Next Article in Journal
How Can High-Tech Manufacturing Achieve High Total Factor Productivity? A Dynamic QCA Under the TOE Framework
Previous Article in Journal
A Systems-Based Model of Platform-Enabled Freight Orchestration for Cross-Border E-Commerce Fulfillment
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Systems
Volume 14
Issue 5
10.3390/systems14050573
systems-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Rethinking Vulnerability Management: How AI and Automation Reshape Organizational Routines and Supports Adaptive Cybersecurity Systems †

by
Mehdi Saadallah
,
Abbas Shahim
* and
Svetlana Khapova
Department of Management & Organisation, School of Business and Economics (SBE), Vrije Universiteit Amsterdam, 1081 HV Amsterdam, The Netherlands
*
Author to whom correspondence should be addressed.
This paper is an extended version of our paper published in the Proceedings of the 39th IFIP International Conference, SEC 2024, Edinburgh, UK, 12–14 June 2024.
Systems 2026, 14(5), 573; https://doi.org/10.3390/systems14050573
Submission received: 1 April 2026 / Revised: 8 May 2026 / Accepted: 14 May 2026 / Published: 18 May 2026
(This article belongs to the Section Complex Systems and Cybernetics)
Browse Figures
Versions Notes

Abstract

Vulnerability management (VM) is becoming increasingly important as organizations face growing cybersecurity threats. This study examines how organizations adapt their vulnerability management routines in response to evolving vulnerability signals through the integration of artificial intelligence (AI) and automation. Drawing on data from an international fast-moving consumer goods (FMCG) company, we investigate how human expertise and AI interact across the full VM process, from triage to remediation. Using Organizational Routine Theory (ORT), we show that AI does not simply automate tasks but acts as a co-performer, influencing how decisions are made, work is coordinated, and actions are adapted. We develop a three-phase model capturing (1) the integration of AI-enabled automation into strained routines, (2) the manifestation of tensions between human expertise and automation as well as between usability and system complexity, and (3) the stabilization of hybrid routines through iterative adaptation and feedback loops. We identify two key tensions in this process: technology versus human expertise, and usability versus the complexity of multi-vendor tools. These tensions create frictions in practice but also open opportunities for learning and improvement. Rather than treating AI as a technical tool, our findings highlight its role as an active routine participant. Importantly, we show that routine evolution enables organizations to improve how vulnerability signals are interpreted and acted upon, thereby supporting more coordinated and adaptive cybersecurity practices. This has both theoretical implications for understanding how routines evolve with technology and practical relevance for improving adaptive cybersecurity practices. By linking micro-level routine dynamics to broader organizational outcomes, this study contributes to explaining how organizations sustain stable and adaptive operations under conditions of continuous cyber threat exposure.

1. Introduction

Vulnerability management (VM) is traditionally seen as a technical process for identifying, prioritizing, and remediating weaknesses in digital infrastructure [1]. Organizations of all sizes and sectors are increasingly reliant on digital infrastructures, making them susceptible to various cyber threats [2,3]. From a broader perspective, organizations can be understood as socio-technical systems whose stability depends on their ability to manage and respond to such threats over time [4]. In this context, vulnerability management does not only represent an operational process, but a critical function contributing to the overall viability of the organization. Traditionally, cybersecurity [5] researchers, professionals, IT administrators, policymakers, and even end-users have a vested interest in improving and optimizing the VM process [6,7]. The existing literature explores both human-driven and technology-led approaches to VM. Some studies highlight the benefits of automation and artificial intelligence (AI), emphasizing improvements in speed, scalability, and consistency of vulnerability management processes [8,9]. Recent research further demonstrates AI’s ability to quickly detect patterns and anomalies that might elude human analysis alone [10]. Others stress the continued importance of human expertise in interpreting and acting on threat data, pointing out that automated systems alone often lack the contextual understanding required to accurately judge nuanced threats [4,11]. Recent work therefore shows two important developments. On the one hand, AI-enabled automation can accelerate detection, scoring, and prioritization. On the other hand, human expertise remains necessary when vulnerability data are incomplete, when remediation affects critical business services, or when accountability cannot be delegated to a tool [12,13,14]. However, while we know a great deal about the theoretical benefits and limitations of AI-enabled tools, we know much less about how organizations integrate AI and human judgment dynamically across entire VM routines, from detection to remediation. More importantly, the existing research tends to treat vulnerabilities as isolated technical issues, rather than as manifestations of broader systemic conditions that reflect how well an organization can anticipate, absorb, and respond to disruptions. These are the key concerns of this paper. To address this gap, we ask “How does the organizational integration of AI and automation reshape vulnerability management routines in practice?” This question focuses on how routines evolve over time, and how the introduction of AI and automation changes the relationship between what organizations plan to do (ostensive routines) and what they actually do (performative routines). In particular, we examine how AI-enabled automation influences interactions among actors, modifies decision-making dynamics, and reshapes established accountability structures within these routines. By doing so, we also explore how these routine transformations contribute to the organization’s capacity to maintain stable and secure operations, thereby linking routine dynamics to broader system-level viability.
Our study uses a qualitative, process-based approach grounded in the Gioia methodology [15]. We draw on 32 interview interactions with 22 participants in a leading fast-moving consumer goods organization, including strategic, managerial, operational, and specialist roles. Interviewees represented a diverse set of perspectives, encompassing strategic decision-making, operational oversight, and frontline execution roles. This breadth allowed us to gain comprehensive insights into routine adaptation across organizational levels. The organization had recently begun automating routine tasks and was exploring the use of AI for prioritization and decision-making. This provided a rich context to examine not only how current routines function, but also how they are being redefined.
To explain the findings, we draw on Organizational Routine Theory [16]. ORT is appropriate for this study because it explains how formal procedures, actual work practices, and technological artifacts interact over time. Within this study, routines are further interpreted as mechanisms through which organizations regulate their responses to vulnerabilities, thereby contributing to system coherence and continuity over time. This theoretical lens allows us to examine AI-enabled automation not only as a technical tool, but as an artifact that participates in the enactment and adaptation of VM routines.
This paper makes several distinct contributions to the literature on AI-enabled automated cybersecurity practices. First, it provides an in-depth empirical account of how VM routines adapt to AI integration. While existing research has predominantly explored AI’s potential from theoretical or isolated technical standpoints, this paper offers a grounded analysis of real-world organizational practices, capturing how actors dynamically interact with and adjust to AI in everyday VM operations. Second, the paper develops a three-phase model explaining routine evolution, highlighting the emergence of hybrid routines. Existing studies typically focus either on the initial implementation of automation or the final outcomes. In contrast, we offer a comprehensive, phase-by-phase account of how tensions arise, persist, and are gradually reconciled through feedback and recalibration, demonstrating the iterative nature of routine adaptation under AI influence. Third, the paper conceptualizes AI-enabled automation as a dynamic co-performer in VM routines. This means that AI does not simply support or replace human actors. It shapes prioritization, validation, coordination, and feedback processes while remaining dependent on human contextualization and accountability. Finally, the study extends ORT by showing how routines stabilize under AI-enabled conditions not by eliminating tensions, but by accommodating them through hybrid human and AI coordination. In addition, by situating these dynamics within a broader system perspective, the study contributes to understanding how AI-enabled routines support or challenge the organization’s ability to remain viable under evolving threat conditions, thereby connecting micro-level routine adaptation with macro-level system stability.
This paper continues with a brief overview of related AI and human roles research and introduces organizational routine theoretical foundations. Then, after explaining our methodology, we provide an in-depth analysis of our empirical findings describing two tensions: (1) between AI and human expertise, and (2) between usability and complexity in multi-vendor systems. Building on these findings, we propose a conceptual model of how hybrid routines evolve. Finally, we discuss contributions for both research and practice and suggest directions for future work.

2. Theoretical Background

2.1. AI-Enabled Automation and Vulnerability Management Routines

Existing cybersecurity research often treats technological advancements, such as AI and automation, as distinct from human elements [8,17]. This separation limits our understanding of how technology and human expertise interact in practice. Although AI’s predictive capabilities and automation’s operational speed are well-documented, their joint influence on everyday work routines is less understood. From a broader perspective, this separation also obscures how these interactions contribute to the functioning of the organization as a system, where human and technological elements jointly shape the ability to respond to evolving threats. Organizations can be understood as adaptive systems that must continuously respond to environmental disturbances in order to maintain stability [18].
Studies such as those presented in Springer and IEEE Xplore stress the need to consider both individual and organizational factors when examining cybersecurity [17,19]. However, these works tend to present AI and automation as technical tools, rather than as active participants in organizational life [20]. They focus on system-level capabilities such as prioritizing vulnerabilities or accelerating responses without analyzing how these tools shape the flow of decisions and actions across time [21]. As a result, vulnerabilities are often framed as isolated technical deficiencies, rather than as indicators of deeper systemic misalignments between processes, technologies, and human actors.
The role of AI and automation in VM is often reduced to isolated steps, such as scoring or scanning [22]. Few studies explore how these technologies influence the routine as a whole. Ethical concerns, particularly about accountability in AI-driven decisions, are often discussed in theory but not in the context of daily cybersecurity operations [23]. For example, recent studies highlight AI’s capacity for anomaly detection and rapid threat identification [10], but they rarely address how analysts interact with AI outputs or how AI reshapes established processes over extended periods. Consequently, the literature provides limited insight into how organizations maintain coherence and continuity in their cybersecurity practices when integrating AI-enabled automation into existing routines.
This gap is important because vulnerability management is not only a technical activity [1]. It is also an organizational routine that requires interpretation, prioritization, coordination, and follow-up across multiple actors. A vulnerability signal only becomes actionable when it is connected to asset criticality, business context, remediation capacity, ownership, and operational constraints. Therefore, the central issue is not only whether AI can detect or score vulnerabilities, but how AI-generated outputs become embedded in the everyday routines through which organizations decide what to remediate, when to act, and who remains accountable.

