A little context first
My day job is Director of IT Security and Compliance at a mid-sized distribution company. That means my week involves a mix of things that sound exciting (incident response, threat analysis, security architecture) and things that sound exactly as tedious as they are (policy documentation, compliance evidence, vendor questionnaires, status reports for leadership). I also do consulting work on the side, helping small and mid-sized businesses figure out how AI fits into their operations.
I have been using AI tools heavily for the better part of two years. Not casually, as in, I have thought about how I use them, tested different approaches, and adjusted based on what actually works. What follows is an honest account of where AI has genuinely made my work better and where it has mostly just been noise.
The thing I use AI for most: writing that has to be professional
If I had to name the single highest-return use of AI in my day, it is drafting communications that need to land a certain way. Security communications are a particular kind of hard. You are often delivering news that no one wants to hear: a phishing incident, a policy change, a compliance requirement, a breach notification, to an audience that ranges from technical staff to executives to employees who just want to know if they need to change their password.
Getting the tone right, the reading level right, and the information right all at the same time is genuinely difficult. AI does not do it perfectly, but it gets me to a solid first draft in about three minutes instead of thirty. I give it the context: what happened, who the audience is, what action I need them to take, what they should not panic about, and it produces something I can actually work from. I edit it. I own it. But I am editing, not staring at a blank screen.
The same goes for executive summaries, board-level briefings, vendor escalation emails, and anything where the stakes of sounding unclear are higher than usual. AI has made me a more consistent communicator, not because it writes better than I do, but because it gives me something to react to instead of something to create from nothing.
The second thing: policy and documentation work
Writing security policies is important work. It is also, I will be honest with you, not always the most riveting way to spend an afternoon. A good policy has to be accurate, thorough, readable, and defensible in an audit. That is four competing requirements, and they do not all pull in the same direction.
AI has become my first draft partner for policies, procedures, and compliance documentation. I describe what the control needs to accomplish, what framework we are aligning to, and what exceptions exist in our environment. It produces a draft that gets me 60–70% of the way to a finished document. The remaining 30–40% is all me: the organization-specific details, the exceptions that only make sense if you know our environment, the language that has to survive legal review. But that first 60% used to take most of an afternoon. Now it takes twenty minutes.
One thing I have learned: the more context you give, the better the output. A vague prompt gets a generic policy. A prompt that says “we are a 400-person distribution company with three Microsoft tenants, we are aligning to ISO 27001, and our biggest risk is third-party vendor access” gets something I can actually use.
The third thing: research and getting up to speed fast
Cybersecurity moves fast. New threat actors, new attack techniques, new compliance requirements, new tools that claim to solve problems the old tools were allegedly solving already. Staying current is a real job in itself.
AI has become my go-to for getting oriented quickly when I encounter something new. Not as a replacement for real research: I still read primary sources and I still verify anything that matters, but as a starting point. I can ask it to explain a new framework, summarize a regulatory update, or break down how a particular attack technique works, and in five minutes I have enough context to have an intelligent conversation about it or decide whether it warrants deeper investigation.
The key word there is “oriented.” AI gets me oriented. It does not make me an expert, and I do not treat it like it does. On anything high-stakes: an active incident, a regulatory decision, a vendor security assessment, I am going to primary sources and talking to people who know the material deeply. AI is the first conversation, not the last one.
The fourth thing: the spreadsheet and data work nobody talks about
This one surprises people. A big part of security and compliance work involves wrangling data: employee lists, audit logs, training completion reports, vendor inventories, incident tracking. Not advanced data science. Just the kind of spreadsheet work that takes forever when you are doing it manually and goes much faster when you have help.
AI has become my thinking partner for this kind of work. When I need to figure out how to structure a spreadsheet, write a formula I have not used before, or build a logic model for categorizing data, I describe what I am trying to do and ask for help. It saves me the twenty-minute stack overflow rabbit hole and usually gives me something workable in about sixty seconds. I still understand what I am building. I am just not doing it alone.
What I do not use AI for
This part matters as much as everything above.
I do not use AI to make security decisions. If I am assessing a risk, evaluating a vendor, or making a call about how to respond to an incident, that decision belongs to me. AI can help me think through the options. It can help me document my reasoning. It does not get a vote.
I do not paste sensitive data into AI tools without thinking carefully about it first. There are business-grade tools with appropriate data handling agreements, and there are free consumer tools that may use your input to improve their model. I know which is which, and I use them accordingly. Anything with customer data, employee data, or anything under NDA does not go into a consumer-tier free tool. Full stop.
I do not let AI-generated content go out without reading it. Every email, every policy, every report that has AI involvement gets read by a human before it goes anywhere. AI makes things that look authoritative. Looking authoritative is not the same as being correct, and I am the one who has to stand behind everything that leaves my keyboard.
The thing that surprised me most
I expected AI to save me time on writing. That happened, and it was nice.
What I did not expect was how much it would help with the hard conversations. When you work in security, you sometimes have to tell a senior leader something they really do not want to hear. That a vendor they like is a liability. That an incident was more serious than the initial report suggested. That a policy everyone has been ignoring actually needs to be enforced now.
I have started using AI to help me prepare for those conversations. Not to write a script, scripted conversations rarely go well, but to think through the likely objections, stress-test my own reasoning, and make sure I can articulate the “so what” clearly before I walk into the room. It is like having a sparring partner who will push back on your weakest arguments without bruising your ego about it.
That use case does not show up in the AI highlight reels. It is also, genuinely, one of the most valuable things I do with these tools.
What this looks like if you are not in security
The specifics of my job are different from yours. But the pattern is probably pretty similar. You have communications that need to land a certain way. You have documentation that is important but not your favorite way to spend three hours. You have things you need to get up to speed on quickly. You have data you need to make sense of. And you have hard conversations you could stand to prepare for better.
AI is useful in all of those places, for all kinds of jobs. The specific applications vary. The underlying pattern does not.
The people getting the most out of AI right now are not the ones using the fanciest tools. They are the ones who figured out two or three places in their actual day where AI genuinely helps, and they do those things consistently. Width is a distraction. Depth is where the value lives.
Where to start if this resonates
Pick one thing from your week that is taking longer than it should. Something you dread a little because it requires effort that feels disproportionate to the output. Draft an email. Build a template. Write the summary of a meeting that nobody wants to write.
Try doing that thing with AI this week. Give it real context, not just “write me an email” but “write me an email to my manager explaining that this project is going to miss its deadline by two weeks, here is why, and here is what we are doing about it.” Read what comes back. Fix what does not sound like you. Send it.
Then notice whether that felt different. For most people, it does. And “different” is usually the beginning of “I cannot imagine going back.”
This is post two of a two-year series on AI for real people doing real work. Post one covers what AI actually is and where it falls short: worth reading if you are just getting started. Next month: the five AI tools worth trying before you spend a dime. Questions or something specific you want me to cover? Send a note.
