Let’s begin by rejecting an outdated assumption: Threat Intelligence (TI) is still widely treated as Security Operations Center material: monitoring, detection, response. A technical discipline owned by IT and security teams. That framing no longer matches reality.

RecordedFuture’s 2025 State of Threat Intelligence shows TI increasingly shaping decisions that have nothing to do with day-to-day SOC triage: it supports purchasing decisions, business risk assessment, incident resource allocation and other strategic choices.

IBM’s Cost of a Data Breach 2025 analysis highlights an “AI oversight gap,” and states that one in five studied organizations experienced breaches linked to "shadow AI", individual AI tools adopted by employees without IT or security oversight.

© Belgaimage

ISACA’s summary of top AI incidents in 2025 makes the same point in sharper language: the biggest failures weren’t technical. They were organizational: weak controls, unclear ownership, and misplaced trust.

AI is not a gadget. TI is not a technical add-on. They are both organization-critical. Boards and executive teams have governance responsibility here.

AI accelerates cyber risk. It lowers the barrier to entry and helps attackers scale faster. On the other hand, AI is exactly what defenders need in order to cope with the scale: correlating massive volumes of signals, spotting patterns, and detecting collective threats earlier.

But it would be unwise to leave the defensive part to individual organizations or to a single models and cybersecurity vendors. If everyone buys the same threat feeds, relies on the same sources, and uses the same model assumptions, we create systemic fragility: the same blind spots, multiplied across the ecosystem.

RecordedFuture’s 2025 State of Threat Intelligence contains a telling indicator of institutional under-readiness: the legal, compliance and policy teams of governments and institutions are among the least likely to actively consume threat intelligence.

Even when corporate governance improves, corporate governance alone is not enough. TI has become part of collective resilience.

The societal cost of cyber risk is not limited to the cost of breaches, reputational damage, or ransoms. It increasingly includes attacks and pressure on critical infrastructure: energy, transport, public services and the information supply ecosystem.

When information supply becomes a target, cyber risk becomes democratic risk. When energy supply becomes a target, cyber risk becomes economic stability risk. When public services become targets, cyber risk becomes societal continuity risk.

This is why looking at TI as public good is crucial. Public budgets and public policy cannot remain spectators.

NATO’s post-Hague framework explicitly commits Allies toward 5% of GDP for defence and defence and security-related spending by 2035, with 3.5% for core defence and 1.5% for security-related areas such as resilience and protection of infrastructure.

Cyber resilience and information security belong inside that logic because they now sit on the same layer as societal continuity.

Governments have to treat cyber resilience and information security as part of national security and resilience spending aligned with the broader security logic reflected in NATO’s 5% commitment framework.

We have to build public literacy about the underwater current, the disinformation dynamics and infrastructure risk and learn to see beyond surface waves for the depts of the cyber ocean.

We need shared situational awareness and accept Threat Intelligence from now on as a Public Good.

This blog is written by Patrick Lacroix in a personal capacity. AI tools are used for research, structuring, drafting and language support. All content is selected, verified, and edited by the author, who retains full editorial responsibility.