Cybersecurity, Data, and Design

Heath Nieddu Phd(c), CISSP, MBA, GCIH

Observability in AI Security: Learning from the Failures of Security Metrics

by | May 8, 2026 | AI, Cyber Security, Management of Information Systems

For years, cybersecurity has struggled to measure performance, risk, and return on investment. Security teams built dashboards, defined KPIs, and attempted to quantify risk, often with increasing sophistication. Yet many of these efforts failed to produce meaningful clarity. Metrics became disconnected from decision-making, overly precise yet inaccurate, a moving target whose definitions changed faster than trends could form, or too abstract to influence action. In many cases, measurement systems were built around what could easily be collected rather than what needed to be understood. In others, metrics programs spent their effort answering urgent one-off information requests and never accumulated the trends, context, and confidence that only come from consistent measurement over time.

As organizations begin adopting AI-enabled security capabilities, there is a risk of repeating these same mistakes. The challenge is not simply measuring AI systems but observing them in a way that supports real understanding and control.

From Measurement to Observability

AI implementations demand a different type of operational intelligence. Traditional security metrics focus on summarization. Measures such as the number of open vulnerabilities, mean time to respond, and control coverage, aggregated into composite scores, offer a useful but limited window into operations. These composites describe outcomes without explaining the underlying system behavior. Observability, by contrast, is concerned with how systems behave, why they behave that way, and how that behavior changes over time. In the context of AI, this distinction becomes critical.

AI systems are not deterministic. They are probabilistic, adaptive, and often opaque, and they require a broader governance perspective. Attempting to measure them with traditional, static KPIs risks creating the illusion of control without the reality. Instead, organizations need to shift toward observability models that emphasize traceability of inputs and outputs, visibility into decision pathways, monitoring of drift and performance over time, and contextual understanding of how the AI component interacts with the surrounding systems.

The Illusion of Precision

One of the most persistent pitfalls in security measurement has been the pursuit of precision. Risk quantification efforts, for example, often attempt to assign dollar values or probabilities to inherently uncertain events. While these models can be useful in certain contexts, they frequently rely on assumptions that are difficult to validate. The result can be outputs with “false precision,” numbers that appear authoritative but may not meaningfully improve decision-making due to underlying assumptions.

To be fair, the failure of security metrics has not been purely technical. Metrics did not consistently lead to better decisions, not only because they lacked context, but because decision accountability remained human and organizational. In many cases, leaders were presented with sufficient signal but were unwilling or unable to act on it due to competing priorities, risk tolerance, or unclear ownership. Metrics alone cannot resolve this. They can inform decisions, but they cannot substitute for them.

AI information systems introduce similar risks. It is tempting to define model accuracy scores, detection rates, and confidence thresholds as definitive indicators of system performance. However, these metrics can obscure important realities, such as how models behave under edge conditions, how downstream systems interpret outputs, and how human operators interact with AI-driven recommendations. Without observability, these blind spots remain hidden.

Designing for Observability

To avoid repeating past mistakes, observability must be designed into AI-enabled security systems from the outset. Designing for observability requires:

  1. Instrumentation across the stack
    Logging, metrics, and traces should capture not only system performance but also decision context. A cybersecurity professional needs to know what inputs were used, what transformations occurred, what outputs were produced, and what action was taken on them.
  2. Layered visibility
    Observability should extend beyond the model itself to the layers under a security team's control, such as:
  • data pipelines
  • prompt and inference layers
  • orchestration and memory systems
  • human interaction points
  3. Feedback loops
    Systems should enable continuous evaluation and adjustment, allowing organizations to detect drift, misalignment, or unintended consequences early.
  4. Decision alignment
    Observability outputs must connect to real decisions. This requires a realistic assessment of which layers in the technology stack are actually under the team's control. Observability must then tell cybersecurity professionals when to trust the system, when to intervene, and how to adjust controls.

Control Through Understanding

Ultimately, observability is not about collecting more data but about enabling control over an information system whose core model most likely sits outside the oversight of the security team. In traditional systems, control is achieved through deterministic rules and constraints. In AI systems, where internal behavior is less transparent, control must be achieved through external visibility and structured interpretation. This shift in mindset means moving from asking "What is the exact value of risk?" to "Do we understand how this system behaves, and can we respond appropriately when it changes?"

Conclusion

AI will not eliminate the need for measurement in cybersecurity, but it will require us to rethink what measurement means and where we want to spend our time. If the past decade of security metrics has taught us anything, it is that precision without understanding is not enough. Nor will observability eliminate the need to make hard decisions: it improves transparency, but accountable decision-making still has to follow. Without that, even the most advanced systems will struggle to produce meaningful outcomes. What observability does offer is a path forward, not by simplifying complexity but by making it transparent. In complex systems, transparency is not a luxury but the foundation of trust.