
AI-infused intelligence and investigative capability

Thomas Drohan at Clue Software describes a crucial missing layer in enterprise security

Enterprise security has evolved dramatically over the past decade, but many of the tools organisations currently depend on were built for a different threat landscape entirely.

Defensive mechanisms like endpoint detection, SIEMs, threat intelligence platforms and network monitoring still protect against certain primary threats, but they no longer serve the whole picture of where current-day threats operate. The threat landscape facing today’s large organisations is far broader than most security strategies account for.

Europol’s EU-SOCTA 2025 report, The Changing DNA of Serious and Organised Crime, describes such crime as having evolved into global, technology-driven enterprises that exploit digital platforms and geopolitical instability to extend their reach. Whether it’s industrial-scale fraud, human exploitation networks, or nation-state proxies, criminal groups are professionalising and automating, often using AI to scale deception and evade detection.

Threats are also evolving beyond criminal enterprises. Organisations face widespread abuse of vulnerable people, opportunistic wrongdoing by individuals, including insiders, and various other concerns that escalate into something far more serious if left unaddressed.

What connects these threats is where they frequently operate: inside routine workflows, trusted relationships and everyday commercial decisions. Whether criminal, abusive or simply unethical, harmful activity is increasingly embedding itself within day-to-day organisational processes, exploiting institutional blind spots and the people within them. Most often, the drivers are people who are coerced, colluding or operating without adequate oversight.

The goal is no longer simply to block and detect. It is to build intelligence, coordinate disruption, protect people from harm and secure provenance-rich outcomes and records that hold up to examination.

This shift is being accelerated by rapid advances in AI-driven detection. The emergence of models such as Anthropic’s Mythos demonstrates how quickly modern AI can identify vulnerabilities and potential intrusion paths, significantly compressing the time between exposure and discovery. Security teams will rightly move quickly to address the weaknesses these tools surface. Yet this acceleration also exposes a growing imbalance: as detection becomes faster and more precise, the volume and complexity of the issues demanding a response increase. Historically, most organisations built their security capabilities around a single assumption: detect the anomaly before it becomes a breach. That investment is warranted, but detection alone does not answer the harder questions that follow. What does this pattern of behaviour actually mean? Who is connected to whom? What is the evidential picture, and what should happen next?

Core tech stack components

Data-driven anomaly detection sits at the top of the stack. Below it should sit an equally essential second layer: a system that transforms anomalies into a coherent intelligence picture, allowing teams to coordinate disruption, construct robust evidence cases and produce assessments that can reconfigure organisational priorities. It is this second layer that today’s enterprises consistently underinvest in, and it remains persistently neglected.

Without it, alerts accumulate and suspicions are logged, but the work that determines whether harm is prevented falls back onto fragmented teams of investigators, analysts, HR professionals, safeguarding leads, legal, security and senior decision-makers. All of them rely on shared folders, spreadsheets and email chains, but none of these tools can meet the evidential, legislative or operational requirements of serious harm reduction work.

These environments are legally consequential. Evidence must be built to withstand legal scrutiny and be traceable, attributable and defensible at every step. Workflows must reflect legislation, not work around it. That requires deep expertise in intelligence and investigative technique, chain of custody, disclosure obligations and multiagency coordination: capabilities that are very difficult to replicate from a generic internal toolset.

Access to codified best practice is equally important. Adversaries adapt rapidly, share tactics and exploit the same weak spots repeatedly. Organisations will only gain advantage by encoding best practice into workflows, sharing intelligence across functions and updating their approach continuously as new threats emerge.

AI: transformative in intelligence and investigation

When organisations strengthen this capability layer, new challenges around ‘volume’ emerge rapidly. Interviews, emails, financial records, cross-border intelligence, internal reporting and safeguarding referrals all arrive at speed, in unstructured formats, and from multiple sources simultaneously.

This is where AI moves from theoretical promise to actual operational value: not as a replacement for human expertise, but as a force multiplier embedded within it.

The starting point is structure - transforming raw, unstructured inputs into clean, consistent records that hold up to examination. Without trustworthy data, AI delivers noise rather than insight. It needs to sit inside legislation-aware workflows, assisting with triage, surfacing relevant entities, detecting signals and making connections across datasets. Tasks that previously took hours can then be completed in seconds, allowing teams to process far greater volumes without expanding headcount.

But speed is not the only justification. This work requires AI to operate within auditable, defensible processes where the people responsible (analysts, safeguarding professionals, legal teams and senior leaders) retain clear oversight and final decision-making authority. AI can assist and accelerate, but it cannot replace professional judgment.

The path forward must be an operational one: applying AI to the friction points that slow the work by triaging information, linking evidence and preparing material for human review. When embedded into repeatable, best-practice workflows, AI becomes a productivity multiplier that reduces noise and enables teams to direct effort where risk and harm are highest. Used well, it also shifts the function upstream, surfacing conditions where harm can be disrupted before it fully materialises.

A strategic capability, not a point solution

The organisations that will manage this environment most effectively are those that treat harm reduction capability as a strategic asset and embed it across functions, rather than siloing it within a single team. The cohort of people who need to work from a shared intelligence picture is broader than ever; when those functions operate in isolation, harm will persist in the gaps between them.

This means re-engineering intelligence and investigative capabilities to match how criminal groups and individuals use AI and exploit weaknesses: encoding best practice, institutionalising knowledge, integrating AI where it genuinely accelerates expertise and ensuring every step strengthens evidential integrity across the full spectrum of harm, from lower-level concerns through to serious and organised threats.

Intelligence and investigation are never the end state. Their value lies in the learning they produce: recommendations that feed back into the business, strengthen controls, and reduce future exposure. This closes the loop between sensing a threat, making sense of it and acting. It is this loop that separates organisations that merely respond to harm from those that get ahead of it.

Defending the perimeter has never been the entire answer. For organisations serious about using intelligence and investigative capability as a strategic advantage - protecting their people, operations, integrity and society as a whole - this is where the most impactful security work now begins.

Thomas Drohan is Chief Strategy Officer at Clue Software

Main image courtesy of iStockPhoto.com WANAN YOSSINGKUM

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543