2.2. Organizational Routine Theory as a Lens for Human–AI Routine Adaptation

In Information Systems (IS) research, organizational routine theory (ORT) has frequently been utilized to investigate how technology reshapes organizational practices. Feldman and Pentland introduced ORT to explain organizational behavior through repetitive yet adaptable patterns of actions involving multiple actors [16]. Early studies emphasized routines as providing structure, coordination, and stability in information-rich environments [24,25]. More recent work has examined the impact of digital systems like enterprise platforms or algorithmic tools on routine dynamics. For instance, Berente [26] demonstrated how digital artifacts often decouple intended (ostensive) routines from actual enactments, while Rossi [27] explored how distributed agency and frontline improvisation emerge when digital tools are adopted. Extending this trend, Mahringer [13] examined how AI promotes both change and stability in organizational routines through dual mechanisms of automation and augmentation showing that these mechanisms can coexist within the same routine. Other studies also show that digital technologies can decouple ostensive and performative aspects of routines, leading to endogenous adaptation when actors adjust their practices around new technological artifacts [26,28]. These studies consistently treat routines as situated accomplishments that evolve through feedback loops involving human actors, digital artifacts, and organizational norms. Importantly, this perspective allows routines to be interpreted as mechanisms through which organizations regulate their activities and sustain operational stability over time. Yet, a key gap remains: few studies have examined AI-enabled automation specifically as a co-performer, actively shaping routine evolution beyond simple efficiency gains. Moreover, limited attention has been given to how these evolving routines contribute to the organization’s broader capacity to manage vulnerability as a systemic condition, rather than as a collection of discrete technical issues. This perspective aligns with prior work on organizational viability, which emphasizes the importance of sustaining adaptive responses under conditions of complexity [29,30].
This study uses ORT to understand how AI and automation reshape vulnerability management in real-world settings. ORT is useful because it moves the analysis beyond formal procedures and examines how people, tools, and organizational expectations interact to shape how work is actually performed over time. In this sense, routines can also be understood as mechanisms through which organizations continuously interpret, coordinate, and respond to disruptions, thereby contributing to the stability of the broader organizational system.
Within this paper, ORT is particularly relevant because vulnerability management routines must remain stable enough to support reliable remediation, yet flexible enough to respond to changing vulnerabilities, tools, and operational constraints. Such feedback processes are especially critical in cybersecurity contexts, where routines must continuously adjust to emerging threats, changing asset landscapes, tool limitations, and evolving remediation priorities.
Consistent with this performative perspective on routines, we adopt Feldman and Pentland’s [16] definition of routine as “a repetitive, recognizable pattern of interdependent actions involving multiple actors.” This definition, widely used in IS literature, highlights both the stability and the flexibility of routines. It also allows us to investigate how routines dynamically evolve when confronted with technological change, such as the integration of AI-enabled automation. Within this study, this definition also enables us to examine how routines contribute to maintaining coherence between intended processes and actual practices, particularly under conditions of uncertainty and disruption.
According to Feldman and Pentland [16], routines consist of three key elements (see Table 1): the ostensive aspect (how work is supposed to happen), the performative aspect (how it actually happens in practice), and the artifacts (the tools that mediate or influence both). Together, these elements provide a lens to understand how organizations process signals related to vulnerabilities and translate them into coordinated action.
The framework is useful for this study for three reasons. First, it clarifies the gap between formal vulnerability management procedures and actual remediation practices. Second, it explains how AI-enabled artifacts, such as scoring engines, dashboards, and ticketing systems, influence how analysts interpret and act on vulnerability signals. Third, it helps explain how repeated human–AI interactions can stabilize into new hybrid routines over time. The framework therefore supports both the empirical analysis of vulnerability management practices and the theory-building aim of explaining AI as a dynamic co-performer in routine evolution.
This framework is well-suited for cybersecurity, where tasks like identifying, prioritizing, and remediating vulnerabilities are carried out by both humans and technologies. When AI and automation are introduced, routines shift; not just by speeding up tasks, but by changing how decisions are made, how responsibilities are divided, and how work is coordinated. From this perspective, vulnerability management routines can be understood as ongoing regulatory mechanisms that enable organizations to detect, interpret, and respond to threats, thereby supporting the continuity and viability of their operations over time.

2.3. Positioning This Study and Theory-Building Contribution

To address these identified gaps, this study takes a different approach. First, we examine how AI and automation are embedded in the full routine of vulnerability management, from triage to remediation. Second, we shift attention from what the technology can do to how it is used in practice. Finally, we use organizational routine theory (ORT) to show that AI is not just an efficiency tool, it acts as a co-performer, shaping how routines unfold, adapt, and stabilize through real-world interactions. By doing so, we position vulnerability management routines as key mechanisms through which organizations interpret threats, coordinate responses, and sustain their operational viability in dynamic environments.
The uniqueness of this study lies in its integration of four areas that are often treated separately: vulnerability management, AI-enabled automation, human expertise, and organizational routine theory. The paper contributes to theory building by showing how AI-enabled automation becomes part of routine enactment rather than remaining an external technical support. It also shows that the integration of AI does not remove human expertise from vulnerability management. Instead, it changes the form of expertise required, as analysts must validate, contextualize, challenge, and refine AI-generated outputs. This allows us to extend ORT by conceptualizing AI as a dynamic co-performer that participates in both the disruption and stabilization of organizational routines.
This theoretical positioning also clarifies the contribution of the paper to cybersecurity management. Rather than treating vulnerability management as a sequence of technical tasks, the study frames it as a routine-based organizational capability. This capability depends on the repeated alignment of formal procedures, human judgment, technological artifacts, and feedback loops. In doing so, the study explains how organizations can sustain adaptive cybersecurity practices under conditions of continuous vulnerability exposure and technological change.

3. Research Design and Execution

To explore how AI-enabled automation reshapes vulnerability management routines in cybersecurity, this study adopts a qualitative research approach focusing on the tensions arising from the evolving relationship between human expertise and advanced technological systems, such as AI and automation. This approach is suited to capturing how organizational routines change when AI and automation are introduced into VM practices. Qualitative methods are particularly useful for understanding context, interpreting phenomena from the viewpoint of participants, and uncovering the underlying reasons and motivations for specific behaviors or trends [31,32]. Given the exploratory nature of this study, which seeks to identify and contextualize how sociotechnical tensions shape routine enactment in VM, a qualitative design is deemed most appropriate. This enables an in-depth exploration of how human actors perform, adapt, and make sense of automation technologies and AI-enabled systems in the context of cybersecurity threats. In addition, this approach allows us to capture how these interactions contribute to the organization’s ability to interpret and respond to evolving vulnerability conditions over time.

3.1. Research Context

The empirical setting is a multinational fast-moving consumer goods (FMCG) organization listed on the London Stock Exchange. The organization provided a relevant context for this study because its vulnerability management process combines centralized cybersecurity oversight, distributed remediation ownership, and a heterogeneous set of security tools across IT and operational technology environments. The organization relies on several tools to support vulnerability identification, prioritization, and remediation. InsightVM (Available online: https://www.rapid7.com/products/insightvm/ (accessed on 8 May 2026)) is primarily used for scanning servers, Defender for endpoint is used for workstation-related vulnerabilities, Claroty CTD (Available online: https://claroty.com/industrial-cybersecurity/ctd (accessed on 8 May 2026)) is used for the operational technology (OT) environment, and Qomplx (Available online: https://www.qomplx.com/ (accessed on 8 May 2026)) focuses on active directory related exposures. The company scans for vulnerabilities across all countries and within its central IT. Vulnerability management is organized around a triage process that combines manual, automated, and hybrid tasks. This makes the case particularly suitable for examining how human judgment and automation interact in routine enactment. Manual tasks include IP range reviews, false positive identification, inventory and classification, and continuous monitoring. Automated tasks mainly include scanning, metrics, and reporting, whereas verification and validation, prioritization, and assurance are managed as hybrid tasks that involve both human oversight and automated functionalities. The VM process is a multi-stakeholder operation involving various roles within the organization. The cybersecurity team uses automated tools for routine tasks and applies human expertise for tasks that require deeper analytical insights, such as vulnerability assessment, prioritization, and verification. This interplay between automation and human agency exemplifies the performative–ostensive duality described in Organizational Routine Theory. From a system perspective, this configuration reflects how different actors and technologies collectively process vulnerability signals and translate them into coordinated responses.
The studied FMCG organization is also modernizing its approach to VM. In March 2022, it transitions into an agile model using the SAFe method to tackle its backlog and prioritize tasks. The organization is also enhancing their configuration management database (CMDB) to automate the assignment of vulnerabilities. This shift underscores the organization’s journey toward integrating AI into VM, as evidenced by the implementation of an emergency patching process to immediately address high-risk vulnerabilities, a precursor to a more AI-informed decision-making process. A high level of awareness regarding VM exists within the company. The roles are well-defined, and the process is becoming increasingly formalized. However, capacity constraints continue to affect routine performance, leading to delays and rework that often require analysts to override or adjust automated recommendations. The lack of capacity for remediation has fostered a shared recognition of the potential benefits of automation and AI within the organization. These constraints provide a relevant context to observe how organizations adapt their routines to maintain operational continuity despite increasing vulnerability exposure.
This context is important for the study because it makes visible the gap between the formal vulnerability management process and the actual work needed to sustain it. The organization has documented procedures, defined roles, and multiple technical artifacts. At the same time, analysts still need to interpret incomplete asset data, reconcile outputs from different tools, validate automated recommendations, and negotiate remediation ownership. These conditions create a rich setting for studying how AI-enabled automation enters existing routines, generates tensions, and contributes to the gradual stabilization of hybrid human–AI practices.

3.2. Data Collection Process

In 2022, the study included continuous observation [33] of the company’s VM activities. This entailed participation in various internal discussions, direct oversight of the security operations environment, and real-time tracking of vulnerability resolution, yielding valuable insights into the routine interactions between human expertise, automation, and the future potential of AI in managing cybersecurity threats [34]. These observations were systematically compiled and helped identify how routines evolved over time in response to tool limitations, coordination gaps, and interactions among human actors, automation technologies and AI-enabled decision-support mechanisms. This longitudinal perspective enabled us to capture how vulnerability-related signals were interpreted, prioritized, and acted upon across different stages of routine enactment.
Several types of organizational documents were analyzed (a total of 44), including automated reports generated from InsightVM, Tenable, which provided crucial metrics on vulnerabilities, assets, and remediation strategies. These reports, such as “All Assets All Vulnerabilities,” “All Assets,” and “All Vulnerabilities,” serve as instrumental resources for creating a remediation tracker that guides the organization’s VM efforts and helps the authors understand the limitations of the current prioritization mechanism. Additional documents and dashboards from tools such as Defender for Endpoint, Qomplx, and Claroty CTD/XDome helped triangulate the performative aspects of vulnerability response practices. These artifacts also provided insight into how vulnerability information is structured, visualized, and operationalized within the organizational system.
Sampling was performed using a stratified and purposeful sampling technique. The aim was to include participants who could provide valuable insights into VM as well as the nascent stages of automation and AI adoption within the organization [35]. The company C-levels identified 34 members, ranging from high-level executives such as the chief information security officer to specialized roles such as VM lead and IT infrastructure lead, who would contribute to this study. We divided the population into subgroups (strata) that share similar levels of seniority within the company. We conducted judgmental interviews that allowed us to purposely select 15 subjects who were committed to our study and presented the right level of VM expertise and security operations awareness. We recruited the remaining seven subjects among the acquaintances of the initial interviewed subjects. This snowballing method was useful for accessing populations that were difficult to reach and were not identified in the initial sample. The duration of our study allowed us to use a hybrid sampling approach initiated by a probability method (stratification) and leverage the non-probability method (purposive and snowball) to further refine the sample and increase the diversity of perspectives across strategic, managerial, operational, and specialist roles.
The final sample includes 22 participants across strategic, managerial, operational, and specialist roles. Participants are selected because of their involvement in vulnerability management, security operations, infrastructure management, remediation coordination, threat intelligence, architecture, or related automation initiatives. This diversity allows us to examine vulnerability management as a cross-functional organizational routine rather than as an isolated technical process. Table 2 summarizes the participants’ roles and organizational levels. The identifiers are anonymized and are used consistently when reporting quotations in Section 4.
We conducted a semi-structured interview with each of the 22 participants to understand how AI, humans, and automation interact to shape VM practices. Follow-up interviews were conducted with participants whose input was particularly relevant to understanding routine misalignments and adaptations. In total, the empirical material includes 22 participants and 32 interview interactions, combining initial semi-structured interviews and follow-up exchanges with selected participants. These interviews are complemented by observations and document analysis, which allows us to compare what participants describe with how vulnerability management is enacted in practice.

