
Forensic & Integrity Pulse Series

How emerging risks shape physical security and crisis management plans

The EY Forensic & Integrity Pulse reveals gaps in physical security and crisis management. Security spend is rising, but confidence isn’t.


In brief
  • Organizations are pressure-testing crisis scenarios and using advanced technology, but threats still outpace readiness.
  • Responsibility for crisis decision-making is fragmented across information technology, enterprise risk, operations and human resources.
  • Larger budgets and broader board oversight signal increased support for developing programs focused on physical security threats and resilience.

Physical security and crisis management functions are gaining attention, with concerns about executive protection, workforce safety, global uncertainty and technology threats.

Across boardrooms, university campuses, manufacturing facilities and event venues, leaders are beginning to recognize gaps in crisis management and physical security preparedness as threats and risk evolve. Data centers are bracing structurally to defend against potential insider threat sabotage and drone attacks. Corporations and boards are concerned about the safety of high-profile executives and employees living abroad. Drug manufacturers and retailers are beefing up security at distribution centers and on transport routes.

Findings from the latest EY Forensic & Integrity Pulse indicate that organizations are responding with increased investment and oversight. Survey findings show that security budgets are trending higher, and board oversight has broadened.


  • Eighty-seven percent of organizations surveyed report more oversight from the Board of Directors regarding physical security and executive protection in the last 12 to 18 months.
  • Sixty-two percent say their organization operates a fully staffed 24/7 threat intelligence center to monitor physical security risks.
  • Twelve percent say their organization feels prepared to detect a targeted attack against an executive or employee.

Resilience is increasingly defined by whether leaders can act decisively as threats arise and whether their operational teams can confidently assess and prepare for future risks. Poll results show that many organizations are preparing for tomorrow’s crisis with yesterday’s mindset, lacking decision clarity, ownership alignment and the real‑world rehearsal required to respond effectively when threats target leaders, employees or operations.

 

Funding is up, but crisis spending is cyber-dominant, and responsibility is split across enterprise risk, operations, information security and facilities.

 

Nearly eight in 10 organizations increased their physical security budgets for 2025-26 compared with 2024. Forty percent of decision-makers say their budget for physical security has increased by more than 10%, and within that, 8% report a spending surge of more than 50%.


More than three in five decision-makers report that, excluding personnel, their organization annually spends more than a quarter of its total security budget on physical security. Despite the growing focus on physical security and executive protection, the Pulse Series shows most resources and budget allocation decisions are still directed to cyber and IT. While 29% of decision-makers say the chief security officer owns the budget for physical threat intelligence, 27% place it with IT/chief information security officer (CISO), 18% say it belongs with operations/chief operating officer (COO), 18% cite shared or converged ownership, and 7% say the budget sits in multiple places, with no central access.


As organizations evolve security programs that have remained unchanged for the past 10 years or longer to fill gaps in security demands, the shift creates new challenges. Some roles are being handed expanded responsibilities they may not have resources or preparedness to meet. For example, because they own the security budget, CISOs are being asked to lead broader security operations, covering not just IT and operational technology security but, in some cases, people and plant management, product safety and crisis planning for weather emergencies. These changes can also lead to overlooked security gaps. As teams adapt and take on new responsibilities, it is important to regularly reassess risk.

The competition for budget is high. Respondents say budget constraints are the biggest barrier to implementing a physical security monitoring program (29%), followed by executive resistance (23%). In separate EY polling, 85% of senior security leaders report that their current cybersecurity budget is insufficient to meet AI-enabled threats.

With spending decisions spread across functions, there may be untapped budgets sitting in areas of the organization that are not situated to drive effective preparedness and response capabilities.


The data points to a growing need for integrated risk oversight focused on all threats and hazards. It is important for security and CISO teams to collaborate, with shared intelligence and faster joint decision-making across security, facilities, IT and operations.

The data also highlights persistent gaps in accountability, decision-making clarity and real-world readiness, particularly when threats target leaders, employees or operations outside core facilities. Fragmented ownership delays escalation, blurs accountability and weakens crisis response when minutes matter.

Nearly nine in 10 respondents say their Board of Directors have increased focus on physical security and executive protection in the last 12 to 18 months

Physical security and executive protection are now board-level governance and fiduciary issues. Today’s executives have influential platforms, visible profiles in the media and public appearance schedules. During travel, they can be exposed to planned attacks or mass violence. In some cases, their families have been threatened or targeted.

