Visibility Creates Culture

January 29, 2026 · Ben Visser · 7 min read

Part 1: The Reporting Gap

Every organisation has a gap between what policies require and what people actually do. Nowhere is this more apparent than in incident reporting.

The policy says: report security concerns. The training says: if you see something, say something. The management system has a procedure, a form, a workflow. Everything is documented. And yet, when you look at the incident log, it's empty. Or near-empty. A handful of entries that feel more like compliance theatre than genuine signals.

This isn't because nothing happens. Things happen constantly. Suspicious emails arrive. Strange login prompts appear. Someone clicks something they shouldn't. Passwords get shared. Devices go missing. Workarounds get invented. The raw material for a rich incident log exists in abundance. It just never gets reported.

The reasons are familiar. Reporting feels like effort. There's a form to fill, a process to follow, a system to log into. People aren't sure if what they saw qualifies. They don't want to waste anyone's time. They don't want to look paranoid, or ignorant, or like they're making trouble. They assume someone else will handle it. They assume it's probably fine.

But underneath these surface reasons is something deeper. People don't report because they don't see others reporting. The silence reinforces itself. If the channel is quiet, the implicit message is: nothing worth mentioning happens here. Or: this isn't the kind of place where people raise concerns. Or simply: why would I be the first?

This is why policies fail. A policy is an instruction. It tells you what you should do. But it doesn't show you what others actually do. And for most people, what others do matters far more than what a document says.

Training has the same problem. You can run workshops. You can send reminders. You can make people click through modules and sign attestations. But the moment they return to their actual work, they take their cues from the environment around them. If that environment is silent, they stay silent too.

This creates a dangerous equilibrium. The less people report, the less others see reporting happening, the less anyone feels like reporting is normal. The incident log stays empty not because the organisation is secure, but because the culture has settled into a pattern of quiet.

And then, when something serious happens, everyone discovers that the warning signs were there all along. Just never mentioned.


Part 2: The Visibility Effect

The way to break this pattern isn't more policy. It's not more training. It's not stricter requirements or better forms.

It's visibility.

When people see others reporting, reporting becomes normal. When they see a colleague mention something suspicious and watch the response unfold, they learn two things at once: this is something worth mentioning, and this is a place where mentioning it is welcomed.

This is social proof applied to organisational behaviour. We're wired to look to others for signals about how to act, especially in situations where we're uncertain. A security incident feels uncertain to most people. Is this a big deal? Should I say something? The policy can't answer that question in a way that feels real. But seeing a colleague raise something similar — and seeing it handled well — answers it immediately.

The effect compounds. One person reports, another sees it and reports something they'd been sitting on, a third realises that the thing they noticed last week probably matters. The silence breaks, and suddenly there's signal where before there was nothing.

Visibility does more than increase volume. It increases quality. When reporting happens in a shared space, people learn from each other's incidents. They see patterns they wouldn't have noticed alone. They understand what kinds of things matter and why. The organisation gets smarter, not just more compliant.

This is the difference between documentation and culture. Documentation records what happened. Culture shapes what happens next. You can have perfect documentation and a broken culture. You can have meticulous records of incidents that arrived too late, because no one felt comfortable raising them when they were still preventable.

Visibility creates culture in a way that documentation never can. It shows people what's normal. It creates permission. It builds the muscle of raising concerns while they're still small.

The challenge is: how do you create visibility in the first place? If the channel is already silent, who breaks the silence?

You need a catalyst.


Part 3: The Agent as Catalyst

This is where AI agents change the equation.

An agent embedded in the tools people already use — Slack, Teams, wherever work actually happens — can do something that policies and training cannot. It can start the conversation.

Not by broadcasting reminders. Not by pushing notifications. By asking questions. Prompting reflection. Creating the conversational surface where visibility becomes possible.

The difference between an agent that asks and one that tells is fundamental. An agent that tells — here's your policy, here's your checklist, here's what you should do — is just automation dressed up as intelligence. It's the same top-down instruction, delivered faster. People tune it out the same way they tune out the training module.

An agent that asks is doing something different. It's inviting engagement. It's creating a moment where someone has to think, has to respond, has to articulate something in their own words. And crucially, when that response happens in a shared channel, others see it.

This is what we've built. An AI agent in Slack, prompting people about potential security concerns. Not lecturing. Asking. The agent surfaces something, asks if it seems right, invites a response. People answer. They answer in the channel, where colleagues can see. And suddenly there's a thread. There's a conversation. There's visible activity where before there was silence.

Within a week of launching this at one client, more incidents were reported than in the previous two years combined. Not because the organisation had suddenly become less secure. Because the things that were always happening finally had a place to surface.

The effects rippled outward. Infiltrated software got discovered and removed. Firewalls that should have been active got switched on. Actions that had been deferred for months happened in days. Not because anyone was told to do them, but because the visibility created urgency. When everyone can see the problem, ignoring it stops being an option.

And the evidence? It took care of itself. Every conversation, every response, every action — logged automatically. Classifications, root causes, corrective actions, all captured as a byproduct of the conversation. No separate documentation task. No retrospective form-filling. The audit trail emerged from the work itself.

This is what meeting people where they work actually means. Not building a compliance portal and hoping people visit it. Not sending links to forms and hoping people fill them in. Embedding intelligence into the environment where work already happens, so that the right behaviours become frictionless and the evidence generates itself.

The agent is the catalyst. It breaks the silence. It creates the first thread. And once visibility exists, culture starts to shift.


The Shift

Traditional compliance tries to change behaviour through instruction. Policies, procedures, training, reminders. The assumption is: if people know what they should do, they'll do it.

But that's not how behaviour works. People take their cues from what they see others doing. They act based on what feels normal, what feels safe, what feels expected. And they can't see a policy being followed. They can only see other people acting.

Visibility creates culture. It makes the right behaviour observable. It turns isolated compliance into shared practice. It breaks the silence that keeps incident logs empty and warning signs invisible.

But visibility needs a catalyst. Someone — or something — has to start the conversation. In a world where silence is the default, you need an agent that asks questions, that prompts engagement, that creates the surface where visibility can happen.

From compliance as instruction to compliance as conversation. From evidence as documentation to evidence as byproduct. From policies that tell to agents that ask.

The culture doesn't change because you wrote better procedures. It changes because people started seeing each other act.