In the movie Zoolander (2001), Derek reads a headline that hurts him precisely because he can’t understand it: “Derek Zoolander: A model idiot?”
In 2026, this joke applies uncomfortably well to artificial intelligence. We have built systems that build apps from scratch, speak any language fluently, and can imitate any expert at scale. But something becomes clear when you work with AI: intelligence without context is not really intelligence. An AI model without grounding is a model idiot.
The Zoolander Problem
Derek competes in the jungle of New York modelling and is working on a new look called ‘Blue Steel.’ And he looks awesome. So do AIs when they confidently answer you about security threats. But those of us working in cybersecurity know that the game is not sounding intelligent but knowing what matters. We need to understand what’s benign, and which traces are the remnants of an intruder doing reconnaissance or making a lateral move.
Why the foundation models are not solving the problem
I tested ChatGPT as soon as it came out. I was told that I had a problem with the wireless router radio signal fading when in fact it was just me grabbing my phone and going to work. The large models write well, explain things elegantly, and give you polished summaries. The issue is that a general-purpose LLM doesn’t know or understand your environment. It knows the concept of a firewall but has no knowledge of your networking and applications. The real question to answer is why this event matters in this environment right now.
The danger of the fluent idiot
The worst thing about AIs is that they give you confident explanations based on incomplete context. The dangerous territory we are entering now is one of false confidence, hidden assumptions, and weak auditability. That doesn’t hold up in security operations or, worse, in regulated environments.
From model idiot to grounded analyst
An AI security system needs many things, but here are the top 10 that matter most, and why:
- Deterministic parsing —> Structured, repeatable extraction of data so the same input always produces the same output.
- Normalized events —> Different log formats translated into a common schema so everything speaks the same language.
- Asset context —> Knowing what a device, server, or service actually is and does in your environment, not just its IP address.
- Topology —> Understanding how assets are connected and what paths exist between them.
- Baselines —> What “normal” looks like for each asset, so you can spot what isn’t.
- State over time —> Tracking how behavior evolves rather than judging a single moment in isolation.
- Evidence links —> Connecting related observations together so you see an attack chain, not scattered alerts.
- Confidence scoring —> Telling the analyst how sure the system is, rather than presenting every conclusion as equally certain.
- Analyst feedback —> Letting humans correct and refine the system so it learns what actually matters in your environment.
- Local control of telemetry and learned artifacts —> Keeping your data and the models trained on it under your roof, not sent to someone else’s cloud.
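Several items on this list (deterministic parsing, normalized events, asset context, baselines, evidence links, confidence scoring) chained together in Python, as an added example that is not code from any product. The inventory, baseline, log lines, and score weights are all constructed for illustration.

```python
import json
import re

# Constructed inventory and baseline (assumptions for this example).
ASSETS = {
    "10.0.3.10": {"name": "app01", "role": "app-server", "critical": False},
    "10.0.5.20": {"name": "hr-db01", "role": "database", "critical": True},
    "10.0.9.77": {"name": "kiosk-12", "role": "lobby-kiosk", "critical": False},
}
BY_NAME = {a["name"]: a for a in ASSETS.values()}
# Baseline: (source role, destination port) pairs that are normal per asset.
BASELINE = {"hr-db01": {("app-server", 5432)}}

SSHD = re.compile(r"^\S+\s+\d+\s+\S+\s+(?P<host>\S+)\s+sshd\[\d+\]: "
                  r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")

def parse(line):
    """Deterministic parsing into one schema: src IP, dst asset name, dst port."""
    if line.startswith("{"):  # JSON firewall record
        r = json.loads(line)
        dst = ASSETS.get(r["dst_ip"], {}).get("name", r["dst_ip"])
        return {"src": r["src_ip"], "dst": dst, "port": int(r["dport"]), "raw": line}
    m = SSHD.match(line)  # syslog sshd login
    if m:
        return {"src": m["src"], "dst": m["host"], "port": 22, "raw": line}
    return None  # unknown format: never guess

def assess(event):
    """Add asset context, compare to baseline, return a scored finding."""
    src = ASSETS.get(event["src"], {"name": event["src"], "role": "unknown"})
    dst = BY_NAME.get(event["dst"], {"critical": False})
    deviates = (src["role"], event["port"]) not in BASELINE.get(event["dst"], set())
    score, evidence = 10, [event["raw"]]  # evidence link back to the raw log
    if deviates:
        score += 50  # illustrative weight, not a calibrated value
        evidence.append(f"{src['role']} -> {event['dst']}:{event['port']} not in baseline")
        if dst["critical"]:
            score += 30
            evidence.append(f"{event['dst']} is a critical asset")
    return {"src": src["name"], "dst": event["dst"], "confidence": score, "evidence": evidence}

# Constructed sample logs in two formats.
LOGS = [
    "Mar  3 09:14:02 hr-db01 sshd[811]: Accepted password for svc_backup from 10.0.9.77 port 50122 ssh2",
    '{"src_ip": "10.0.3.10", "dst_ip": "10.0.5.20", "dport": "5432", "action": "allow"}',
]
FINDINGS = [assess(e) for e in map(parse, LOGS) if e]
for f in FINDINGS:
    print(f["confidence"], f["src"], "->", f["dst"], f["evidence"][1:])
```

Both events touch the same database, but only the kiosk login scores high, and the finding carries the reasons with it. That structured finding, not the raw log line, is what a model should be asked to interpret.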
Now the model can become useful as an interpretation layer. I do believe that AIs will be most successful when they provide grounded judgments.
A model without context is just that: a model, idiot.