Autonomy Isn't a Switch. It's a Spectrum

Monday Security Memo

Intellectual Firepower for Professionals

Autonomy Isn't a Switch. It's a Spectrum

“Everything in war is very simple, but the simplest thing is difficult."

— Carl von Clausewitz

Dear A,

I just returned from a weeklong conference on Clearwater Beach called Utilities Unite, focused on critical infrastructure protection and hosted by the global security integration firm Convergint. Over the course of the week, I had the opportunity to deliver a keynote titled How to Think Like a Spy, participate on a panel, and lead a hands-on workshop on the CARVER Methodology. While the sessions covered a wide range of emerging threats and technologies, one theme consistently rose to the surface: the future of critical infrastructure protection will be defined by how well we understand and manage the autonomy of Artificial Intelligence (AI).

AI is undeniably the future of security, just as it is becoming the backbone of nearly every other industry. That said, we need to temper our enthusiasm and manage expectations as we move toward faster and more automated decision-making. Speed without structure introduces risk, especially when lives and critical systems are involved.

To understand where we are headed, it helps to break autonomy into three broad categories. At one end of the spectrum is human-in-the-loop decision-making. In this model, AI supports the process by analyzing data, identifying patterns, and recommending courses of action, but a human still makes the final decision before anything occurs. This remains the standard for most strategic and operational decisions. It preserves judgment, accountability, and context, but it also exposes a fundamental limitation: humans are slow compared to machines.

Further along the spectrum are human-on-the-loop systems. Here, humans are no longer approving every individual action. Instead, they define intent, rules, and boundaries in advance, allowing systems to act within those constraints while humans monitor performance and retain override authority. This model is increasingly common in air defense, counter-drone operations, cyber response, and electronic warfare, where reaction times are measured in seconds or milliseconds rather than minutes.

At the far end is human-out-of-the-loop autonomy. These systems detect, decide, and act without real-time human intervention. While this sounds unsettling, such systems are typically narrow, tightly constrained, and pre-authorized. The most consequential decisions have already been made by humans long before the system activates. What changes is not responsibility, but timing.

CARVER+ ARES (AI Risk Evaluation and Simulation) uses a trained AI agent to conduct threat and vulnerability assessments of critical infrastructure simply by viewing images... cutting down assessment times and offering numeric scoring, observations/recommendations, and "red team" simulations that may have not been considered by the human assessment team.

We are seeing this same evolution in the private sector. In our own work, we have moved into AI-enabled assessments through CARVER+ ARES, our AI Risk Evaluation and Simulation software. Where assessments once relied solely on manual data entry, today an AI agent can analyze imagery or video to identify threats, highlight vulnerabilities, and explore mitigation strategies. It can also simulate how adversaries might exploit those weaknesses, helping assessors think beyond their own assumptions.

Autonomy is not about surrendering authority. It is about understanding where humans must decide, where machines must act, and how to manage the space in between. The future battlefield - and the future of critical infrastructure protection - will belong to those who understand the spectrum and plan accordingly.

Stay safe and vigilant!

Luke Bencie