Towards Sociotechnical Intelligence in Cyber Intrusion Detection: A Systematic Review Integrating ML/DL Performance, Human Adoption, and RAG-Enhanced Explainable AI

Abstract

Intelligent Intrusion Detection Systems (IDS) routinely report accuracy above 99% on standard benchmarks, yet real‑world deployment remains limited, an operational divergence we formalize as the Performance–Adoption Gap (PAG). This PRISMA‑compliant (Preferred Reporting Items for Systematic Reviews and Meta‑Analyses) systematic review integrates 153 empirical IDS studies (2009–2025), an extended UTAUT2 adoption survey of 300 security professionals, and the distributed‑systems literature to examine this gap from a sociotechnical perspective. We contribute: (1) a transparent six‑stage PRISMA pipeline with reproducibility artifacts; (2) a Six‑Axis Sociotechnical Taxonomy that extends four technical IDS dimensions with two empirically grounded human‑factors axes; (3) a quantitative meta‑analysis showing a mean accuracy of 97.1% but a median minority‑class recall of 0.648 and an average cross‑dataset accuracy drop of 18 percentage points; (4) a formal definition of the PAG as a divergence measure; and (5) a ten‑stage Sociotechnical IDS Architecture that maps detection, explanation, and analyst‑interaction stages to distributed edge–cloud and federated deployment scenarios. The analysis highlights scalability constraints, including inference latency, horizontal partitioning, and model‑synchronization overhead, that directly affect cluster‑based IDS deployments. Finally, we outline a prioritized research roadmap, identifying Retrieval‑Augmented Generation (RAG) augmented explainability as a high‑leverage direction for bridging technical performance with operational adoption in distributed and federated IDS environments.
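The gap between headline accuracy and minority‑class recall that the meta‑analysis reports (97.1% mean accuracy against a 0.648 median minority‑class recall) is easy to reproduce on any benign‑dominated test set. The following Python is an added illustration, not code or data from the paper: it builds a constructed, deliberately imbalanced label set (class names and counts are assumptions chosen to resemble benign‑heavy IDS benchmarks), then computes overall accuracy, per‑class recall, recall of the rarest class, and the same metrics for a detector that labels everything benign.

```python
"""Why a 98.7 % accurate IDS can still miss most of a rare attack class.

Constructed labels only (not from any real dataset or from the paper):
0 = benign, 1 = DoS, 2 = Probe, 3 = R2L.
"""
from collections import Counter


def build_sample():
    """Return (y_true, y_pred) for a constructed, heavily imbalanced test set.

    The class mix is an assumption chosen to resemble the benign-dominated
    benchmarks the survey discusses; the prediction pattern (loud attacks
    caught, quiet ones missed as benign) is likewise constructed.
    """
    y_true, y_pred = [], []

    def add(true_label, pred_label, n):
        y_true.extend([true_label] * n)
        y_pred.extend([pred_label] * n)

    add(0, 0, 943); add(0, 1, 5)     # benign: 948 samples, 5 false alarms
    add(1, 1, 30)                    # DoS: high-volume, all caught
    add(2, 2, 10); add(2, 0, 2)      # Probe: 12 samples, 2 missed as benign
    add(3, 3, 4);  add(3, 0, 6)      # R2L: 10 samples, 6 missed as benign
    return y_true, y_pred


def accuracy(y_true, y_pred):
    """Fraction of all samples labelled correctly; dominated by the majority class."""
    hits = sum(1 for t, p in zip(y_true, y_pred) if t == p)
    return hits / len(y_true)


def per_class_recall(y_true, y_pred):
    """Recall (true-positive rate) for every class present in y_true."""
    support = Counter(y_true)
    hits = Counter(t for t, p in zip(y_true, y_pred) if t == p)
    return {c: hits[c] / support[c] for c in support}


def minority_class_recall(y_true, y_pred):
    """Recall of the least frequent true class: the figure the survey reports
    a median of 0.648 for while mean accuracy sits at 97.1 %."""
    rarest = min(Counter(y_true).items(), key=lambda kv: kv[1])[0]
    return per_class_recall(y_true, y_pred)[rarest]


def macro_recall(y_true, y_pred):
    """Unweighted mean of per-class recall; every class counts equally."""
    r = per_class_recall(y_true, y_pred)
    return sum(r.values()) / len(r)


def majority_baseline(y_true):
    """Predict the most common class for everything: the do-nothing detector
    that an accuracy-only benchmark still scores highly."""
    majority = Counter(y_true).most_common(1)[0][0]
    return [majority] * len(y_true)


if __name__ == "__main__":
    y_true, y_pred = build_sample()
    base = majority_baseline(y_true)
    for name, pred in (("model", y_pred), ("all-benign baseline", base)):
        print(f"{name:>20}: accuracy={accuracy(y_true, pred):.3f} "
              f"macro_recall={macro_recall(y_true, pred):.3f} "
              f"minority_recall={minority_class_recall(y_true, pred):.3f}")
```

On the constructed sample the model scores 0.987 accuracy while recalling only 0.4 of the R2L class, and the all‑benign baseline still reaches 0.948 accuracy with zero attack recall. When reviewing an IDS evaluation, ask for per‑class recall and a majority‑class baseline alongside accuracy, and for a held‑out dataset from a different source to expose the cross‑dataset drop the abstract describes.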
