The conversation around AI in threat intelligence has matured considerably. Teams are no longer asking whether to adopt AI; most already have. The real question now is whether adoption is translating into operational impact, or whether it remains sitting at the edges of existing workflows.
What is becoming clear from organizations actively embedding AI into their intelligence programs is that it is reshaping how intelligence is produced. The analyst remains central, but the nature of their work is shifting, away from manual, repetitive data collection and towards the analytics and judgment that stakeholders need.
AI adoption is widespread, maturity is not
The headline numbers are striking. Between 77 and 83% of businesses are reportedly using AI in some form, and around 75% of workers have used AI tools at least once in their daily work, a figure that has nearly doubled in the past two years. On average, AI is saving workers around three and a half hours per week, and 90% of employees report that it helps them save time.
But these figures tell only part of the story. Only around 1% of organizations describe themselves as genuinely mature in how they use AI. There is a significant gap between experimenting with AI tools and integrating them into structured, repeatable intelligence workflows. Larger organizations are moving faster (enterprise adoption sits above 90% in some studies), but even within those organizations, the depth of integration varies considerably.
For intelligence teams, this gap matters. Surface-level AI adoption, using a chatbot to rephrase a report, for instance, delivers limited value. The organizations seeing the most meaningful gains are those that have moved beyond experimentation and embedded AI at specific, well-defined points in their intelligence cycle.
What threat analysts are using AI for
The most consistent use case, by a significant margin, is summarization and report drafting. Analysts are using AI to turn large volumes of data into concise, structured summaries, helping them generate first-draft reports and reducing the time spent on what many describe as ‘the grunt work’ of intelligence production.
This is particularly valuable in fast-moving situations. Consider a complex geopolitical development, for example the evolving activity around the Strait of Hormuz. At any given moment, reporting needs to span military developments, diplomatic signalling, energy market movements, and downstream supply chain effects. No single analyst can manually track all of this in real time. AI summarization allows teams to maintain a comprehensive rolling picture across multiple dimensions simultaneously, not by replacing the analyst’s expertise, but by reducing the time required to reach it.
Alongside summarization, two further use cases have emerged consistently across intelligence programs. The first is formatting and communication optimization: using AI to structure outputs, apply report templates, and standardize formats, tasks that are especially time-consuming in smaller teams.
The second is audience adaptation. Analysts are using AI to translate technical intelligence into executive summaries, and to feed the outputs into internal portals and leadership briefing tools. This helps bridge the gap between intelligence production and business consumption, a challenge that remains one of the more persistent pain points in mature programs.
A third, more advanced use case is also present across multiple organizations: technical data processing. This includes alert triage, EDR analysis, malware analysis support, and improving alert quality. What distinguishes successful implementations here is that, while AI operates within technical pipelines, it remains under human supervision.
Where AI is not trusted in threat intelligence and why that matters
Intelligence teams are largely in agreement that AI should not be used for final analysis without meaningful human involvement. These concerns are well-founded: hallucination, lack of contextual judgment, and the risk of incorrect conclusions drawn from ambiguous or incomplete data. These are not theoretical risks; they are operational ones, and the consequences of acting on flawed intelligence can be significant.
A useful frame is to treat AI outputs the way a senior analyst treats a junior colleague’s work: as a starting point that requires review, verification, and editing, not a finished product. This framing appears widely accepted across organizations that have found a workable equilibrium between AI capability and analytical integrity.
Data governance is a further constraint that limits AI usage in many environments. Concerns around personal data, regulatory obligations, and data sovereignty mean that many organizations restrict or prohibit the use of AI on internal data. For teams handling sensitive intelligence, this is not an abstraction; it directly shapes which use cases are viable and which remain off-limits.
“There’s still a big concern about where data will sit and who may have access to it, which in some cases can significantly limit its usage,” said Hannah Baumgaertner, Head of Research.
PIR-driven workflows and the intelligence cycle
Where AI becomes genuinely transformative is when it is integrated with Priority Intelligence Requirements (PIRs), the defined questions and information needs that should be driving any intelligence program. PIRs act as a compass: they keep collection, analysis, and reporting aligned with what decision-makers need to know.
When AI features are built around PIRs rather than bolted on separately, the gains compound. Automated collection pipelines can be configured around specific requirements and linked assets, ensuring that reporting is scoped to what matters. Scheduled reports can be generated, formatted, and disseminated without manual assembly. When a major incident breaks (a significant supply chain attack, for instance), analysts can stand up a new monitoring workflow, link it to an existing or new PIR, gather reporting, and produce a structured brief in a fraction of the time it would previously have taken.
This matters not just for efficiency, but for relevance. Intelligence that arrives late or is poorly scoped to stakeholder needs loses much of its value. AI-assisted workflows tied to clear intelligence requirements help close that gap.
AI for efficiency, not a decision-maker in threat intelligence
The clearest takeaway from organizations that have moved beyond experimentation is this: AI works best when it is treated as a workflow accelerator rather than an analytical replacement. It helps analysts navigate large intelligence environments more efficiently, surface relevant information faster, and reduce the time spent on repetitive manual work. But judgment, prioritization, and analytical reasoning remain human responsibilities.
The organizations seeing the most value are those using AI aggressively for efficiency while keeping humans at the core of analysis, and those focusing on how intelligence is consumed, not just how it is produced. Recommendations, mitigations, and stakeholder engagement are things AI cannot replace. Freeing analysts to focus on exactly those things is what a well-implemented AI layer enables.
Watch the full webinar “Operationalizing AI in threat intelligence: What works today” on demand here.