3.3. Data Analysis Methods

Our analysis followed an inductive approach inspired by the Gioia methodology [15], allowing us to stay close to participants’ lived experiences and language in the early stages. The goal was to understand how AI-enabled automation is integrated into vulnerability management (VM) routines and how this integration evolves over time. Importantly, we introduced Organizational Routine Theory (ORT) only after the initial coding and theme development were complete. This sequencing helped avoid forcing theoretical assumptions onto the data and allowed us to use ORT as a sensemaking tool to organize and interpret the findings during later stages of analysis. This approach also enabled us to preserve the empirical grounding of how vulnerability-related dynamics emerge and evolve within organizational routines.
The analysis unfolded in three phases. In the first step, we conducted open coding of the interview transcripts and observation notes. During this stage, we focused on participants’ own terms and expressions, such as “AI doesn’t understand the patching window” or “manual override.” These codes captured detailed experiences of AI-enabled automation integration, friction points, and workarounds. This first stage produces a set of first-order concepts that reflect how participants describe vulnerability management work in their own language. Examples include incomplete CMDB data, conflicting tool outputs, manual validation, AI scoring, analyst override, and fragmented remediation ownership.
In the second step, we grouped similar codes into second-order themes that reflected broader patterns. These included issues such as tensions between machine scoring and human judgment, difficulties in coordinating across multi-vendor tools, and the role of feedback loops in adjusting automation settings. We paid particular attention to how these themes reflected changing dynamics in daily VM routines, including misalignment, improvisation, and reconfiguration. These patterns provided insight into how organizations adapt their responses to evolving vulnerability conditions through routine adjustments. At this stage, we move from participants’ descriptions to more analytical themes such as technological reliance, human interpretive abilities, limitations of technology, interoperability, usability gaps, agile recalibration, and contextual decision-making.
In the third step, we aggregated the second-order themes into broader dimensions that reflect three phases of routine change: initial automation integration, tension manifestation, and routine stabilization. From this process, two core tensions emerged across the empirical material: (1) the challenge of balancing technology-driven decisions with human expertise, and (2) the strain caused by usability gaps within complex multi-vendor automation ecosystems. These tensions structured our findings and were later connected to the conceptual model using ORT’s key constructs: ostensive routines, performative routines, artifacts, and feedback loops. This structuring also enabled us to trace how routine transformations contribute to maintaining or disrupting system-level stability.
The Gioia-inspired data structures presented in Section 4 show the progression from first-order concepts to second-order themes and aggregate dimensions. This structure captures the coding logic behind the two core tensions examined in this study: technology versus human expertise, and the usability versus multi-vendor complexity. The data structure are not developed as isolated visual summaries. They connect participants’ statements to the broader analytical interpretation of how AI-enabled automation reshapes vulnerability management routines.
This approach enabled us to trace how AI-enabled automation interacts with existing human routines, how tensions surface during implementation, and how practices are adapted over time through a mix of human judgment and technological refinement. ORT provided a valuable lens in the final stage to interpret the recursive nature of this evolution and to frame AI not as a static input, but as a dynamic co-performer within cybersecurity operations. In doing so, we also capture how these recursive dynamics support the organization’s capacity to sustain coherent and adaptive vulnerability management practices over time.

3.4. Trustworthiness and Validation

Several measures were taken to strengthen the trustworthiness of the analysis. First, the study relied on data triangulation across interviews, observations, internal reports, dashboards, and workflow documents. This helped compare participants’ accounts with operational artifacts and observed vulnerability management practices. For example, claims about prioritization, remediation delays, or tool fragmentation were assessed against reports, dashboards, and remediation tracking material.
Second, the research team conducted internal inter-coder checks during the coding process. Initial codes and emerging themes were discussed among the authors to compare interpretations, clarify disagreements, and refine the progression from first-order concepts to second-order themes. These discussions helped ensure that the coding structure remained grounded in the empirical material while still supporting theoretical interpretation through ORT.
Third, emerging interpretations were discussed with selected participants who had direct knowledge of the vulnerability management process and were available for validation exchanges. These exchanges helped assess whether the findings accurately reflected the practical realities of AI-enabled automation, remediation ownership, tool fragmentation, and analyst judgment. The aim was not to seek full consensus, but to verify whether the interpretations were plausible and recognizable to knowledgeable organizational actors.
Fourth, we maintained a clear chain of evidence between the empirical material, the Gioia-inspired coding structures, and the final conceptual model. The first-order concepts preserve participants’ language. The second-order themes capture analytical patterns across the data. The aggregate dimensions explain how these patterns form broader routine dynamics. This chain of evidence supports the credibility of the findings and clarifies how the conceptual model was derived from the empirical analysis.
Finally, we treated ORT as an interpretive lens introduced after the initial coding rather than as a predefined coding template. This helped reduce the risk of forcing the data into theory-driven categories. Instead, ORT was used to explain the observed relationship between formal vulnerability management procedures, actual routine enactment, and the artifacts that mediate human and AI collaboration.

4. Findings

This section presents the results of our study on how vulnerability management (VM) routines evolve under the influence of artificial intelligence (AI)-enabled automation. Drawing on organizational routine theory (ORT), we analyze not only how AI-enabled automation is introduced, but how its integration disrupts, reshapes, and eventually stabilizes existing routines. Rather than viewing AI-enabled automation as a linear substitution for human input, our findings show that AI-enabled automation becomes a co-performer in routine enactment, triggering adaptive responses and prompting new configurations of human–machine collaboration. From a broader perspective, these dynamics reflect how organizations adjust their internal processes to interpret and respond to evolving vulnerability conditions, thereby maintaining operational continuity over time.
We introduce the concept of AI as a “co-performer” to describe its evolving role in VM routines. Rather than acting as a passive tool, AI systems participate in the enactment of routines by shaping decisions, prompting reinterpretation of procedures, and influencing how tasks unfold in real time. This perspective highlights that AI does not simply support or replace human actors, it actively contributes to the recursive development of routines. In this sense, AI-enabled automation becomes part of the mechanism through which organizations process vulnerability-related signals and coordinate responses across different actors and tools.
To explain this process, we organize our findings into three distinct but interconnected phases, as reflected in the conceptual model (delineated in Figure 1). Phase I—AI-enabled integration captures the initial efforts to embed AI-enabled automation into the established VM process and the early frictions this generates. Phase II—Tension manifestation explores how routine breakdowns give rise to two core tensions: the first between technology (AI-enabled automation) and human expertise (delineated in Figure 2), and the second between system complexity and usability in multi-vendor VM ecosystems (delineated in Figure 3). These tensions deepen the divergence between ostensive expectations and performative actions. Finally, Phase III—Routine stabilization and learning shows how hybrid routines emerge, stabilize, and are formalized through feedback loops, signaling a longer-term transformation of vulnerability management practices. Across these phases, routines evolve as organizations continuously recalibrate their responses to vulnerability signals, moving from fragmented and reactive practices toward more coordinated and adaptive configurations.
Figure 1 is derived from the Gioia-inspired coding structures and the ORT interpretation developed during the analysis. The first part of the model captures the initial pressure on the ostensive VM routine, where formal triage, scoring, and patching procedures are strained by increasing vulnerability signals and limited remediation capacity. The second part of the model synthesizes the two empirical tensions identified in the data: technology versus human expertise, and usability versus multi-vendor complexity. These tensions explain why AI-enabled automation does not simply produce a more efficient routine, but instead creates new frictions, workarounds, and validation needs in practice. The third part of the model captures how repeated analyst feedback, AI retraining, threshold adjustment, and playbook updates gradually stabilize hybrid routines. The model therefore represents a process of routine evolution, moving from initial AI-enabled automation integration to tension manifestation and then to partial stabilization through human–AI recalibration.
Throughout these phases, AI-enabled automation is not treated as a fixed tool but as an evolving participant in the routine. We show how analysts respond to, adapt, and learn from AI-generated outputs, transforming how tasks are understood, performed, and refined over time. For example, analysts do not only receive AI-generated vulnerability scores. They validate whether the score reflects asset criticality, business exposure, patching feasibility, and remediation ownership. These repeated interactions gradually change how prioritization and remediation decisions are made. In what follows, we trace the trajectory of this transformation and illustrate the recursive relationship between technological capability and routine adaptation. This recursive dynamic highlights how routine evolution contributes to sustaining system-level stability while accommodating ongoing changes in threat environments and technological capabilities.

