Human compromise doesn’t look like a security alert. That’s the problem.

NetClean

Last week, NetClean hosted a session in Stockholm on human insider risk together with IT security expert David Jacoby and researcher Christoffer Rahm from Karolinska Institutet. It became one of those rare discussions that fundamentally shifts how you look at a problem.

The conversation focused on a category of risk that most organisations are not equipped to see, even though it already exists inside their environment.

Here are three key insights from the session.

1. The scale of insider vulnerability is already inside your perimeter

One figure stood out: 1 in 500 corporate devices is being used to access compromising or high-risk material, and in roughly half of those cases additional high-risk indicators are present. These are not unmanaged endpoints or unknown users. They are corporate devices on managed networks, used by employees with normal roles, normal access, and no visible red flags in HR or IT systems.

This is where the gap becomes clear. Most security tools are designed to detect intent against the organisation, such as data exfiltration, fraud, or policy violations, and they rely on anomalies and behavioural deviations to do so. This is different. These individuals are not acting against the organisation; they are operating within it. Their behaviour in corporate systems appears normal, which means there are no anomalies to flag. To detect this category of risk, you need to know what to look for, and traditional approaches are not built for it.

2. The real risk is not the material. It is the vulnerability it creates

The most important shift in perspective is this. The risk is not only that an individual is accessing this type of material. It is what that exposure creates.

CSAM consumption creates the perfect blackmail victim. And someone, somewhere, already has the list.

Once someone has something to hide at that level, they become predictable and therefore exploitable. Attackers do not need to breach systems. They identify individuals through leaked data, compromised platforms, or dark web sources, validate identity and access, and then initiate contact.

From there, the pressure escalates. The individual, who already has legitimate credentials and organisational trust, becomes a controlled entry point. Documented outcomes from this type of coercion include financial fraud in the millions, large-scale data exfiltration, and intellectual property theft, all enabled through coercion and all originating from a personal vulnerability the organisation did not know existed. In many cases, that leverage exists long before any attacker makes contact.

3. When it happens, the risk does not manage itself

The data shows that this is not a marginal issue. Around 40 percent of individuals in this category access compromising material during working hours, and many do so on corporate devices outside the office. This makes it a corporate risk, not only a societal one.

The response cannot be improvised. It needs to be owned internally, structured, and proportionate, and it needs to begin at the moment of detection. The challenge for most organisations is not how to respond; established frameworks already exist for handling sensitive internal risk. The challenge has been visibility: without insight into this layer of human risk, there is nothing to act on.

From insight to action

What became clear in Stockholm is that this is not about building entirely new security structures. It is about recognising a blind spot. When behavioural research, real-world data, and documented attack patterns are considered together, this stops looking like a niche issue and starts looking like a governance question.

Organisations need the ability to detect early indicators of human vulnerability and turn them into high-confidence, actionable alerts. Without that visibility, a critical category of insider risk remains undetected.

Most organisations are not aware that this gap exists. Now you are.

Ready to strengthen your insider risk posture?

Gain visibility into hidden human risk and detect compromised individuals before they become a threat to your organisation.

Talk to our experts about integrating NetClean into your security and compliance workflows.