We Replaced Our Team of 6 with AI Agents — Here's What Actually Happened
The Spreadsheet That Changed Everything
It was 11 PM on a Tuesday in October 2025, and I was staring at a spreadsheet that made me feel slightly sick.
Not because the numbers were bad. Because they were honest.
I’d been running cybersecurity operations for over twenty years — Allianz, Monash University, University of Auckland, enterprise engagements across six countries. I knew what a competent security team costs. I’d built dozens of them. And now, running dig8ital out of Munich, I was looking at the fully loaded cost of the six-person team I needed to properly service my clients: €847,000 per year.
GRC analyst. Policy manager. Vendor risk assessor. Compliance officer. Incident response coordinator. AppSec lead.
Six roles. Six salaries. Six sets of benefits, training, management overhead, and — let’s be honest — six people spending roughly 60% of their time on work that doesn’t actually require human judgment.
I’d spent the last few months building AI agents as a product. Agents designed to do exactly these jobs for CISOs at enterprises like Telefónica Germany and Sixt. And sitting there at 11 PM, coffee going cold, I had a thought that was either brilliant or completely reckless:
What if I deployed them on myself first?
Not as a demo. Not as a proof of concept. As my actual operating team.
Here’s what happened.
What a 6-Person Security Team Actually Looks Like
Before I tell you what changed, let me paint the picture of what I was replacing. Because if you’re a CISO, you’ll recognise this immediately.
A proper security operation — the kind that can handle GRC, policy, vendor risk, compliance, incident response, and application security — needs at minimum six dedicated people. In the German market, here’s what that looks like:
The GRC Analyst (€85-110K loaded): Maintains the risk register. Maps controls to frameworks. Spends three days every quarter assembling board reports that executives glance at for four minutes. Knows ISO 27001 backwards but spends most of their time in Excel, not in strategy sessions.
The Policy Manager (€80-100K loaded): Writes policies. Updates policies. Answers the same twenty questions about policies. “Does our remote work policy cover contractor laptops?” Yes, section 4.3. “What’s our data retention requirement for customer PII?” 36 months, per policy DR-003. Rinse, repeat, forty times a week.
The Vendor Risk Assessor (€75-95K loaded): Sends out questionnaires. Chases responses. Reviews questionnaires. Scores vendors. Produces reports. A single vendor assessment takes two to three weeks — not because the analysis is complex, but because the process is a bureaucratic marathon of follow-ups and form-filling.
The Compliance Officer (€90-120K loaded): Monitors regulatory changes. Maps them to existing controls. Identifies gaps. Produces evidence for auditors. Lives in a permanent state of audit preparation, because by the time one audit ends, the next one is already looming.
The IR Coordinator (€85-110K loaded): Maintains playbooks. Runs tabletop exercises. Coordinates response when something goes wrong. Spends 90% of their time preparing for the 10% of the time when they’re actually needed — and you can’t cut that 90% because the 10% is existential.
The AppSec Lead (€90-115K loaded): Reviews code. Triages vulnerabilities. Argues with developers about why that SQL injection actually matters. Drowns in scanner output, trying to separate the signal from a tsunami of noise.
Total loaded cost: €600K to €900K per year, depending on seniority and location. (The six ranges above sum to roughly €505K to €650K; the top of the band reflects more senior hires, a higher-cost location, and the management and training overhead mentioned earlier.)
And here’s the thing that kept me up that Tuesday night: I’d managed teams like this for two decades. I knew — knew — that roughly 60% of what these people do is mechanical. It’s important. It’s necessary. But it doesn’t require human creativity, judgment, or experience.
Risk register updates. Policy lookups. Questionnaire processing. Evidence collection. Alert triage. Framework mapping.
It’s structured work with structured inputs and structured outputs. The kind of work that burns out good people and makes them leave the industry.
The other 40%? That’s where the magic happens. Strategic thinking. Judgment calls under pressure. Reading the room in a board meeting. Knowing when a vendor’s answer smells wrong even though it technically checks the box. That’s irreplaceable human work.
My question was simple: What if AI agents handled the 60%, and I handled the 40%?
The Experiment: Building the Agents, One by One
I didn’t try to boil the ocean. I started with one agent and gave myself permission to fail.
Agent #1: GRC (The Trojan Horse)
I chose GRC first because it’s the connective tissue of everything else. If you get the risk register right — really right, with live data flowing in and out — everything downstream gets better.
The first version was terrible. I fed it our risk register, control library, and framework mappings (ISO 27001, NIST CSF, BSI IT-Grundschutz — because Germany), and asked it to generate a board report.
It produced something that was technically accurate and completely useless. It read like a robot had eaten a spreadsheet and regurgitated it in paragraph form. No narrative. No “here’s what the board actually needs to worry about.” No prioritisation based on business context.
So I rebuilt it. Not as a report generator, but as a conversational analyst. Something I could talk to the way I’d talk to a sharp junior GRC analyst sitting across the desk.
“What’s our current risk posture against ransomware, weighted by business impact?”
“Which controls have the widest coverage gaps across our framework mappings?”
“Draft a board summary that highlights the three things the CFO will actually care about.”
That version worked. Not perfectly — I’ll get to the failures — but well enough that I stopped maintaining the risk register manually. The agent became the source of truth, and I became the editor and strategist.
Agent #2: Policy
Policy was the easiest win. It turns out that answering “what does our policy say about X?” is exactly the kind of task that AI excels at — retrieval over a well-structured corpus with natural language understanding.
Within a week, I had an agent that could answer any policy question instantly, cite the specific section and version, and flag when a policy hadn’t been reviewed in over 12 months. I connected it to our internal chat and watched it handle forty-plus queries in the first week that would have previously required a human to stop what they were doing, look something up, and write a response.
Agent #3: Vendor Risk
This one surprised me. Vendor risk assessment is one of the most tedious processes in security — and one of the most important. The agent didn’t just speed up the process; it fundamentally changed it.
Instead of sending a generic questionnaire and waiting three weeks for responses, the agent could:
- Pre-populate assessments based on publicly available information (SOC 2 reports, published certifications, news about breaches)
- Generate targeted questions based on the specific risk profile of the engagement
- Cross-reference vendor responses against known data points for consistency
- Produce a risk-scored assessment with flagged areas for human review
A process that took two to three weeks now took about three hours. And the quality was better, because the agent caught inconsistencies that a human reviewer could easily miss on page 47 of a 60-page questionnaire.
Agents #4, #5, #6: Compliance, Incident Response, AppSec
I’ll spare you the blow-by-blow, but the pattern was the same each time:
Compliance became a continuous monitoring function instead of a periodic panic. The agent tracks regulatory changes, maps them to our control framework, and tells me what needs attention — before the auditor does.
Incident Response was the most sensitive build. The agent maintains playbooks, can walk through initial triage, and coordinates evidence collection. But — and this is critical — it escalates to me for any decision that involves business impact, legal exposure, or client communication. More on this in the honesty section.
AppSec was the noisiest. Vulnerability scanners produce mountains of findings, and the agent’s job is to triage, deduplicate, correlate with threat intelligence, and present me with a prioritised list of what actually matters. It turned a daily two-hour slog into a fifteen-minute review.
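As an added example (not code from the article or from the platform it describes), here is that triage step in miniature: two scanners' raw findings are deduplicated by normalised (asset, CVE) pair, enriched from constructed stand-ins for a known-exploited catalogue and exploitation-probability scores, and ranked so that active exploitation and internet exposure outrank raw CVSS. Every finding and intelligence value below is constructed sample data, and the weights in `priority()` are assumptions made for illustration.

```python
"""Triage raw scanner findings: deduplicate, enrich, rank.

Added example, not code from the original article or its platform. All
findings, the known-exploited set and the EPSS-style scores are constructed
sample data, not real vulnerability intelligence.
"""
from dataclasses import dataclass, field

# Constructed raw output from two scanners. CVE-2024-0001 on web-01 is
# reported by both, with different casing in the asset and CVE fields.
RAW_FINDINGS = [
    {"scanner": "scanner-a", "asset": "web-01.example.internal",
     "cve": "CVE-2024-0001", "cvss": 9.8, "internet_exposed": True},
    {"scanner": "scanner-b", "asset": "WEB-01.example.internal",
     "cve": "cve-2024-0001", "cvss": 9.8, "internet_exposed": True},
    {"scanner": "scanner-a", "asset": "db-01.example.internal",
     "cve": "CVE-2024-0002", "cvss": 7.5, "internet_exposed": False},
    {"scanner": "scanner-b", "asset": "build-01.example.internal",
     "cve": "CVE-2024-0003", "cvss": 5.3, "internet_exposed": False},
    {"scanner": "scanner-a", "asset": "vpn-01.example.internal",
     "cve": "CVE-2024-0004", "cvss": 8.1, "internet_exposed": True},
]

# Constructed stand-ins for a known-exploited catalogue (KEV-style) and
# exploitation-probability scores (EPSS-style).
KNOWN_EXPLOITED = {"CVE-2024-0004"}
EPSS = {"CVE-2024-0001": 0.02, "CVE-2024-0002": 0.60,
        "CVE-2024-0003": 0.01, "CVE-2024-0004": 0.95}


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    internet_exposed: bool
    scanners: set = field(default_factory=set)
    known_exploited: bool = False
    epss: float = 0.0

    def priority(self) -> float:
        """Rank by exploitability and exposure first, raw severity second.

        Weights are illustrative assumptions: active exploitation outweighs
        any CVSS difference; probability and exposure act as tie-breakers.
        """
        score = self.cvss
        if self.known_exploited:
            score += 10.0
        score += 5.0 * self.epss
        if self.internet_exposed:
            score += 3.0
        return score


def dedupe(raw_findings):
    """Merge findings for the same (asset, CVE) pair across scanners."""
    merged = {}
    for raw in raw_findings:
        key = (raw["asset"].lower(), raw["cve"].upper())
        f = merged.get(key)
        if f is None:
            f = Finding(asset=key[0], cve=key[1], cvss=raw["cvss"],
                        internet_exposed=raw["internet_exposed"])
            merged[key] = f
        f.scanners.add(raw["scanner"])
        f.cvss = max(f.cvss, raw["cvss"])          # keep the worst score seen
        f.internet_exposed |= raw["internet_exposed"]
    return list(merged.values())


def enrich(findings, known_exploited, epss):
    """Attach threat-intelligence context to each deduplicated finding."""
    for f in findings:
        f.known_exploited = f.cve in known_exploited
        f.epss = epss.get(f.cve, 0.0)
    return findings


def triage(raw_findings, known_exploited=KNOWN_EXPLOITED, epss=EPSS):
    """Return deduplicated, enriched findings, highest priority first."""
    findings = enrich(dedupe(raw_findings), known_exploited, epss)
    return sorted(findings, key=Finding.priority, reverse=True)


if __name__ == "__main__":
    for f in triage(RAW_FINDINGS):
        print(f"{f.priority():6.2f}  {f.cve}  {f.asset}  kev={f.known_exploited} "
              f"epss={f.epss} scanners={sorted(f.scanners)}")
```

The point the ranking makes: an 8.1 that is actively exploited on an internet-facing VPN lands above a 9.8 that is not, and two scanner rows for the same host collapse into one item. That is the ordering a human triager applies, and the one a raw scanner export never shows.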
What Actually Worked
Let me give you real numbers, because vague claims are worthless.
Board Reports: 30 Seconds vs. 3 Days
Before: Assembling a quarterly board report meant three days of pulling data, building charts, writing narrative, and getting it reviewed. Three days that could have been spent on actual security work.
After: I tell the GRC agent what the board’s current concerns are (M&A activity, new regulation, recent industry breach — whatever’s in the news), and it produces a draft report in about 30 seconds. I spend another 30 minutes editing for tone and adding strategic commentary. Total time: under an hour, and the quality is better because I’m spending my time on insight rather than data assembly.
Vendor Assessments: 3 Hours vs. 3 Weeks
I mentioned this above, but it’s worth emphasising. When Telefónica needed vendor risk assessments for a batch of new suppliers, the agents processed the initial assessments in a fraction of the time it would have taken a human team. I reviewed and approved the outputs, flagged two vendors for deeper scrutiny, and the whole process took days instead of months.
24/7 Compliance Monitoring
Regulations don’t publish updates on a convenient schedule. The compliance agent monitors sources continuously and alerts me to relevant changes. It caught a BaFin guidance update at 2 AM on a Saturday that would have affected a client’s data processing setup. I had an impact analysis ready by Monday morning. Before the agents, that update would have sat in an RSS feed until someone got around to checking it.
Cross-Agent Intelligence
This is where the system becomes more than the sum of its parts. When the IR agent processes a security event, it automatically feeds relevant findings to the GRC agent to update the risk register. The compliance agent checks whether the event triggers any notification requirements. The policy agent flags if any policies need updating based on lessons learned.
No human coordinator needed. No meetings to “sync up.” No information falling through the cracks because someone forgot to CC the compliance team.
One example: a simulated phishing exercise revealed that a specific department had a 40% click rate. The IR agent logged the finding. The GRC agent automatically escalated the associated risk score. The policy agent flagged that our security awareness training policy required annual review — which was overdue. The compliance agent confirmed that our training records would satisfy the upcoming ISO 27001 surveillance audit.
That chain of events would have taken a human team a week of emails and meetings. The agents handled it in minutes.
Policy Q&A for Everyone
This seems small, but it might be the highest-impact change. Employees across our client organisations can now get instant, accurate answers to policy questions without waiting for the security team. “Can I use my personal phone for work email?” “What’s the process for reporting a suspected data breach?” “Do I need approval to share this document with an external partner?”
Previously, these questions either went unanswered (bad), got answered incorrectly by a well-meaning colleague (worse), or sat in the policy team’s queue for days (frustrating). Now they get answered in seconds, with citations, 24/7.
What Didn’t Work (The Honesty Section)
If everything I’ve said so far sounds too good to be true, good — you should be sceptical. Here’s where it went wrong.
AI Hallucination on Specific Control Numbers
Early on, the GRC agent confidently cited “ISO 27001 Control A.12.4.3” in a risk assessment. That control doesn’t exist in the current (2022) edition of the standard, whose Annex A is numbered A.5 through A.8; A.12.4.3 is a number from the superseded 2013 edition. Whether the model invented it or recalled it from the old edition, it had produced a plausible-sounding control reference that would have sailed past anyone who wasn’t intimately familiar with the standard.
This is the single scariest thing about AI in security. Left to itself, a model doesn’t say “I don’t know.” It says something wrong, or stale, with complete confidence.
We solved this by grounding every agent in verified data. Control libraries with exact numbering. Framework mappings from authoritative sources. The agents can only reference what’s actually in their knowledge base, and they’re instructed to say “I don’t have this information” rather than guess.
It’s not a perfect solution. It requires maintaining high-quality reference data. But it reduced hallucination on factual claims to near zero.
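One concrete form of that grounding, as an added example rather than the article's own code: a post-generation check that extracts every Annex A identifier from a draft and verifies it against the control library before the draft leaves the system. Instructing the model to say “I don’t have this information” constrains the prompt; this check constrains the output, and it fails closed on anything it cannot verify. The library here is a constructed, partial subset of the ISO/IEC 27001:2013 and 2022 Annex A numbering (A.12.4.3 is a 2013 number that does not appear in the 2022 edition), and the sample draft is constructed.

```python
"""Verify that every control an agent cites exists in the target framework edition.

Added example, not code from the article or its platform. The control
library below is a deliberately partial, constructed subset: a production
library must hold the complete Annex A of each edition it tracks.
"""
import re

CONTROL_LIBRARY = {
    # ISO/IEC 27001:2022 Annex A identifiers (subset only)
    "ISO27001:2022": {"A.5.1", "A.8.8", "A.8.15", "A.8.16"},
    # ISO/IEC 27001:2013 Annex A identifiers (subset only); superseded edition
    "ISO27001:2013": {"A.5.1.1", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.6.1"},
}
TARGET_EDITION = "ISO27001:2022"

# Matches Annex A identifiers such as A.8.15 or A.12.4.3 (two or three parts).
CITATION_RE = re.compile(r"\bA\.\d+(?:\.\d+){1,2}\b")

# Constructed agent output of the kind described in the text: one stale
# citation, two valid ones, and one that exists in no edition.
SAMPLE_DRAFT = (
    "Logging gaps map to ISO 27001 Control A.12.4.3 and A.8.15; patching is "
    "covered by A.8.8. Supplier monitoring falls under A.9.9.9."
)


def extract_citations(text):
    """All distinct Annex A identifiers mentioned in the draft."""
    return sorted(set(CITATION_RE.findall(text)))


def classify(control_id, target=TARGET_EDITION, library=CONTROL_LIBRARY):
    """Return 'valid', 'stale-edition:<edition>' or 'unknown'."""
    if control_id in library[target]:
        return "valid"
    stale = [ed for ed, ids in library.items() if ed != target and control_id in ids]
    if stale:
        return "stale-edition:" + ",".join(sorted(stale))
    return "unknown"


def verify_citations(draft, target=TARGET_EDITION, library=CONTROL_LIBRARY):
    """Map each cited identifier to its verification status."""
    return {cid: classify(cid, target, library) for cid in extract_citations(draft)}


def is_grounded(draft, target=TARGET_EDITION, library=CONTROL_LIBRARY):
    """Fail closed: a draft with any unverified citation must not be released."""
    report = verify_citations(draft, target, library)
    return all(status == "valid" for status in report.values())


if __name__ == "__main__":
    for cid, status in verify_citations(SAMPLE_DRAFT).items():
        print(f"{cid:10} {status}")
    print("release:", is_grounded(SAMPLE_DRAFT))
```

Distinguishing “stale edition” from “unknown” matters in practice: the first points at a model trained on the old numbering (fixable with an explicit edition in the retrieval context), the second at outright fabrication. Both block release; only the remediation differs.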
Clients Who Wanted a “Real Person”
Some clients — especially in the German enterprise market — were initially uncomfortable with the idea that AI agents were doing work traditionally done by consultants. “We’re paying for expertise, not a chatbot” was the polite version of the feedback.
This was a legitimate concern, and I handled it wrong at first. I tried to explain the technology. What I should have done — and eventually did — was focus on outcomes. “Your vendor risk assessment is done in three hours instead of three weeks, it’s more thorough, and a 20-year security veteran reviewed every finding. Does it matter how the first draft was produced?”
For most clients, the answer was no. For a few, it took longer to build trust. One client asked to see the agent’s work alongside a traditional assessment for comparison. The agent’s version caught three issues the traditional process missed. That was the end of the debate.
Human Oversight Is Non-Negotiable
There are decisions that AI agents cannot and should not make:
- Whether to notify a regulator about a potential breach
- How to communicate a security incident to the board
- Whether a vendor’s risk is acceptable given the specific business relationship
- When to deviate from policy because the situation demands it
- How to handle a finding that has political implications within the organisation
These are judgment calls that require experience, context, and sometimes courage. No agent has that. I review every critical output. I make every significant decision. The agents do the preparation; I do the thinking.
If you take nothing else from this article: running AI agents without human oversight in security is malpractice. Full stop.
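A minimal enforcement of that rule, as an added example (not the platform's own code): an approval gate that lets agents execute preparatory actions on their own, routes every decision on the list above to a human, treats any action kind it does not recognise as human-only, and refuses approvals that come from an agent or that do not match the action they claim to approve. Every decision is written to an audit record. The action kinds, principal names and approval format are assumptions made for illustration.

```python
"""Fail-closed approval gate for agent-proposed actions.

Added example, not code from the article or its platform. Action kinds,
principals and the approval record are assumptions made for illustration.
"""
from dataclasses import dataclass

# Preparation the agents may do unattended.
AUTO_ALLOWED = {"update_risk_register", "draft_board_summary",
                "collect_evidence", "flag_policy_for_review"}

# Decisions reserved for a human (the list from the text, as action kinds).
HUMAN_ONLY = {"notify_regulator", "communicate_incident_to_board",
              "accept_vendor_risk", "deviate_from_policy"}


@dataclass(frozen=True)
class Action:
    action_id: str
    kind: str
    requested_by: str    # agent principal, e.g. "agent:ir"


@dataclass(frozen=True)
class Approval:
    action_id: str
    approver: str        # human principal, e.g. "human:ciso"
    decision: str        # "approve" or "reject"


AUDIT_LOG = []


def requires_human(kind):
    """Deny by default: only explicitly listed preparatory kinds run unattended.

    Anything in HUMAN_ONLY, and anything the gate has never heard of, needs
    a human decision.
    """
    return kind in HUMAN_ONLY or kind not in AUTO_ALLOWED


def authorize(action, approval=None, humans=frozenset()):
    """Return (allowed, reason) and append an audit record for every call."""
    if not requires_human(action.kind):
        allowed, reason = True, "auto-allowed preparatory action"
    elif approval is None:
        allowed, reason = False, "human approval required"
    elif approval.action_id != action.action_id:
        allowed, reason = False, "approval does not match this action"
    elif approval.approver not in humans or approval.approver == action.requested_by:
        allowed, reason = False, "approver must be a human distinct from the requester"
    elif approval.decision != "approve":
        allowed, reason = False, "rejected by approver"
    else:
        allowed, reason = True, f"approved by {approval.approver}"
    AUDIT_LOG.append({"action": action.action_id, "kind": action.kind,
                      "requested_by": action.requested_by,
                      "allowed": allowed, "reason": reason})
    return allowed, reason


if __name__ == "__main__":
    humans = frozenset({"human:ciso"})
    print(authorize(Action("a1", "update_risk_register", "agent:grc"), humans=humans))
    print(authorize(Action("a2", "notify_regulator", "agent:compliance"), humans=humans))
    print(authorize(Action("a2", "notify_regulator", "agent:compliance"),
                    Approval("a2", "human:ciso", "approve"), humans))
    print(authorize(Action("a3", "delete_evidence", "agent:ir"), humans=humans))
```

The two checks that do the real work are the unknown-kind case (a new tool the agent learns to call is blocked until someone adds it to the allow list) and the approver identity check (an agent cannot approve itself, and an approval for one action cannot be replayed against another).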
You Can’t Automate Relationships
Security is a people business. When a client’s CISO calls at 7 PM because they’re worried about a threat they saw in the news, they don’t want to talk to an agent. They want to talk to someone who understands their business, their risk appetite, and their board dynamics. That’s still me. That will always be a human.
The Numbers
Let me lay this out plainly.
Before (traditional 6-person team):
- Annual cost: €600,000 - €900,000
- Capacity: Limited to business hours, human throughput
- Response time: Hours to days for routine requests
- Coverage: Gaps during holidays, sick leave, turnover
After (AI agent platform + senior human oversight):
- Annual platform cost: A fraction of the traditional team cost
- Capacity: 24/7, parallel processing across all functions
- Response time: Seconds to minutes for routine requests
- Coverage: Continuous, no gaps
Time savings by function:
- Audit preparation: 70% reduction
- Policy Q&A: 90% reduction in response time
- Vendor questionnaires: 80% reduction in processing time
- Board reporting: 85% reduction in preparation time
- Risk register maintenance: 75% reduction in manual effort
But — and this is important — I’m still here. One senior person providing oversight, making judgment calls, maintaining client relationships, and handling the 40% that requires genuine human expertise. The agents didn’t eliminate the need for a human. They eliminated the need for six humans doing work that five of them would rather not be doing.
The real math isn’t “AI replaces people.” It’s:
One senior person + AI agents > Six junior-to-mid people.
Not because the senior person is six times better. Because they’re freed from the 60% of mechanical work that was preventing them from being strategic.
What This Means for CISOs
If you’re a CISO reading this, I’m not telling you to fire your team. Please don’t fire your team.
I’m telling you to 10x them.
Here’s what the future CISO org chart looks like:
Old model: CISO → 6-15 people across GRC, policy, compliance, vendor risk, IR, AppSec, each spending most of their time on structured, repeatable tasks.
New model: CISO → 2-3 senior people providing oversight and strategic direction + AI agents handling execution across all functions, 24/7, with full cross-domain intelligence sharing.
The senior people become better at their jobs because they’re not drowning in grunt work. They review agent outputs instead of producing first drafts. They make decisions instead of collecting data. They think strategically instead of fighting fires.
Your GRC lead stops spending three days on board reports and starts spending three days on actually improving your security posture. Your compliance officer stops manually tracking regulatory changes and starts building relationships with regulators. Your vendor risk team stops processing questionnaires and starts having meaningful conversations with critical vendors about their actual security practices.
The agents handle the floor. The humans handle the ceiling.
Three Things to Do This Quarter
If this resonates, here’s where to start:
- Audit your team’s time. Have each person track their tasks for two weeks. Categorise each task as “requires human judgment” or “structured/repeatable.” I guarantee the split will shock you.
- Start with one function. Don’t try to transform everything at once. Pick the function with the highest ratio of mechanical work — vendor risk and policy Q&A are usually the easiest wins.
- Keep your best people. The goal isn’t headcount reduction. It’s capability multiplication. Your senior people are about to become dramatically more valuable. Make sure they know that.
The Uncomfortable Truth
I’ve been in cybersecurity for over twenty years. I’ve seen the industry go through waves of automation anxiety — SIEMs were going to replace SOC analysts, SOAR was going to replace incident responders, cloud was going to replace infrastructure teams.
None of those predictions came true. But this time is different.
Not because AI agents are going to replace security professionals. They’re not. But because the gap between organisations that use AI agents effectively and those that don’t is going to become a chasm.
The CISO with AI agents will respond to board questions in real-time, complete vendor assessments in hours, maintain continuous compliance, and free their team to do genuinely strategic work.
The CISO without them will still be waiting three days for a board report, three weeks for a vendor assessment, and wondering why their best people keep leaving for organisations that don’t make them do mind-numbing manual work.
I know which side I’d rather be on. I built the platform because I wanted to be on that side myself — and because I believe every CISO deserves to be there too.
See It for Yourself
I didn’t write this article to impress you with theory. Everything I’ve described is running — right now — on our platform. The same agents that handle our operations are available to yours.
Want to see what this looks like for your organisation?
Book a demo — we’ll run your actual security scenario through the platform. Not a canned presentation. Not a slide deck. Your data, your frameworks, your questions. Thirty minutes, and you’ll know whether this is real.
Because it is. And the CISOs who figure that out first will have an advantage that compounds every single day.
Need help with this?
We help enterprise security teams implement what you just read — from strategy through AI-powered automation. First strategy session is free.