_Post 17 of the AI in cyber series._

The 2025 retrospective. Eight months after the merger that produced UK Cyber Defence, the AI conversation has moved enough that the year-end framing is worth being deliberate about. I tend to think the public AI-in-cyber discourse has spent 2025 catching up with what production practitioners have been saying for some time. The catching-up is welcome and the rest of this post tries to be precise about which parts have caught up and which have not.

Five things that were real in 2025

The constrained-agency shape became the named alternative to unbounded operator agents. I described the shape in post 8 of this series when it was a structural prediction. By autumn the major analyst firms were using the language explicitly and procurement teams were distinguishing the two shapes in RFPs. The unbounded-operator demos continued; the deployments converged on constrained-agency in regulated environments. Post 13 of this series covers the bucket map.

Determinism became a procurement question. The properties I described in post 2 of this series — same input, same output, version-pinned auditing — are now standard line items in enterprise security RFPs. The vendors that engineered for them years ago are now finding the questions converge on what they have always offered. Post 14 connects this to the regulatory shape.

Open-source LLMs continued to close the gap. Llama 4 in spring, Mistral Large 3 in summer, several smaller open-weight models through the year. The on-premises LLM is now a credible default rather than a fallback. Post 5 covers the operational shape; the assessment holds and has hardened.

Regulators arrived at the AI conversation. The Cyber Security and Resilience Bill secondary legislation, the autumn BoE/FCA/HMT joint statements on frontier AI, the ICO's continued enforcement against vendors handling under-18s' data, the EU AI Act implementation. The regulatory environment for AI in cyber security is now operational rather than prospective. Post 16 covers the financial-services lead indicator.

The CISO accountability conversation continued to harden. The SEC's SolarWinds-Brown case progressed through the year, generating supervisory and procurement consequences in the UK that are described by the line the ICO is now drawing. The CISO who signs off on AI security tooling is doing so under a personal accountability framework that did not exist in this shape at the start of the year.

Five things that were less real than 2025 predicted

The unbounded autonomous AI cyber operator. Demos continued. Production deployments at scale with consequential authority and no human in the loop did not. The bucket-one population from post 13 — agents in production with consequential authority in regulated environments — remained small and dominated by constrained-agency systems.

The fully AI-driven SOC. A genre piece that has recurred through 2025. Real SOC teams continue to do real SOC work. The team-to-AI ratio has shifted (the same team covering more customer telemetry) but no SOC team I work with has been replaced by AI in any practical sense.

AI-driven cyber offence at scale. Phishing has continued to improve in grammatical quality without materially shifting click-through rates. Voice clone fraud has been used in targeted incidents at small volume. The script-kiddie capability has climbed; the determined-attacker capability has not noticeably done so via AI. The dramatic 2024 claims of fundamental offensive-landscape shift have not landed in 2025 either.

The hyperscaler-AI dominance in regulated security. Through 2024 the conventional wisdom was that hyperscaler-LLM-based security tooling would be the default. 2025 has produced significant counter-pressure — data sovereignty concerns, cost predictability, the regulatory shape from the autumn cycle, the CrowdStrike-shaped resilience question applied to AI. The hyperscaler default has not won the regulated-security category in the way the 2024 trajectory implied.

The displacement of human analysts. Analyst headcount in UK MDR providers has not measurably dropped. AI augmentation has shifted what analysts do, not how many there are. The economics may shift in 2026-27; they have not shifted yet.

Where EmilyAI stands at the end of 2025

A short reflection.

EmilyAI's seventh production year ended without architectural change of consequence. The schema is at v1.2 (the interaction-and-hunting ring), the hardware specification is the same R760 we have shipped for several years, the deterministic-INT8 discipline is the same, the continuous learning loop is the same, the cross-tenant intelligence model is the same. We added more SIEM and case-management connectors. We refined the pre-triage classifier. The model registry now contains versions back to 2019.

What 2025 actually changed about how we work is operational rather than architectural. The customer conversations are different. The procurement questions are different. The regulatory engagement is more substantive than it has been. The merged firm — Hedgehog Security plus UK Cyber Defence, now operating as UKCD — has a broader bench for the work the platform demands. The platform itself has not needed to change much; the firm around it has.

What 2026 looks like

Four short predictions, with the usual humility.

The Cyber Security and Resilience Bill commences in some form during 2026. The secondary legislation drafting work has produced enough text to make commencement plausible by spring or summer. The provisions on AI-driven security decisions, on supply-chain diligence, on the 24/72 reporting clock, all begin to bite. Firms that have not done the work this year will be doing it under regulatory pressure next year.

A high-profile agent-driven incident lands. I have predicted this multiple times across the series and it has not happened yet. The trajectory we are on makes 2026 the year it becomes more likely than not. The shape is impossible to predict; the regulatory and product response will be slow.

The cost of reasoning models continues to drop. Inference optimisations, increasingly competitive open-source small reasoning models, and competitive pressure on the hosted incumbents will push the cost of reasoning-quality output down by another factor of three to five over the year. The augmentation layer becomes near-ubiquitous as a result.

The constrained-agency category names itself formally. Either by analyst firm or by regulator, the distinction between constrained agency and unbounded operator will get a piece of formal vocabulary in 2026. The naming will accelerate the procurement-grade differentiation that has been gathering for the past year.

What I will be writing about in early 2026

A short forward-look.

In January, the Cyber Security and Resilience Bill implications for AI in security specifically — what the commencement order will and will not change for vendors and customers.

In March, the open-frontier-model question. The supply chain of intelligence — where the model came from, who trained it, what licensing and provenance regime governs it. DeepSeek's recent releases have changed what this conversation looks like and the early-2026 piece will engage with it directly.

In April, six years of EmilyAI — a longer reflective piece on what we kept, what we changed, what we should have done sooner. The architectural retrospective the series has been building toward.

What is next

In six weeks: the Cyber Security and Resilience Bill in commencement. What changes for AI in cyber security specifically when the legislation lands.