4.1. Phase I: AI-Enabled Automation Integration

The first phase in the evolution of vulnerability management (VM) routines centers on the initial introduction of AI-enabled automation into an already fragmented and capacity-constrained operational environment. At this stage, organizations are confronted with an increasing volume and complexity of vulnerability signals (e.g., alerts, exposures, threat indicators), which place pressure on existing routines. At this stage, the ostensive routine (the formal vision of how VM should proceed) is largely intact. Organizations continue to define VM as a linear process of asset classification, scanning, scoring, remediation, and reporting. However, the growing complexity of vulnerability signals and resource limitations strains the ability of teams to enact this routine consistently. This strain reflects a growing misalignment between the system’s input (escalating signals) and its capacity to process them effectively.
Participants described how foundational steps such as asset classification were hindered by outdated or incomplete configuration management databases. One security lead noted: “The CMDB… currently is not up to date… information is missing” (SSO, page 2, 17:41). These gaps disrupted the accuracy of the ostensive routine, prompting the deployment of automated metadata corrections. While such automation artifacts improved data fidelity, they did not resolve broader misalignments across the routine. As a result, inaccuracies at this stage propagated through the system, affecting downstream prioritization and remediation decisions. For example, when a server is not correctly classified in the CMDB, the vulnerability may be assigned to the wrong remediation owner or treated with the wrong level of urgency. In practice, analysts must then correct the asset information, validate ownership, and reinterpret the vulnerability before remediation can proceed. This example shows that AI-enabled automation depends on the quality of the underlying routine and cannot operate effectively when foundational data are incomplete.
In the scanning and triage stages, teams relied on heterogeneous tools that lacked interoperability. As one participant explained, “We do not have a centralized approach or standardized official guidelines… work in progress” (PKO, page 2, 03:11). This fragmentation led to a divergence between ostensive expectations of uniform detection and the performative routine of analysts using ad hoc workarounds. The inability to coordinate across tools revealed the limits of human capacity and laid the groundwork for more intelligent intervention. From a system perspective, this fragmentation disrupted the coherent processing of vulnerability signals, leading to inconsistencies in how risks were interpreted and acted upon. A practical example is the need to compare vulnerability outputs from server scanning, endpoint protection, and OT monitoring tools before deciding whether a finding is duplicated, urgent, or already covered by another remediation action. In such cases, automation can support correlation, but analysts still need to reconcile tool outputs and confirm which signal should drive the remediation decision.
AI-enabled automation entered the routine primarily through triage and prioritization. One VM lead observed: “The teams… do not have the capability or resources to address all the things that we already sent to them” (IBO, page 4, 11:22). This resource gap triggered the integration of AI-based scoring systems that evaluated severity and exploitability to help analysts focus on high-priority items. This shift marked the first significant change in the routine’s structure: AI-enabled automation did not merely support analysts; it began to influence decision logic. This marked the beginning of its role as a co-performer. In doing so, AI-enabled automation started to mediate how vulnerability signals were filtered, prioritized, and translated into action. For instance, rather than sending every detected vulnerability to remediation teams, AI-enabled prioritization can help identify vulnerabilities that combine high severity, known exploitability, exposed assets, and business criticality. The practical value is not only faster scoring, but a more selective flow of work toward remediation teams that already face capacity constraints.
The introduction of AI-enabled automation also altered remediation workflows. While dashboards began to display real-time remediation status, manual validation remained essential. One analyst noted: “You need to validate… are they really remediated… this information comes from the tool that is the source of the vulnerabilities” (SSO, page 9, 59:48). Attempts to automate verification sometimes led to contradictory outputs, forcing analysts to re-check results and reinterpret the data, an indication that the performative routine remained under human control even as automation advanced. These contradictions highlight the difficulty of achieving alignment between automated outputs and contextual human judgment. In practical terms, a dashboard may indicate that a vulnerability is remediated because the patch has been deployed, while a later scan may still report the vulnerability because the asset was not restarted, the patch failed, or the scanner used a different detection logic. Analysts therefore continue to play a validation role by checking whether the technical state of the asset matches the status reported by the tool.
This phase is characterized by a growing gap between the ostensive routine and the performative routine, exacerbated by the expanding role of AI-enabled automation. Rather than simply automating routine steps, these technologies introduced new decision points, generated uncertainty, and surfaced tensions between formal expectations and lived practice. These tensions reflect an emerging systemic strain, where the organization struggles to maintain coherent and coordinated responses to increasing vulnerability exposure. The practical implication is that organizations should not introduce AI-enabled automation only as an additional scoring layer. They must first clarify asset ownership, improve data quality, define validation responsibilities, and establish escalation paths when automated outputs conflict with analyst judgment. This sets the stage for phase II, where tensions manifest more explicitly as AI becomes embedded in the daily enactment of vulnerability management routines.

4.2. Phase II—Tension Manifestation: Technology Versus Human Expertise Tension

The second phase of the routine’s evolution is marked by the manifestation of tensions between AI-enabled automation and human expertise. Rather than replacing human decision-making, these technologies introduce new complexities that reshape how decisions are made, validated, and coordinated in daily practice. These tensions emerge as the organization attempts to process increasing volumes of vulnerability signals while maintaining coherent and reliable responses. Drawing on ORT, we examine this phase through three configurations: Asymmetric Perspective on Technology and Human Expertise, Symmetric Perspective on Technology and Human Expertise, and Bridging the Gap: the Need for a Symbiotic Relationship.
Figure 2 presents the Gioia-inspired data structure behind this tension. The first-order concepts capture participants’ direct statements about automation benefits, human interpretation, technical limitations, accountability, and collaboration. These concepts are then grouped into second-order themes, such as technological reliance, human interpretive abilities, limitations of technology, ethical decision-making, contextual decision-making, and the need for collaboration. These themes are aggregated into three broader patterns. The first pattern shows an asymmetric perspective, where the routine over-relies either on technology or on human judgment. The second pattern shows a more symmetric perspective, where AI-enabled automation and human expertise are combined in decision-making. The third pattern shows the need for a symbiotic relationship, where both sides continuously adapt through training, validation, and feedback.
Systems 14 00573 g002
Figure 2. Data structure presenting technology versus human expertise tension. For optimal clarity, please zoom in or enlarge the figure by 400% when viewing the digital version of this paper.
Figure 2. Data structure presenting technology versus human expertise tension. For optimal clarity, please zoom in or enlarge the figure by 400% when viewing the digital version of this paper.
Systems 14 00573 g002
Asymmetric Perspective on Technology and Human Expertise: In the initial stages of AI integration, VM routines often reflected an overreliance on either AI-enabled automation or human judgment, but rarely both. This asymmetric configuration led to frictions where intended efficiencies clashed with the realities of implementation. Leaders envisioned AI-enabled automation as a way to reduce workload and enhance speed: “Introducing automation is key… to optimize the response on vulnerabilities and allow our people to focus on value-adding activities” (FPA, page 1, 00:58). This represents the ostensive routine, a belief in linear improvement through technology. Yet, in the performative routine, human contextualization remained essential. As one analyst explained, “AI will not be able to produce how critical is the system without human interaction” (TST, page 5, 23:32). This asymmetry becomes visible in practical prioritization decisions. An AI-enabled system may rank a vulnerability as critical because it has a high technical severity score and known exploitability. However, the analyst still needs to determine whether the affected asset supports a business-critical service, whether compensating controls are in place, whether the asset is internet-facing, and whether the remediation can be performed without disrupting operations. In such cases, AI-enabled automation accelerates the first sorting of vulnerability signals, but human expertise remains necessary to interpret the operational meaning of the signal.
Technical constraints further undermined the promise of seamless automation: “We don’t have an automated way to test if the system is working properly after we patch” (TST, page 4, 16:43). Analysts were required to step in, validate outputs, and adjust actions accordingly. This reveals how artifacts introduced to stabilize routines also surfaced new misalignments, reinforcing the need for human judgment and interpretive labor. From a system perspective, this configuration illustrates a misalignment in how vulnerability signals are processed, where neither human nor AI capabilities alone are sufficient to ensure coherent decision-making. A concrete example concerns post-patching validation. Even if an automated workflow confirms that a patch has been deployed, the organization still needs to verify whether the system remains operational and whether the vulnerability is no longer detected. This means that analysts and infrastructure teams must validate both remediation effectiveness and service continuity. The tension therefore does not result from resistance to automation. It results from the fact that automation can confirm some technical steps, while human actors remain responsible for contextual validation and operational assurance.
Symmetric Perspective on Technology and Human Expertise: As routines matured, some began to stabilize through more balanced enactments, where human input and AI-enabled automation were integrated into collaborative workflows. A prime example was found in vulnerability prioritization. AI tools processed data and flagged issues, while analysts contextualized the output: “The important feature is the ability to automatically identify and prioritize vulnerabilities based on the severity and potential impact on the organization” (SNA, page 8, 30:52). In this more symmetric configuration, AI-enabled automation contributes by aggregating vulnerability severity, exploitability, exposure, and asset information. Analysts contribute by validating whether the recommendation fits the business and operational context. For instance, a vulnerability on a test system may receive a lower operational priority than a technically similar vulnerability on a production system supporting a critical business process. The decision is therefore neither fully automated nor fully manual. It is produced through the joint interpretation of machine-generated signals and human contextual knowledge.
This co-performance extended beyond technical decisions into ethical and legal accountability. “You cannot ask for penalties because the AI did something wrong… it’s going to be the person or team who sits behind it” (TDO, page 7, 38:19). In this symmetric configuration, AI was not positioned as a replacement but as a decision-support partner. The ostensive routine began to incorporate human–machine coordination as a design feature, while the performative routine showed how this coordination played out through discretion and situational judgment. Here, vulnerability signals are jointly interpreted through human–AI interaction, enabling more consistent and context-aware responses. This accountability dimension is practically important. When an AI-enabled system recommends postponing remediation, the organization cannot delegate the responsibility for that decision to the tool. A human owner still needs to assess the risk, document the rationale, and accept or challenge the recommendation. AI therefore supports decision quality, but accountability remains embedded in organizational roles, escalation paths, and governance mechanisms.
Bridging the Gap, the Need for a Symbiotic Relationship: Over time, a symbiotic relationship emerged. Rather than being dictated by predefined roles, AI systems and human actors continuously co-adapted. Analysts acquired new capabilities to configure, interpret, and recalibrate AI-enabled automation. “You would still need these people… to train themselves in using the AI and configuring the AI and instructing it to act on their behalf” (TDO, page 9, 47:31).
This co-evolution was evident in decision-making routines: “AI will focus more on prioritization, bringing all the context together… for the analyst… to take a decision” (FPA, page 9, 34:57). Analysts guided and corrected automated processes, especially in cases where systems were too fragmented or legacy applications prevented full automation. “Not all the applications will be able to test it by using the AI… it will be hard to do this reassessment of the criticality… without… human interaction” (TST, page 5, 23:32). The practical implication is that organizations need to invest not only in AI-enabled tools, but also in the human capabilities required to operate them. Analysts must learn how to interpret AI-generated scores, identify false positives, adjust thresholds, challenge weak recommendations, and feed lessons back into the system. This changes the analyst role from manual processor of vulnerability lists to supervisor, interpreter, and calibrator of AI-supported vulnerability management routines.
This phase reflects the emergence of a hybrid model of co-performance, where routines evolve through feedback, learning, and distributed accountability. AI-enabled automation is no longer an external add-on but becomes an actor in the performative routine, influencing how vulnerability management is enacted, stabilized, and redefined. At this stage, the tension is not resolved but sustained, as both human expertise and AI-enabled automation remain simultaneously necessary to process vulnerability signals effectively. This coexistence reflects a shift toward a more adaptive and coordinated system, where stability is achieved through the ongoing balancing of interdependent capabilities.

