Walk into any modern Global Security Operations Centre today and you’ll find an impressive array of flat screens, real-time data feeds, and dashboards that would look at home in a NASA control room. But ask anyone who has spent time in one of these environments — from the 24/7 watch offices of the 1990s to today’s AI-enhanced GSOCs — and they’ll tell you the same thing: the technology changes, but the feeling in the room doesn’t. The drudgery of quiet hours. The electric shift in energy the moment something happens. The urgent, collective focus on understanding what is occurring, who is affected, and what needs to be done.
The mission, in other words, has not changed. What has changed — dramatically — is the potential of the function to deliver value well beyond that mission. Realising that potential requires clarity about something the industry has long treated as either obvious or irrelevant: the distinction between security and intelligence.
Two functions, one team
When practitioners talk about security, they generally mean the reactive end of the spectrum: monitoring, detection, verification, impact assessment, communication. Fast, procedural, high-stakes. When they talk about intelligence, they mean something slower and more deliberate: historical context, geopolitical landscape, scenario development, forecasting.
In practice, of course, the line blurs. It has to. Consider an explosion near a transport hub in a major city. The security response — verifying the incident, assessing proximity to assets and personnel, initiating communications — depends entirely on contextual knowledge that sits firmly in the intelligence domain. Does this kind of event happen weekly or once a decade in this city? Is the likely cause infrastructure failure or deliberate attack? How will local authorities respond? Is a follow-on event probable? These are not questions a monitoring dashboard can answer. They require an analyst who knows the place.
The reverse is equally true. An intelligence team with a strong analytical culture can develop a bias toward the long view — a tendency to assess whether an event changes the strategic picture while the immediate operational response goes uncoordinated. The explosion may not shift the medium-term risk assessment, but someone still needs to check on the people in the area.
A review of Control Risks’ global embedded consulting population bears this out. Larger teams tend to staff both analytical and security-focused roles deliberately. Smaller teams trend toward hybridised roles — individuals carrying titles like Security Intelligence Analyst or Regional Security Analyst, expected to operate fluently across both disciplines. The line exists, but the work does not always respect it.
Why the distinction still matters
It would be tempting to conclude from this that the security-intelligence distinction is a bureaucratic artefact — useful in theory, irrelevant in practice. We would argue the opposite. Understanding the distinction, even where it is not enforced, enables intentionality in how organisations build and equip their teams.
Security-heavy teams typically need better access to intelligence tools — platforms that can rapidly contextualise an event against historical patterns, geopolitical dynamics, and regional norms. Intelligence-heavy teams often need stronger operational infrastructure: monitoring and alerting systems, response playbooks, and the workflows to act quickly when the situation demands it. Deploying the wrong tools to the wrong team — or assuming that a single hire can cover both competencies without support — is one of the most common and costly errors in this space.
Technology is accelerating the capability of both functions, making knowledge accessible at a scale and speed that was simply not possible a decade ago. But access to capability is not the same as the wisdom to deploy it. That still depends on understanding what your team is built to do.
From efficiency to expansion
This is where the more important strategic question arises. As AI and automation absorb an increasing share of the procedural workload — alert triage, report generation, traveller tracking, event verification — organisations face a choice. The path of least resistance is to treat that efficiency dividend as a cost saving: fewer people, same output, budgets preserved. Stay on mission.
The more consequential opportunity is to treat it as headroom for expansion.
The information held by security and intelligence functions has always had value beyond the security team. What has changed is the context in which that value is being recognised. Geopolitical volatility, supply chain fragility, sanctions complexity, and the blurring of physical and digital risk have forced functions that once operated at a comfortable distance from security to reckon with it directly. Structures and assumptions that held for a generation are being interrogated. In that environment, the depth of knowledge held by a well-run security and intelligence function — about regions, actors, infrastructure, and risk — has shifted from a nice-to-have to a business-critical capability. The barriers to sharing that knowledge across the organisation are falling at exactly the moment the demand for it is rising.
The result, in most organisations, is parallel and duplicated effort. Each function finds its own sources, builds its own picture, and draws its own conclusions — often from inferior information, and without the benefit of the contextual depth that a dedicated intelligence function can provide.
Silos, it is worth noting, are not irrational. When a team is coordinating response to an active incident, the last thing they need is an interruption from a colleague asking how the situation might affect a product launch. The operational logic of separation is real. The question is whether that separation needs to be permanent, or whether it can be made permeable under the right conditions.
The infrastructure layer
This is where agentic AI offers something genuinely new. Think of it not as a replacement for human judgment, but as an infrastructure layer — a set of capable, tireless connectors that can translate security and intelligence outputs into formats that other functions can actually use, without requiring the analysts who produced them to do the translation themselves.
Forecasting data can automatically trigger contingency planning workflows in supply chain. Facility criticality data from business continuity teams can dynamically inform which sites analysts prioritise during a crisis. Situation reports written for a security audience can be restructured and reframed for finance, legal, or communications — in the language and format each function needs — without a single additional hour of analyst time.
The flow works in both directions. The same infrastructure that pushes intelligence outward can pull relevant organisational data inward: vendor relationships, asset registers, personnel locations, facility operational profiles. Connections that previously required sustained advocacy, personal relationships, and careful coordination during the moments of highest pressure can be established once and largely allowed to run.
Realising this potential is not simply a matter of deploying new tools. It requires clean, structured data; risk methodologies that are explicable under scrutiny; and a clear-eyed understanding of where technology should complement human judgment rather than substitute for it. The organisations doing this groundwork now will be the ones positioned to move with confidence as agentic AI shifts from an emerging concept to an operational reality.
The room will still feel the same. But what the team can accomplish within it will be transformed.