Beyond threats to people, security failures can disrupt operations and damage reputations. Even in facilities with strong security, social engineering campaigns and sophisticated attackers may be able to use deepfake credentials to bypass controls.

Having a well-equipped threat intelligence center staffed by experienced intelligence professionals enables organizations to identify and respond to physical security threats earlier, reducing crisis impact. While 84% of respondents report having a functional threat intelligence center monitoring physical risks, many organizations still run understaffed programs that can’t maintain 24/7 coverage.

Board awareness appears to be rising. Most respondents say directors understand the return on investment for security and intelligence functions. This signals potential funding and further support needed to design effective programs with coordinated response.

Organizations aren’t just talking about emerging threats. They are simulating them and fighting harder with AI

Organizations are preparing for conventional attacks, cyber risks and emerging risks across all fronts. Recent demand reflects this shift, with organizations across sectors hardening infrastructure and seeking training on mass acts of violence, multidimensional cyber and physical acts, and drone swarm attacks.

Pulse Series respondents report that they have pressure-tested several crisis scenarios recently, including unauthorized access using deception, digital or privacy breaches, physical threats to executives or employees and sabotage to building systems. 

But is it enough? Although 57% of organizations say they pressure-tested AI compromise in a formal simulation in the past 12 to 18 months, AI compromise is also where 24% feel most vulnerable or least prepared, followed by off-site vulnerabilities (19%).

Despite the increase in attention for physical security, many organizations still have not pressure-tested off-site threats against people or infrastructure sabotage. 

The preparedness paradox:

Which of the following scenarios have you pressure-tested in a formal simulation in the last 12–18 months? Which risks are you most prepared to detect today?
| Scenario | We have pressure-tested | We feel least prepared in this area |
| --- | --- | --- |
| AI compromise | 57% | 24% |
| Targeted digital exposure or privacy breaches | 54% | 6% |
| Unauthorized access using deception | 51% | 5% |
| Off-site vulnerabilities | 49% | 19% |
| Physical threats to executives or employees | 47% | 8% |
| Sabotage to building systems | 46% | 9% |


The biggest gaps in crisis planning often revolve around decisions: how to handle escalation, who makes the call and what happens if designated leaders are not available. Many organizations are getting back to the basics by streamlining response protocols.

While tabletop exercises are valuable, critical crisis scenarios should also be exercised in a more active and realistic setting. Some companies are opting for a “red-team” approach, where they hire outside providers to facilitate a crisis drill and monitor the response, allowing for live dialogue and after-action learning opportunities.

How security teams are using AI to conduct risk analysis

Security teams are aggressively using AI for high-stakes tasks, including risk analysis (76%), active threat detection (73%) and sentiment monitoring (58%). More than three in four respondents use AI to identify travel or residential hot spots, and nearly the same share (73%) report AI-driven facial or weapons detection. In addition, 58% of senior leaders polled report using advanced technologies to track public vitriol directed at leadership.

Without clear escalation thresholds and human decision ownership, AI accelerates detection, but not resolution.


Three actions to build and enhance physical security, executive protection and crisis response

A mature crisis management and physical security risk management program is built on clear planning and requirements, standardized collection, analysis, information sharing and proactive monitoring.

  1. Clarify ownership: Centralize case management and communication. Use one system to track threats and incidents against threat indicators tuned for the organization’s products, customer base and geographic footprint.
  2. Consolidate intelligence signals: Develop a comprehensive threat intelligence center and clear protocols for triage, escalation and response. Include cross-functional teams across security, IT, facilities, legal, HR and communications. Determine public and internal communication protocols.
  3. Run realistic exercises: Expand simulations beyond tabletop and cyber-only scenarios to include executive travel, corporate events and active assailant scenarios. Train and prepare for response from crisis leaders, executive and management teams and across full-time, part-time and on-call resources. Prepare for decision‑making under pressure, not just detection.

Summary 

Physical security threats and executive protection are atop the risk agenda. New EY Forensic & Integrity Pulse Series polling shows budgets are rising and boards are leaning in, but accountability and real-world readiness lag. Today’s increased attention and investment open an opportunity for organizations to build more resilient programs, standardize reporting and pressure-test multidimensional scenarios, so gaps can be closed before a crisis forces the issue.