4.3. Phase II—Tension Manifestation: Dialectic Usability and Complexity in Multi-Vendor VM Ecosystems

The second core tension concerns the struggle to maintain usability while managing the expanding complexity of multi-vendor vulnerability management (VM) ecosystems. As AI-enabled automation is introduced into these environments, routines often deviate from the planned scripts and evolve through situated responses. Drawing on Organizational Routine Theory (ORT), we explore how formal expectations (ostensive routines) are challenged by fragmented technologies and user constraints, and how adaptive performances (performative routines) emerge in response. This tension reflects the difficulty of maintaining coherent interpretation and coordination of vulnerability signals across a fragmented technological landscape. We present three interconnected tensions: Complexity, Usability, and Navigating Technological Change.
Figure 3 presents the Gioia-inspired data structure behind the usability and multi-vendor complexity tension. The first-order concepts capture participants’ direct descriptions of vendor-specific patching cycles, interoperability gaps, scattered asset ownership, dashboard limitations, end-to-end automation expectations, internal policy constraints, and agile adaptation. These concepts are grouped into second-order themes, including vendor diversification, interoperability, fragmented security, user-friendly gap, AI and automation in end-to-end VM, internal policies, and agile methodologies. These themes are then aggregated into three broader dimensions. The first dimension captures complexity in multi-vendor ecosystems. The second captures usability gaps between system design and analyst needs. The third captures the need to navigate rapid technological change through organizational recalibration.
Systems 14 00573 g003
Figure 3. Data structure presenting the dialectic of usability and complexity in multi-vendor VM ecosystem tension. For optimal clarity, please zoom in or enlarge the figure by 400% when viewing the digital version of this paper.
Figure 3. Data structure presenting the dialectic of usability and complexity in multi-vendor VM ecosystem tension. For optimal clarity, please zoom in or enlarge the figure by 400% when viewing the digital version of this paper.
Systems 14 00573 g003
Complexity, The Disruption of Routine Coherence in Multi-Vendor Ecosystems: The first configuration highlights how fragmented vendor ecosystems disrupt the temporal and procedural flow of VM routines. Instead of forming a unified system, vendor-specific update cycles and incompatible tools introduce unpredictability into daily operations. As one infrastructure lead explained, “One vendor… would do pilot patching one month and production the next… vulnerabilities increase then drop” (YBE, page 5, 27:16). These disjointed rhythms undermine the ostensive routine, introducing friction in remediation workflows and reducing the predictability of operations. From a system perspective, this fragmentation disrupts the consistent flow and aggregation of vulnerability signals, making it difficult to maintain a unified view of risk. In practical terms, this means that vulnerability exposure may appear to increase or decrease not only because the risk itself changes, but because different vendors scan, report, patch, and validate at different times. A remediation team may therefore receive fluctuating vulnerability numbers that reflect tool and vendor rhythms as much as actual risk evolution. This makes prioritization harder because teams must distinguish between a genuine increase in exposure and a reporting effect created by fragmented tool cycles.
Beyond misaligned schedules, interoperability limitations compound complexity. Analysts often construct local workarounds to merge outputs from tools like Defender and InsightVM: “If I have the same vulnerability from Defender and InsightVM, I need a central tool to triage and correlate” (ITZ, page 9, 26:27). These adaptations are examples of performative elaboration of local responses that keep routines functioning despite systemic fragmentation. These workarounds illustrate how actors attempt to restore coherence in the system by compensating for gaps in technological integration. A concrete example is the correlation of the same vulnerability reported by multiple tools. Defender may report the vulnerability at workstation level, while InsightVM may report a similar issue at server or infrastructure level. Without a central correlation mechanism, analysts must manually determine whether the findings refer to the same exposure, whether remediation has already been initiated, and which tool should be treated as the source of truth. AI-enabled automation can support this correlation, but only if the underlying data model, asset identifiers, and ownership structures are sufficiently aligned.
This technological disunity also disrupts responsibility structures. “We struggled with who owns this asset… responsibility scattered… very frustrating” (ITZ, page 6, 14:33). As the formal script offers no clear ownership, teams must renegotiate accountability through performative routines. Instead of enforcing top-down responsibility, coordination becomes emergent, shaped by negotiation and shared experience. As a result, the processing of vulnerability signals becomes distributed and contingent, rather than centrally coordinated. This ownership problem has direct operational consequences. When no team clearly owns an affected asset, a vulnerability may remain open even when the technical remediation is known. The bottleneck is not the absence of a patch, but the inability to assign responsibility, obtain approval, and coordinate the action with the correct operational owner. This shows that multi-vendor complexity is not only a technical integration issue. It is also a routine coordination issue involving accountability, ownership, and escalation.
Usability, Mismatches Between AI System Design and Analyst Needs: The second tension arises when AI-enabled automation fails to align with user expectations and organizational needs. Although many tools are introduced to improve workflow speed, analysts often report usability as a major barrier. One incident coordinator stated, “The most neglected part is user interaction with the AI tool” (MST, page 4, 11:39). This reflects a gap between the ostensive routine, which presumes seamless integration, and the performative reality, where tools are bypassed or reconfigured.
Rather than interpreting such behavior as resistance, ORT enables us to view these adjustments as performative adaptations. Analysts reconfigure routines to make them work, sometimes reintroducing manual steps, validating outputs independently, or maintaining duplicate systems. These improvisations reflect human agency in sustaining coherence despite flawed interfaces. From a system perspective, these adaptations compensate for limitations in how AI-enabled tools present and contextualize vulnerability signals. For example, a dashboard may present vulnerability counts, severity levels, and remediation status, but still fail to show why a vulnerability matters for a specific business process or why it should be prioritized over another one. Analysts then export data, compare reports, contact asset owners, and reconstruct context outside the tool. This does not indicate that the tool is useless. It shows that usability depends on whether the tool supports the actual decision sequence followed by analysts.
Still, incremental improvements from automation artifacts were acknowledged. “End-to-end automation… if we automate even 10% or 20%… it’s a good start” (FPA, page 4, 10:37). This cautious integration shows that AI-enabled automation does not replace the routine but becomes selectively embedded into stable patterns. Analysts adopt automation for routine tasks while continuing to exercise discretion over more ambiguous cases. These hybrid routines illustrate how AI supports co-performance rather than substitution. This reflects a balancing dynamic, where usability and complexity coexist as interdependent conditions rather than mutually exclusive outcomes. This incremental view is practically important. In complex VM environments, the realistic objective is not immediate full automation. A more viable path is to automate specific segments of the routine, such as deduplication, enrichment, ticket routing, or status reporting, while preserving human review for ambiguous prioritization and remediation decisions. This explains why even partial automation can produce value when it reduces repetitive work without removing human oversight.
Navigating Rapids Technological Change, Organizational Drift and Recalibration: The third configuration captures how rapid technological evolution disrupts VM stability. While ostensive routines are often designed for long-term predictability, shifting threat landscapes and tool updates demand frequent adjustments. As one SOC leader explained, “It’s getting approval from the product owners to patch the vulnerabilities” (CTZ, page 6, 30:37), policies meant to ensure control now delay time-sensitive actions. This illustrates a practical tension between governance control and operational speed. Product owner approval helps prevent uncoordinated changes, but it can also slow remediation when vulnerabilities require urgent action. In such cases, the routine must be recalibrated so that urgent remediation can proceed through predefined exception paths, while still preserving accountability and change control. The studied organization established emergency patching process as one walkaround measure for high critical vulnerabilities.
Some teams adapt by reconfiguring their work practices. “Initially, upgrades took a year, now it’s a month… three patching weekends” (TDO, page 5, 29:20). These adaptations demonstrate how organizations can become more agile when routines are redesigned collaboratively. Such changes reflect ongoing recalibration processes aimed at maintaining alignment between evolving vulnerability signals and organizational response capabilities.
Organizational Routine Theory helps explain these changes not as breakdowns but as moments of routine recalibration. Analysts engage in performative elaboration, reassessing sequences, realigning roles, and redesigning artifacts to sustain continuity. This continuous updating reflects the dynamic nature of VM routines, in which AI-enabled automation becomes a catalyst for experimentation, learning, and ultimately, stabilization. Through these adjustments, the organization incrementally restores coherence in how vulnerability signals are interpreted and acted upon. For example, moving from annual upgrades to monthly or weekend-based patching cycles changes the temporal rhythm of the VM routine. It requires new coordination with product owners, infrastructure teams, security teams, and business stakeholders. AI-enabled automation can support this recalibration by identifying which vulnerabilities require faster action, but the organization still needs governance rules that define when standard approval paths can be accelerated.
Overall, this phase illustrates that complexity, usability, and technological change do not simply disrupt routines, they prompt new forms of coordination. Through performative routines, human actors actively sustain and reshape cybersecurity operations, incorporating AI not as a fixed solution but as an evolving co-performer in response to dynamic conditions. These dynamics reveal a persistent tension between fragmentation and coordination, where system stability depends on the continuous balancing of competing demands rather than their resolution. The practical implication is that organizations should not treat AI-enabled vulnerability management as a single tool implementation. They need to design integration mechanisms, usability checks, ownership rules, escalation paths, and feedback loops around the tool. Without these organizational supports, AI-enabled automation may add another layer of complexity. With them, it can help transform fragmented vulnerability signals into more coordinated remediation action.

4.4. Phase III—Reconciliation and Routine Stabilization

In the final phase of routine evolution, organizations begin to reconcile the tensions surfaced in Phase II through iterative adjustments and mutual calibration between human actors and AI-enabled automation. Rather than resolving tensions outright, routines stabilize as new forms of hybrid coordination emerge. Using Organizational Routine Theory (ORT), this phase can be understood as the recursive realignment between the performative routine and the ostensive routine, influenced by feedback loops, local experimentation, and learning. At this stage, the organization develops more coherent ways of processing and responding to vulnerability signals, enabling more consistent and coordinated action across actors and tools.
Adaptation occurs as analysts modify their engagement with automation outputs. Rather than passively accepting AI-generated scores or triage suggestions, human actors selectively adjust, interpret, or override them. As one CISO explained, “AI will focus more on prioritization, bringing all the context together… for the analyst… to take a decision” (FPA, page 9, 34:57). These adjustments reflect how humans reshape the performative routine while maintaining alignment with formal objectives, ultimately giving rise to new hybrid routines and analyst feedback. Through these practices, vulnerability signals are not only processed more efficiently but also more accurately contextualized. A practical example is the treatment of a high-scoring vulnerability affecting a non-critical asset. The AI-enabled system may initially flag the vulnerability as urgent based on severity and exploitability. The analyst then reviews the asset context, exposure level, compensating controls, remediation window, and ownership information. If the operational risk is lower than the technical score suggests, the analyst may adjust the priority, document the rationale, and feed this decision back into the prioritization logic. In this way, the routine stabilizes not by removing human judgment, but by making human judgment part of the calibration process.
Over time, consistent patterns emerge. Organizations begin to document, formalize, and share successful combinations of automation and human oversight, leading to the formation of a stabilized sociotechnical pattern. Analysts rely on AI scores + human contextualization to prioritize efforts efficiently while maintaining operational relevance. This reflects a hybrid routine where judgment is distributed between machine-generated logic and human discretion. This stabilization reflects an increasing alignment between system inputs (vulnerability signals), interpretive processes, and coordinated responses. These hybrid routines become visible when repeated practices are translated into shared procedures. For example, analysts may define when AI-generated prioritization can be accepted directly, when it requires human review, and when it must be escalated to a remediation owner or risk committee. Such decision rules reduce ambiguity and help the organization move from ad hoc correction toward more predictable human–AI coordination.
As AI-enabled automation is further embedded into daily practice, human actors begin to influence the logic and behavior of the tools themselves. Analysts tune thresholds, flag false positives, and reprioritize system outputs. One participant reflected on this iterative adjustment: “We are trying to enhance the user stories… to ease the work of the teams… based on the capacity that we have, and other teams are having” (IBO, page 6, 23:51). These actions mark a feedback loop in which human input shapes not only current performance but future system behavior through AI retraining and analyst refinement. This feedback loop represents a form of adaptive system regulation, where past outcomes inform future responses to evolving vulnerability conditions. In practice, this means that analyst feedback becomes part of the operating logic of the VM routine. False positives can be used to adjust scoring parameters. Repeated ownership disputes can trigger improvements in CMDB data. Recurring remediation delays can inform changes to patching calendars, escalation paths, or service-level expectations. The AI-enabled system therefore does not stabilize the routine alone. Stabilization occurs when analysts, process owners, and automation artifacts repeatedly adjust to one another.
Eventually, this mutual calibration is reflected in changes to the ostensive routine. As hybrid approaches are validated and routinized, organizations begin to incorporate them into formal playbooks and standard operating procedures. This results in the formal incorporation of hybrid practice and the formalization of new human–AI roles. AI is no longer just a tool to be used, but a participant in the routine affecting how decisions are made, how work is sequenced, and how accountability is distributed. At this point, AI-enabled automation is embedded as a stable component of the system’s response capability. For example, a playbook may define that critical vulnerabilities are first enriched by automated scoring, then reviewed by an analyst, then assigned to a remediation owner, and finally validated through a combination of dashboard evidence and manual verification. Such a playbook does not remove discretion. It structures discretion by clarifying when human review is required and how AI-generated outputs should be interpreted. This is where the performative routine begins to reshape the ostensive routine. Repeated practice becomes formal guidance.
This phase illustrates how vulnerability management evolves not through top-down transformation but through recursive learning and local adaptation. It contributes to ORT by showing how routines stabilize under pressure not by eliminating contradiction but by reconfiguring performative practices to accommodate evolving technological roles. In cybersecurity, AI-enabled automation becomes a co-performer that participates in both the friction and the repair of organizational work. Importantly, this stabilization enables organizations to sustain secure and adaptive operations over time, reflecting an emergent form of system viability grounded in continuous human–AI coordination. The practical implication is that organizations should design AI-enabled vulnerability management as a learning routine rather than as a one-time automation project. This requires mechanisms for analyst feedback, false-positive management, threshold tuning, escalation review, and playbook updates. When these mechanisms are in place, AI-enabled automation can help transform vulnerability management from a reactive process into a more adaptive routine that learns from prior decisions and improves future responses.

