the right shape for a significant slice of regulated buyers.

The CSR Bill's secondary legislation has formalised the expectations. The Bill is now in commencement. The inventory, audit-trail, supply-chain diligence, and reporting obligations all apply to AI in cyber security. The shape of the obligations is the shape that the architectural disciplines I have described make easier to satisfy.

The augmentation tier and the verdict tier have separated cleanly in well-designed systems. Reasoning models, operator-style agents, and conversational interfaces sit above the verdict-making AI as tools for human analysts. The verdict-making AI sits below and does the tier-two triage work in a constrained, deterministic, auditable way. The boundary is the operational shape that has emerged from the past year of practice.

What I got wrong in the series

Three calls I want to be honest about.

The pace of regulatory action was faster than I implied through 2024. I described the regulatory conversation as converging slowly. It converged faster than I expected. The ICO's enforcement action against TikTok in April 2023 was the leading indicator; the autumn 2025 BoE/FCA/HMT signal was the consolidating one; the CSR Bill secondary legislation is the closing brace. The whole sequence happened in twenty-four months. I would have predicted thirty-six.

I under-weighted the operational-resilience angle. I treated the CrowdStrike outage as a single event with implications for AI in security. In retrospect, it was the structural lesson that reframed the entire regulated-buyer conversation about AI provider concentration. The single event mattered more than I thought.

I was too cautious about the open-weight reasoning model wave. Through 2024 I described open-source models as catching up in the middle with the hosted incumbents still ahead at the high end. By early 2026 the catching-up extended to the frontier, the DeepSeek-and-similar wave was operational, and the on-premises deployment of frontier-capable reasoning had become trivial. I should have flagged the trajectory earlier than post 19.

What I think happens next eighteen months

Three predictions for the period from now to late 2027, with the usual humility about predictions.

The first high-profile AI-driven cyber incident lands. I have predicted this through several posts in the series and it has not yet happened in the dramatic form the commentary anticipates. The trajectory we are on makes it more likely than not by the end of 2027. The shape is impossible to predict; the regulatory and product response will be slow.

The verdict-making AI category gets its own name in the public conversation. Constrained-agency agent or purpose-specific decision agent or some equivalent term will emerge from regulator or analyst language and become the procurement-category name. The shape has been operational for years; the name will arrive late, as names usually do.

**The cyber AI conversation shifts from what is the model to what is the architecture around the model.** The model itself is, increasingly, a commodity input. The architectural disciplines around it — schema, audit, lineage, deployment topology, cross-tenant governance — are the differentiation. The vendors that win the next round will be the ones that have built the disciplines.

A note on what this series has been

I want to be explicit about something at the close that I have only implied through the series.

This has been, in some respects, a long-form argument that the operational disciplines around AI matter more than the model choice. I have used EmilyAI as the comparative anchor because she is the system I know best and because the architectural decisions we made in 2018 produced a set of operational properties that the rest of the field has had to converge toward. The argument has not been we are the best AI — I do not think the comparative-quality question is the right question. The argument has been we engineered for the right set of properties and the field has been catching up.

Where the field has caught up — in determinism, in audit, in lineage, in resilience, in the constrained-agency shape — the convergence has been genuinely useful for everyone. The customer in 2026 has more choices that meet the operational and regulatory bar than the customer in 2024 did. This is a wholesome outcome.

Where the field has not yet caught up — in cross-tenant intelligence governance, in continuous learning from feedback at scale, in the structural privacy guarantees — the work remains to be done and most of the major vendors are doing it.

What I will be writing about next

The series formally closes here. The blog will continue, with the weekly Saturday cyber roundup, the monthly board briefing, and occasional pieces on whatever I think is worth writing about. The AI-in-cyber thread will not stop being a topic; it will stop being a thread of its own.

The pieces I have draft material for, that I expect to write over the next few months:

The agent governance question post-incident — what an actual blast-radius AI incident looks like, when it lands.

The verdict-AI category naming — when the public conversation lands on a term for the shape of system the series has been describing.

A six-month update on the CSR Bill implementation — what the regulatory expectations have actually produced in practice, and which vendors and customers have struggled with which provisions.

An update on cross-tenant intelligence governance — as more vendors engage with the question, the practice patterns are likely to converge. The seven principles may be revised or extended.

A short word of thanks

Twenty-one posts is a long series. Several readers have written to me through it, sometimes to push back, sometimes to share their own experience. The conversations have been useful. Some of what I have written is sharper because of the pushback; some of what I have left out is the better for it. Thanks to the people who have engaged.

EmilyAI continues. She has been in production for eight years; she remains the analyst doing tier-two work across the UKCD customer base; she continues to learn from every closed case. The architectural decisions from 2018 still hold. The disciplines still hold.

The series closes. The work continues.