
Intelligence-Led, Privacy-First: A Transatlantic Approach to Human Risk

Intelligence-Led, Privacy-First:
A Transatlantic Approach to Human Risk
A Special Guest Contribution By Stephanie Böhm
American and European companies often approach human risk from different cultural and legal starting points. In the United States, corporate security is often shaped by an intelligence-led mindset: identify vulnerabilities, understand how people may be targeted or exploited, and intervene before fraud, insider activity, executive impersonation, or corporate espionage causes harm. On the other side of the pond, Europe tends to place greater emphasis on privacy, proportionality, legal restraint, and fundamental rights. These differences are sometimes treated as incompatible. In practice, neither approach is sufficient on its own.
Human-risk management needs to anticipate threats, but it also needs clear limits. Performed well, it helps organizations understand exposure without turning into unrestricted surveillance.
The human layer of corporate security
Organizations have invested heavily in technical security. Networks have been strengthened, multifactor authentication has become standard, and incident-response procedures have improved. Even so, many serious breaches still involve people:
- Publicly available information about an executive may support a convincing impersonation attempt.
- An undisclosed conflict of interest may create a vulnerability.
- A candidate for a sensitive role may present risks that a conventional background check does not reveal.
- A hostile actor may combine details from professional networks, social media, company records, leaked credentials, and other sources to build a detailed picture of a target.
Thus, human risk sits at the intersection of personal exposure, organizational access, trust, behavior, and external influence. However, this does not mean that employees or business partners should be treated as threats—most are not. But it does mean acknowledging that people can create risk or become exposed to it, either willingly or unwillingly. They may be pressured, manipulated, impersonated, recruited, or placed in situations that affect both them and their organization.
Understanding that risk requires more than reviewing isolated data points: it means understanding the psychology of influence, coercion, trust, and decision-making.
What an intelligence-led mindset contributes
An intelligence-led approach starts by asking what could happen before an incident occurs:
- Who might target the organization?
- What would they want?
- Which employees, executives, suppliers, or business units could provide access?
- What information is already visible from the outside?
- Which relationships or vulnerabilities might be exploited?
Many human-risk incidents begin with interactions that appear routine. Corporate espionage may start with a professional introduction. CEO fraud may follow a long period of observation. Insider activity may be preceded by changes in access, relationships, financial pressure, or external contact.
The value of intelligence-led security lies in connecting those signals early enough to act on them, and encouraging organizations to consider the adversary’s perspective when drafting risk-mitigation strategies. The question is not only whether procedures were followed, but how those procedures might be bypassed.
Open-source intelligence (OSINT) can support this work. Publicly and lawfully available information can help assess exposure, identify inconsistencies, understand networks, and detect vulnerabilities.
The fact that information is publicly available, however, does not mean every use of it is justified. This is where the European perspective becomes particularly important.
What a privacy-first mindset contributes
Europe contributes clear rules for how human-risk intelligence should be collected, assessed, and used.
Purpose limitation, data minimization, proportionality, accuracy, transparency, and accountability require organizations to explain why information is being collected, whether it is relevant, who may access it, and how long it should be retained. These safeguards are not only legal requirements, they also improve the quality of the assessment. Because human-risk assessments can affect careers, reputations, and even livelihoods, they need clear methods, reliable sources, human review, and a way to correct inaccuracies.
Excessive collection creates noise, increases exposure, and can lead to weak or misleading conclusions. More data does not automatically produce better intelligence. In many cases, a narrower and better-defined inquiry is more useful than broad aggregation.
Open-source information also has limits. Records may be outdated, identities may be confused, and context may be missing. Lawful behavior can easily be misread when viewed in isolation.
From principle to practice
An intelligence-led approach without sufficient restraint can become invasive. It may encourage unnecessary collection, continuous monitoring, or conclusions based on weak correlations. That can damage trust and create legal, ethical, and reputational risk.
A compliance-led approach without an intelligence mindset can fail in a different way. Organizations may document the process correctly while missing the threat itself. A completed checklist is not the same as a meaningful assessment.
In practice, the starting point should be the risk, not the volume of available data.
A pre-employment assessment should focus on information relevant to the sensitivity of the role. It should not become an unrestricted investigation into private life. An executive exposure assessment should identify information that could support impersonation, coercion, fraud, or physical targeting. Insider-threat and corporate-espionage inquiries should separate credible indicators from speculation and use clear thresholds, limited access, and human oversight.
The basic principles remain the same across these use cases: define the purpose, use relevant and reliable sources, minimize unnecessary information, verify findings, document judgments, and limit retention.
Europe can contribute more than regulatory constraints here. It can help shape a distinct model of human-risk intelligence based on European legal standards, regional data sources, accountability, and privacy by design.
That model would not treat data protection as an obstacle to security. Rather, it would show that organizations can identify genuine risks without collecting everything available about a person, and demonstrate that privacy safeguards need not prevent effective, forward-looking security work.
A shared transatlantic opportunity
Europe and the United States face many of the same human risks, including fraud, espionage, influence operations, and insider threats. American intelligence practice brings experience in anticipation, threat assessment, and adversarial thinking. Europe adds proportionality, accountability, and legal discipline. Used together, these strengths can help organizations identify genuine risks earlier without treating employees, candidates, executives, or business partners as objects of unrestricted surveillance.
That is the real transatlantic opportunity: not to choose between intelligence and privacy, but to develop a model of human-risk management that is effective, proportionate, and worthy of trust.