4.5. Summary of Findings

Table 3 summarizes the main findings of the study and shows how the empirical evidence connects to Organizational Routine Theory. The findings show that AI-enabled automation does not enter vulnerability management as a simple technical add-on. Instead, it reshapes how vulnerability signals are interpreted, prioritized, validated, and translated into remediation action. Across the three phases, the routine moves from strained automation integration, to the manifestation of human–technology and usability–complexity tensions, and then toward partial stabilization through feedback, calibration, and formalization.
Overall, the findings show that AI-enabled automation reshapes vulnerability management through a recursive process. First, it exposes weaknesses in existing routines. Second, it creates tensions between automated outputs, human judgment, tool usability, and organizational complexity. Third, it supports the emergence of hybrid routines when analysts, process owners, and automation artifacts learn from repeated interaction. This explains why AI becomes a co-performer in vulnerability management. Its value depends not only on technical accuracy, but on how effectively it is embedded into routines of validation, accountability, feedback, and remediation coordination.

5. Discussion and Conclusions

5.1. Contributions

This study offers empirical, theoretical, and practical contributions by analyzing how AI-enabled automation reshapes vulnerability management (VM) routines through the lens of Organizational Routine Theory (ORT) [1]. In addition, it advances a system-level understanding of vulnerability management by linking routine dynamics to the organization’s ability to sustain stable and adaptive operations under evolving threat conditions [4]. The central contribution is to show that AI-enabled automation does not simply improve VM by accelerating isolated tasks. Instead, it changes how vulnerability signals are interpreted, how remediation decisions are validated, and how accountability is distributed across people, tools, and organizational procedures.
Empirically, the study provides a detailed account of how VM routines evolve through the integration of AI and automation. Rather than acting as a replacement for human decision-making, AI functions as a co-performer that triggers new forms of coordination, adaptation, and judgment. This complements prior research that has largely focused on the technical capabilities of AI for detection and prioritization [9,10], or on high-level ethical concerns [14], without examining how human–AI collaboration unfolds in day-to-day cybersecurity operations. By tracing how routines are disrupted and restructured through feedback loops, we offer a grounded view of the processes that underpin routine stabilization. In doing so, we build on studies that emphasize routine dynamics [12,26], by showing how routine adaptation occurs in high-tempo, multi-vendor environments. These insights illuminate how human–AI collaboration is enacted, not designed in practice, especially in complex, multi-vendor environments [4]. Importantly, our findings show how organizations progressively improve their capacity to interpret and respond to vulnerability signals through iterative adjustments in routine enactment. This empirical contribution is also practical in nature because it shows where AI-enabled automation creates value and where it creates new work. In the studied VM routine, AI-supported scoring and prioritization help reduce the volume of vulnerability signals that analysts and remediation teams must process. At the same time, these outputs still require human validation, asset contextualization, ownership clarification, and remediation feasibility assessment. The study therefore provides a more granular account of AI adoption in cybersecurity operations by showing that automation shifts human work toward interpretation, calibration, and accountability rather than removing it.
Theoretically, we extend ORT by demonstrating how routines evolve through recursive interactions between humans, tools, and organizational scripts. We show that AI-enabled automation participates in shaping both the performative routine (through scoring, triage, and patch workflows) and the ostensive routine (through its influence on formal decision-making structures). While earlier work has discussed the dual structure of routines [16] and the mediating role of digital tools [27], our study advances this literature by conceptualizing AI as a dynamic co-performer that both disrupts and stabilizes routines through continuous feedback. Our model introduces the notion of hybrid routines as the outcome of ongoing tension reconciliation. It also highlights how artifacts like AI dashboards and scoring engines are not neutral supports, but dynamic actors that mediate organizational change. This responds to recent calls in ORT to account for the performativity of digital tools in shaping organizational change [13], particularly in domains where reliability, speed, and interpretation are critical. A further theoretical contribution lies in showing that routine stabilization does not mean the disappearance of tension. In this study, the tensions between technology and human expertise, and between usability and multi-vendor complexity, remain active. What changes is the organization’s capacity to work with these tensions through feedback loops, analyst refinement, threshold adjustment, and playbook formalization. This extends ORT by showing how AI-enabled routines stabilize through recurrent recalibration rather than through final resolution. Beyond extending ORT, we contribute by positioning vulnerability management routines as regulatory mechanisms through which organizations process vulnerability signals and maintain operational coherence. In this view, routine stabilization does not eliminate tensions but enables their continuous reconciliation, allowing organizations to sustain adaptive and coordinated responses over time. This reframes routine dynamics as a foundation for system-level viability rather than merely local process improvement. It also clarifies why ORT is particularly suitable for this study. Other management theories, such as sociomateriality or technology acceptance perspectives, could help explain material agency, adoption, or resistance. ORT is used here because the central phenomenon is the evolution of repeated work practices over time, especially the relationship between formal procedures, actual enactments, and technological artifacts.
Practically, our findings suggest that successful AI integration in VM is not merely a matter of tool deployment. Organizations must actively foster routine adaptation through training, iterative feedback processes, and the formal recognition of new human–AI roles. Leaders should avoid framing AI as a linear efficiency solution and instead embrace its evolving function as a partner in decision-making. This implies designing workflows and governance structures that are flexible enough to incorporate human judgment, contextualization, and local improvisation. We recommend building structured feedback loops that enable analysts to continuously refine both their routines and the AI systems that support them. These recommendations offer guidance to practitioners seeking to navigate AI integration beyond automation, and echo recent insights from applied cybersecurity research calling for more socio-technical approaches to threat management [3,17]. In particular, organizations should focus on developing the capability to continuously interpret, prioritize, and respond to evolving vulnerability signals, as this capability underpins long-term operational stability. For practitioners, the findings suggest four concrete design principles. First, AI-enabled VM should begin with reliable asset data and clear ownership rules. Second, AI-generated prioritization should remain reviewable by analysts, especially when business criticality, exposure, or compensating controls are uncertain. Third, dashboards and scoring systems should be designed around the actual decision sequence followed by analysts and remediation teams. Fourth, organizations should formalize feedback loops so that false positives, remediation delays, ownership disputes, and analyst overrides are used to improve future scoring, routing, and playbook design. These principles translate the conceptual model into actionable guidance for organizations seeking to move from fragmented vulnerability handling toward adaptive and coordinated VM routines.

