Will humans always be in the loop?

Nothing lasts forever—maybe not even the human-in-the-loop protocol.

During a March 23 panel at the RSAC 2026 Conference, Francis deSouza, COO and president of security products at Google Cloud, told the audience that the idea of human-led defenses is “long gone” because the speed of AI attacks is making it hard for traditional safeguards to keep pace.

“The idea of having a human in the loop on a lot of defense processes [is] just too slow when you have an agentic attack,” he said.

Sounds about right. DeSouza wasn’t the only professional with doubts about the future of human-led defenses. Vodafone Global CISO Emma Smith said scale is another factor that may eventually make “human in the loop” operations outdated.

“If we think about our traditional security controls, the ones that rely on human or human behaviors are the ones that we don’t rely on the most,” Smith said during the panel. “Let’s face it, we rely on the ones that are technical and that are automated and that we can prove over time. So, a human in the loop is not the solution for the long-term, certainly on scaled operations.”

Some professionals are already practicing what they preach: Shaun Khalfan, PayPal SVP and CISO, told the crowd his company has forgone human-led defenses in “some high-confidence use cases” so that it could respond to threats at “AI speed and not human speed.”

The disbelievers. However, not everyone is willing to do without humans supervising agentic decisions just yet. Erez Yalon, VP of security research at Checkmarx, told IT Brew at the conference that he hears from many organizations without a security posture mature enough to support expanding their overall employee headcount, leading him to believe most organizations are far from totally automating their cybersecurity.

“If your organization is not mature enough for that then it’s not mature enough to have AI controlling your security,” Yalon‏ said. “So, making the leap from here to removing the humans completely, for me at the moment, it’s hard to consider.”

David Boda, chief security and resilience officer at Nationwide Building Society, said in a March 24 Illumio panel that he wouldn’t let an agent lead his defense process today. However, he understands things may change down the line.

“Is it my job to make sure that in the future that could be a possibility? For sure, because if, like any technology, it proliferates, organized crime will start using it,” Boda said.

Sign of the times. For organizations that see a future where humans play a smaller role in cybersecurity defenses, Randall Degges, VP of AI engineering and developer relations at AI software development company Snyk, told IT Brew at RSAC that there is a very “scientific” way to determine when people can actually be removed from the “loop.”

Degges said companies should log all the decisions AI makes within an organization and have a human review whether or not they’d make the same calls. From there, they can calculate a deterministic score that can be used to make the final verdict.

“The way that most engineers determine if something should or should not have a human in the loop is, ‘What does that confidence number look like?’” Degges said. “As that percentage gets closer and closer to 100%, that’s when people start to feel confident removing the human from the loop.”