5.2. Limitations and Further Research

While this study advances our understanding of how AI-enabled automation shapes vulnerability management (VM) routines, it is important to acknowledge several limitations that also open directions for future research. These limitations are particularly relevant when considering how the observed dynamics may generalize to different organizational systems and vulnerability conditions. They also help clarify how future studies can extend the present findings by examining other organizational contexts, using complementary theoretical lenses, and following the evolution of AI-supported routines over time.
First, the study was conducted within a single multinational organization. This setting provided deep access to routine processes and enabled close observation of performative adaptations as AI is embedded into VM practices. However, the organizational scale, maturity, and security culture may not reflect the realities of smaller firms, government agencies, or less mature contexts. Prior research has shown that the institutional environment strongly influences how technologies are enacted and interpreted [24,25]. For example, Rossi [27] found that digital routines adapt differently depending on local structures and actor configurations. Future work should pursue comparative case studies to examine how different organizational environments shape the feedback loops, tensions, and routine stabilization processes observed in this research. Such comparisons would help assess how organizations with varying capacities manage vulnerability signals and maintain operational stability under different conditions. Comparative studies could also examine whether AI becomes a co-performer in similar ways in organizations with lower automation maturity, fewer specialized security roles, or less formalized vulnerability management routines.
Second, the study relied primarily on semi-structured interviews and internal documentation. While these sources were rich in detail and enabled the tracing of shifts in ostensive and performative routines, they may be influenced by retrospective bias or gaps in recall. Although partial member checks and triangulation across roles were used to enhance credibility, real-time observational studies or ethnographic approaches could offer complementary insights into how co-performance between humans and AI unfolds dynamically in day-to-day cybersecurity work. This is consistent with routine dynamics research, which emphasizes the need to study routines as they are enacted in practice, since actors often adapt, challenge, and refine routines in situated and unexpected ways [12,13]. Future research could further examine how vulnerability signals are interpreted and acted upon in real time, particularly in high-pressure operational environments. Such research could also follow how analysts interact with AI-generated outputs during live prioritization, exception handling, and remediation escalation.
Third, our decision to frame the study through Organizational Routine Theory (ORT) helped capture how routines evolve through adaptation, local experimentation, and interaction with artifacts like AI scoring tools and dashboards. However, ORT focuses on stabilization and recursive learning, and may underemphasize broader issues such as power asymmetries, user resistance, or the emotional dimensions of automation. For instance, recent studies have emphasized how digital transformation and automation reshape visibility, legitimacy, and control structures in ways that can provoke resistance or lead to unintended consequences [26,36]. Future research could draw on sociomateriality, institutional work, or critical perspectives on AI governance to deepen our understanding of the human experience of automation in cybersecurity. For example, Chedrawi and Haddad [37] argue that sociomaterial perspectives can help illuminate how AI artifacts participate in shaping power and agency dynamics. These perspectives could complement ORT by providing additional insight into how systemic conditions influence routine enactment and adaptation. This limitation also points to a theoretical opportunity. ORT is particularly useful for explaining how repeated practices stabilize and change, but other management theories could examine different aspects of human and technology engagement. Sociomateriality could explain how agency is distributed between analysts, dashboards, scoring systems, and workflow tools. Institutional theory could explain how formal rules, compliance expectations, and professional norms shape the acceptance of AI-supported VM routines. Technology acceptance and resistance perspectives could explain why some analysts trust or bypass AI-generated recommendations. Future research can therefore build a more plural understanding of AI in cybersecurity by combining ORT with these complementary perspectives.
Fourth, the study captures a transitional moment in the integration of AI-enabled automation. Many of the routines we analyzed were still evolving through hybrid experimentation and were not yet formalized in organizational playbooks. As AI systems continue to advance and as analyst practices mature in response, new routines, tensions, and unintended consequences are likely to emerge. This echoes more recent insights that routine stabilization is not a fixed endpoint but a fluid, contested process that unfolds through ongoing adaptation and organizational learning [38]. Longitudinal research will be essential to trace how hybrid routines stabilize, decay, or shift over time as organizations adjust their strategies and technologies. Such studies would be particularly valuable for understanding how organizations sustain system-level viability as vulnerability conditions and technological capabilities evolve. One unexpected finding that deserves further research is that AI-enabled automation does not simply reduce human involvement. Instead, it creates new forms of human work. Analysts must validate AI outputs, interpret asset context, correct false positives, adjust thresholds, document exceptions, and feed lessons back into the system. This suggests that AI changes the content of expertise rather than eliminating expertise. Future studies could examine how cybersecurity roles, skills, and accountability structures evolve as AI becomes more deeply embedded in operational routines.
Despite these limitations, this study contributes a grounded, theory-informed account of how vulnerability management routines adapt in practice under the influence of AI-enabled automation. Rather than assuming a linear path from tool deployment to efficiency, we demonstrate that routine change is recursive, negotiated, and shaped by human–AI interaction across time. Importantly, this work highlights that maintaining effective vulnerability management is not only a matter of technical capability, but also of continuously aligning human and technological responses to evolving system conditions. Future research can continue to explore this dynamic by unpacking the temporal, political, and ethical dimensions of AI integration in cybersecurity and beyond. In doing so, future work can further explain how organizations transform AI from a technical capability into a sustainable organizational routine.

5.3. Conclusions

This study examined how vulnerability management (VM) routines evolve under the influence of AI-enabled automation in cybersecurity operations. Guided by Organizational Routine Theory (ORT), we explored the recursive interplay between ostensive routines (formal expectations), performative routines (actual enactments), and the mediating role of artifacts such as AI scoring engines and dashboards. Our central research question asked: “How does the organizational integration of AI and automation reshape vulnerability management routines in practice?” To answer this, we developed a three-phase model grounded in qualitative data: (1) the integration of AI-enabled automation into strained and fragmented routines, (2) the manifestation of tensions between automation and human expertise as well as between usability and complexity, and (3) the stabilization of hybrid routines through iterative adaptation, feedback loops, and routine recalibration.
Our findings show that AI-enabled automation does not simply replace human input or linearize workflows. Instead, it triggers a process of routine reconfiguration, where analysts and technologies co-perform decisions, selectively integrate tools, and shape the evolution of work practices. This transformation is neither uniform nor top-down. It unfolds through localized improvisation, collaborative learning, and emergent adaptation, culminating in new hybrid routines that gradually become formalized into the updated ostensive routine. Through this process, organizations progressively improve their capacity to interpret and respond to vulnerability signals, enabling more coordinated and adaptive cybersecurity practices. The conclusion is directly supported by the three empirical phases. Phase I shows that AI-enabled automation enters VM routines in a context marked by incomplete asset data, fragmented tools, and limited remediation capacity. Phase II shows that automation creates two persistent tensions: technology versus human expertise, and usability versus multi-vendor complexity. Phase III shows that these tensions are not fully removed, but are made manageable through feedback, analyst calibration, threshold adjustment, and playbook formalization. These findings explain why AI-enabled automation becomes a co-performer in VM routines rather than a simple substitute for human work.
Theoretically, this study extends ORT by illustrating how routines stabilize not by resolving tensions but by accommodating them, allowing organizations to maintain coherence in the face of uncertainty. More specifically, we show that routine dynamics operate as mechanisms through which organizations continuously process vulnerability signals and recalibrate their responses. In doing so, we position routine stabilization as a foundation for system-level viability, where stability is achieved through ongoing adaptation rather than equilibrium. Empirically, it offers a fine-grained account of how cybersecurity professionals enact, contest, and renegotiate their roles in collaboration with AI. Practically, it provides guidance for organizations seeking to implement AI in ways that support, not undermine, human expertise, decision-making integrity, and operational effectiveness.
While these insights offer strong contributions, they are bounded by the limitations of a single case study, which may constrain generalizability and call for further comparative and longitudinal research. Future studies can examine whether similar patterns appear in smaller organizations, public sector contexts, or less mature cybersecurity environments. They can also follow how AI-supported VM routines evolve over time as tools, analyst skills, and governance structures mature.
Ultimately, this study contributes a grounded, recursive view of routine evolution in cybersecurity. Rather than portraying AI as a deterministic force, we show how AI-enabled automation becomes a co-performer, a dynamic actor that shapes and is shaped by the routines it enters. By linking micro-level routine adaptation to broader system outcomes, this study highlights how organizations sustain secure and adaptive operations in the face of continuous threat evolution. As organizations continue to navigate the complex integration of AI, understanding the micro-dynamics of routine change will be essential for building resilient, ethically sound, and context-sensitive cybersecurity operations.

Author Contributions

Conceptualization, M.S. and A.S.; methodology, M.S.; writing—original draft preparation, M.S.; writing—review and editing, M.S., A.S. and S.K. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

The study was conducted in accordance with the Declaration of Helsinki, and the protocol was approved by the School of Business and Economics (SBE) Ethical Review Board at VU Amsterdam (27112024) on [15 October 2024].

Informed Consent Statement

Informed consent for participation was obtained from all subjects involved in the study.

Data Availability Statement

The data that support the findings of this study are available from the corresponding author upon reasonable request.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Saadallah, M.; Shahim, A.; Khapova, S. Multi-method Approach to Human Expertise, Automation, and Artificial Intelligence for Vulnerability Management: Investigation of Challenges and Emerging Tensions. In Proceedings of the IFIP International Conference on ICT Systems Security and Privacy Protection, Edinburgh, UK, 12–14 June 2024; pp. 410–422. [Google Scholar]
  2. Haber, M.J.; Hibbert, B. The Vulnerability Management Program. In Haber 2018 Emphasizes the Role of Vulnerability and Compliance Management Initiatives in Securing Critical Information and Demonstrating Regulatory Compliance; Apress: New York, NY, USA, 2018; pp. 111–118. [Google Scholar] [CrossRef]
  3. Riggs, H.; Tufail, S.; Parvez, I.; Tariq, M.; Khan, M.A.; Amir, A.; Vuda, K.V.; Sarwat, A.I. Impact, Vulnerabilities, and Mitigation Strategies for Cyber-Secure Critical Infrastructure. Sensors 2023, 23, 4060. [Google Scholar] [CrossRef]
  4. Saadallah, M.; Shahim, A.; Khapova, S. Navigating identity threats in AI-enabled automated cyber defense: A dynamic model for modern SOC and vulnerability management teams. In Proceedings of the Hawaii International Conference on System Sciences, Maui, HI, USA, 6–9 January 2026. [Google Scholar]
  5. Craigen, D.; Diakun-Thibault, N.; Purse, R. Defining cybersecurity. Technol. Innov. Manag. Rev. 2014, 4, 13–21. [Google Scholar] [CrossRef] [PubMed]
  6. Syed, R. Cybersecurity vulnerability management: A conceptual ontology and cyber intelligence alert system. Inf. Manag. 2020, 57, 103334. [Google Scholar] [CrossRef]
  7. Hazar, D. 2020 Vulnerability Management Survey; SANS Institute: Rockville, MI, USA, 2020. [Google Scholar]
  8. Khan, S.; Parkinson, S. Review into State of the Art of Vulnerability Assessment Using Artificial Intelligence; Springer International Publishing: Berlin/Heidelberg, Germany, 2018; pp. 3–32. [Google Scholar] [CrossRef]
  9. Ahmadi Mehri, V.; Arlos, P.; Casalicchio, E. Automated Context-Aware Vulnerability Risk Management for Patch Prioritization. Electronics 2022, 11, 3580. [Google Scholar] [CrossRef]
  10. Goswami, M. AI-based anomaly detection for real-time cybersecurity. Int. J. Res. Rev. Tech. 2024, 3, 45–53. [Google Scholar]
  11. Saadallah, M.; Shahim, A.; Khapova, S. Reconciling Tensions in Security Operations Centers a Paradox Theory Approach. Big Data Cogn. Comput. 2025, 9, 278. [Google Scholar] [CrossRef]
  12. Feldman, M.S.; Pentland, B.T.; D’Adderio, L.; Lazaric, N. Beyond routines as things: Introduction to the special issue on routine dynamics. Organ. Sci. 2016, 27, 505–513. [Google Scholar] [CrossRef]
  13. Mahringer, C.; Danner-Schröder, A.; Müller-Seitz, G.; Renzl, B. How does artificial intelligence promote change and stability of organizational routines? The role of automation and augmentation. J. Competences Strategy Manag. 2024, 12, 1–17. [Google Scholar]
  14. Odedina, E. AI Can’t Defend What It Can’t Contextualize: The Persistent Value of Human Intuition in Cybersecurity. Iconic Res. Eng. J. 2023, 6, 380–388. [Google Scholar]
  15. Gioia, D.A.; Corley, K.G.; Hamilton, A.L. Seeking qualitative rigor in inductive research: Notes on the Gioia methodology. Organ. Res. Methods 2013, 16, 15–31. [Google Scholar] [CrossRef]
  16. Feldman, M.S.; Pentland, B.T. Reconceptualizing organizational routines as a source of flexibility and change. Adm. Sci. Q. 2003, 48, 94–118. [Google Scholar] [CrossRef]
  17. Pollini, A.; Callari, T.C.; Tedeschi, A.; Ruscio, D.; Save, L.; Chiarugi, F.; Guerri, D. Leveraging human factors in cybersecurity: An integrated methodological approach. Cogn. Technol. Work 2022, 24, 371–390. [Google Scholar] [CrossRef] [PubMed]
  18. Ashby, W.R. An Introduction to Cybernetics; Chapman and Hall: London, UK, 1956. [Google Scholar]
  19. van der Kleij, R.; Leukfeldt, R. Cyber resilient behavior: Integrating human behavioral models and resilience engineering capabilities into cyber security. In Advances in Human Factors in Cybersecurity, Proceedings of the AHFE 2019 International Conference on Human Factors in Cybersecurity, Washington, DC, USA, 24–28 July 2019; Springer: Berlin/Heidelberg, Germany, 2020; Volume 10, pp. 16–27. [Google Scholar]
  20. Goswami, M. Utilizing AI for automated vulnerability assessment and patch management. Eduzone 2019, 8, 54–59. [Google Scholar]
  21. Aota, M.; Kanehara, H.; Kubo, M.; Murata, N.; Sun, B.; Takahashi, T. Automation of vulnerability classification from its description using machine learning. In Proceedings of the 2020 IEEE Symposium on Computers and Communications (ISCC), Rennes, France, 7–10 July 2020; pp. 1–7. [Google Scholar]
  22. Walkowski, M.; Oko, J.; Sujecki, S. Vulnerability management models using a common vulnerability scoring system. Appl. Sci. 2021, 11, 8735. [Google Scholar] [CrossRef]
  23. Macnish, K.; Van der Ham, J. Ethics in cybersecurity research and practice. Technol. Soc. 2020, 63, 101382. [Google Scholar] [CrossRef]
  24. Orlikowski, W.J. Using technology and constituting structures: A practice lens for studying technology in organizations. Organ. Sci. 2000, 11, 404–428. [Google Scholar] [CrossRef]
  25. Pentland, B.T.; Feldman, M.S. Organizational routines as a unit of analysis. Ind. Corp. Change 2005, 14, 793–815. [Google Scholar] [CrossRef]
  26. Berente, N.; Lyytinen, K.; Yoo, Y.; King, J.L. Routines as shock absorbers during organizational transformation: Integration, control, and NASA’s enterprise information system. Organ. Sci. 2016, 27, 551–572. [Google Scholar] [CrossRef]
  27. Rossi, M.; Nandhakumar, J.; Mattila, M. Balancing fluid and cemented routines in a digital workplace. J. Strateg. Inf. Syst. 2020, 29, 101616. [Google Scholar] [CrossRef]
  28. Cavelty, M.D. Cybersecurity between hypersecuritization and technological routine. In Routledge Handbook of International Cybersecurity; Routledge: Abingdon, UK, 2020; pp. 11–21. [Google Scholar]
  29. Ross, R.; Pillitteri, V.; Graubart, R.; Bodeau, D.; McQuaid, R. Developing Cyber Resilient Systems: A Systems Security Engineering Approach; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2019. [Google Scholar]
  30. Abdirad, H. Managing digital integration routines in engineering firms: Cases of disruptive BIM cloud collaboration protocols. J. Manag. Eng. 2022, 38, 05021012. [Google Scholar] [CrossRef]
  31. Yoo, Y.; Park, H.-S. Qualitative Risk Assessment of Cybersecurity and Development of Vulnerability Enhancement Plans in Consideration of Digitalized Ship. J. Mar. Sci. Eng. 2021, 9, 565. [Google Scholar] [CrossRef]
  32. Crotty, J.; Daniel, E. Cyber threat: Its origins and consequence and the use of qualitative and quantitative methods in cyber risk assessment. Appl. Comput. Inform. 2022, 22, 198–209. [Google Scholar] [CrossRef]
  33. Balmer, D.F.; Richards, B.F. Conducting qualitative research through time: How might theory be useful in longitudinal qualitative research? Adv. Health Sci. Educ. 2022, 27, 277–288. [Google Scholar] [CrossRef]
  34. Aguinis, H.; Hill, N.S.; Bailey, J.R. Best Practices in Data Collection and Preparation: Recommendations for Reviewers, Editors, and Authors. Organ. Res. Methods 2021, 24, 678–693. [Google Scholar] [CrossRef]
  35. Young, J.C.; Rose, D.C.; Mumby, H.S.; Benitez-Capistros, F.; Derrick, C.J.; Finch, T.; Garcia, C.; Home, C.; Marwaha, E.; Morgans, C.; et al. A methodological guide to using and reporting on interviews in conservation science research. Methods Ecol. Evol. 2018, 9, 10–19. [Google Scholar] [CrossRef]
  36. Almatrodi, I.; Li, F.; Alojail, M. Organizational resistance to automation success: How status quo bias influences organizational resistance to an automated workflow system in a public organization. Systems 2023, 11, 191. [Google Scholar] [CrossRef]
  37. Chedrawi, C.; Haddad, G. The rise of quasi-humans in AI fueled organizations, an ultimate socio-materiality approach to the lens of Michel Serres. Pac. Asia J. Assoc. Inf. Syst. 2022, 14, 2. [Google Scholar] [CrossRef]
  38. Bennani-Taylor, S. Infrastructuring AI: The stabilization of ‘artificial intelligence’ in and beyond national AI strategies. First Monday 2024, 29, 2. [Google Scholar] [CrossRef]
Systems 14 00573 g001
Figure 1. Conceptual Model of AI as a Dynamic Co-Performer in the Evolution of Vulnerability Management Routines. For optimal clarity, please zoom in or enlarge the figure by 400% when viewing the digital version of this paper.
Figure 1. Conceptual Model of AI as a Dynamic Co-Performer in the Evolution of Vulnerability Management Routines. For optimal clarity, please zoom in or enlarge the figure by 400% when viewing the digital version of this paper.
Systems 14 00573 g001
Table 1. Organizational Routine Theory applied to Vulnerability Management.
Table 1. Organizational Routine Theory applied to Vulnerability Management.
ORT
Dimension		DefinitionTheoretical Insight from This Study
Ostensive RoutineThe formal understanding of how the routine is expected to be carried out.VM processes are often documented as linear workflows (e.g., triage, scoring, patching), but AI introduction reveals the gap between prescribed procedures and operational complexity. These formal representations act as reference points for system coordination, even when they diverge from practice.
Performative RoutineThe actual actions and decisions taken by individuals in practice.Analysts frequently adapt routines, override AI outputs, and develop workarounds. These performative elaborations show how routines evolve in response to AI frictions and limitations. Through these adaptations, organizations continuously recalibrate their responses to vulnerabilities.
ArtifactsTools and technologies that mediate, support, or constrain routines.AI scoring systems and dashboards are not neutral. They shape how decisions are made and introduce new dynamics, sometimes stabilizing routines, other times generating new tensions. These artifacts act as mediating elements that influence how vulnerability signals are interpreted and acted upon.
Table 2. Overview of participants.
Table 2. Overview of participants.
IdentifierPositionLevel
FPAChief Information Security OfficerC-Level
DMAHead Security OperationsDirector
TSTHead of Security PlatformsDirector
ABAHead of Governance Risk and ComplianceDirector
ITZVulnerability Management LeadSME
CTZCyber Defense Center LeadTeam Lead
TDONetwork and Communication Services ART LeaderDirector
CLEEnterprise Architect for Cloud, Services and ApplicationDirector
PKODirector Enterprise Architect Web and MobileDirector
YBEService Line Manager InfrastructureDirector
ADUVMS Service ManagerTeam Lead
SSOProject Manager for Vulnerability ManagementTeam Lead
IBOSenior Remediation Subject Matter ExpertSME
SNAVMS Remediation SupportAnalyst
IAVScrum MasterProject Management
PBUThreat Intelligence LeadTeam Lead
MSTIncident CoordinatorSME
MJCVPenetration Testing Coordinator and ConsultantSME
MWASecurity Dashboard ManagerTeam Lead
BGPGlobal Transversal ArchitectSME
BCZHead of OT SecuritySME
WBOIncident Response LeadSME
Table 3. Summary of findings.
Table 3. Summary of findings.
Empirical FocusFirst-Order ConceptsSecond-Order ThemesAggregate DimensionORT InterpretationPractical Implication
Initial integration of AI-enabled automationIncomplete CMDB data, fragmented scanning outputs, capacity constraints, manual validation, remediation delaysStrained data quality, fragmented triage, resource limitations, initial automation responsePhase I: AI-enabled automation integrationThe ostensive routine defines VM as a linear process, but the performative routine reveals gaps between formal workflow and operational reality.Organizations need reliable asset data, clear ownership, and validation responsibilities before AI-enabled automation can support effective prioritization.
Technology versus human expertiseAI scoring, analyst override, human contextualization, ethical accountability, post-patching validationTechnological reliance, human interpretive abilities, limitations of technology, contextual decision-making, ethical decision-makingPhase II: Technology versus human expertise tensionAI-enabled artifacts participate in routine enactment, but human actors remain necessary to interpret, validate, and account for decisions.AI should be designed as decision support rather than as a replacement for analysts. Human expertise remains essential for business context, risk acceptance, and operational assurance.
Usability and multi-vendor complexityVendor-specific patch cycles, duplicate tool outputs, interoperability gaps, scattered asset ownership, dashboard limitations, approval delaysVendor diversification, interoperability, fragmented security, user experience gaps, internal policies, agile recalibrationPhase II: Usability versus multi-vendor complexity tensionArtifacts can both support and disrupt routines. When tools are fragmented, analysts develop performative workarounds to restore coordination.AI-enabled VM requires integration mechanisms, usable dashboards, common asset identifiers, ownership rules, and escalation paths.
Routine stabilization and learningThreshold tuning, false-positive feedback, analyst refinement, playbook updates, formalized human–AI rolesFeedback loops, hybrid routines, analyst calibration, formalization of practice, routine learningPhase III: Reconciliation and routine stabilizationThe performative routine gradually reshapes the ostensive routine as repeated human–AI practices become formalized.Organizations should treat AI-enabled VM as a learning routine supported by feedback loops, not as a one-time automation project.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Saadallah, M.; Shahim, A.; Khapova, S. Rethinking Vulnerability Management: How AI and Automation Reshape Organizational Routines and Supports Adaptive Cybersecurity Systems. Systems 2026, 14, 573. https://doi.org/10.3390/systems14050573

AMA Style

Saadallah M, Shahim A, Khapova S. Rethinking Vulnerability Management: How AI and Automation Reshape Organizational Routines and Supports Adaptive Cybersecurity Systems. Systems. 2026; 14(5):573. https://doi.org/10.3390/systems14050573

Chicago/Turabian Style

Saadallah, Mehdi, Abbas Shahim, and Svetlana Khapova. 2026. "Rethinking Vulnerability Management: How AI and Automation Reshape Organizational Routines and Supports Adaptive Cybersecurity Systems" Systems 14, no. 5: 573. https://doi.org/10.3390/systems14050573

APA Style

Saadallah, M., Shahim, A., & Khapova, S. (2026). Rethinking Vulnerability Management: How AI and Automation Reshape Organizational Routines and Supports Adaptive Cybersecurity Systems. Systems, 14(5), 573. https://doi.org/10.3390/systems14050573

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop