<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Grey Inflection Intelligence]]></title><description><![CDATA[Risk intelligence for security professionals. Corporate threat · travel risk · trust & safety. Analysis you can act on.]]></description><link>https://greyinflection.com</link><image><url>https://substackcdn.com/image/fetch/$s_!1whQ!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19f5dc93-1dfe-4953-b392-9863e772eba5_1254x1254.png</url><title>Grey Inflection Intelligence</title><link>https://greyinflection.com</link></image><generator>Substack</generator><lastBuildDate>Fri, 19 Jun 2026 08:25:48 GMT</lastBuildDate><atom:link href="https://greyinflection.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Grey Inflection Intelligence]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[greyinflection@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[greyinflection@substack.com]]></itunes:email><itunes:name><![CDATA[Grey Inflection Intelligence]]></itunes:name></itunes:owner><itunes:author><![CDATA[Grey Inflection Intelligence]]></itunes:author><googleplay:owner><![CDATA[greyinflection@substack.com]]></googleplay:owner><googleplay:email><![CDATA[greyinflection@substack.com]]></googleplay:email><googleplay:author><![CDATA[Grey Inflection Intelligence]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[GII Podcast · 002 - She Stayed on the Phone. It Wasn't Enough.]]></title><description><![CDATA[A Thai creator was shot dead while on a live video call. Three institutions had already missed the signals. 
GII reads the case through a threat assessment lens.]]></description><link>https://greyinflection.com/p/gii-podcast-002-she-stayed-on-the</link><guid isPermaLink="false">https://greyinflection.com/p/gii-podcast-002-she-stayed-on-the</guid><dc:creator><![CDATA[Grey Inflection Intelligence]]></dc:creator><pubDate>Sat, 13 Jun 2026 05:54:01 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/201837246/c271308152f5c1eb0c57daad3f171fda.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<p>On June 8, 2026, a 26-year-old Thai content creator known as Pon was shot and killed on the side of a road in Saraburi province. Her killer was her ex-boyfriend. He had recently lost his job because of her. He had borrowed money from a friend to fund his escape. He arranged to meet her under the pretence of bringing fuel. She stayed on a live video call with her current partner for the entire encounter, because she knew something was wrong. </p><p>Most coverage filed this under intimate partner violence and moved on.</p><p>This episode reads it through a threat assessment lens.</p><p>This podcast is the audio companion to Grey Inflection Intelligence, the written publication at greyinflection.com. Each episode goes beyond the written analysis, bringing in additional context, extended examples, and the kind of operational detail that doesn&#8217;t always fit neatly into print. If you&#8217;ve read Issue 002, this episode will deepen it. If you haven&#8217;t, it stands on its own.</p><p>In Episode Two, Lead Analyst Marcus Cole and Research Analyst Sara Voss reconstruct the pathway to violence stage by stage, and examine the three institutional checkpoints where the trajectory could have been interrupted, and wasn&#8217;t.</p><p><strong>What we cover:</strong> The five-stage pathway from grievance to act, and where each stage should have triggered a structured response. 
The compounded grievance profile: why personal loss followed by professional loss attributed to the same person is one of the most consistently identified stressors in pre-incident assessments, and why most screening frameworks aren&#8217;t looking for it. What the dismissal process should have triggered, and didn&#8217;t. Why public creators are a specific and underserved risk category that current Trust and Safety frameworks cannot see. And what the victim&#8217;s decision to stay on that video call actually tells us about the structural failures around her.</p><p><strong>Read the written analysis first (or after):</strong> <a href="https://greyinflection.com/p/thai-influencer-shot-dead-while-on">Issue 002 at greyinflection.com</a></p><p>Grey Inflection Intelligence publishes at least twice monthly. Subscribe free at greyinflection.com and receive every issue directly to your inbox.</p>]]></content:encoded></item><item><title><![CDATA[GII Podcast · 001 - Why Platforms Keep Getting Threat Assessment Wrong]]></title><description><![CDATA[The methodology gap costing platforms more than they realise]]></description><link>https://greyinflection.com/p/when-content-moderation-fails-what-dc4</link><guid isPermaLink="false">https://greyinflection.com/p/when-content-moderation-fails-what-dc4</guid><dc:creator><![CDATA[Grey Inflection Intelligence]]></dc:creator><pubDate>Fri, 12 Jun 2026 06:47:06 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/201704120/f68f77c0f2c409162272f9d4add73625.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<p>From time to time, another platform makes headlines for the wrong reason. A user who had been flagged repeatedly escalates to a credible threat. A gig economy worker with a history of boundary violations commits a serious incident. An online community moderator misses the warning signs of a user in crisis.</p><p>In almost every post-incident review, the same finding surfaces: the signals were there. 
They just weren&#8217;t being read correctly.</p><p>This podcast is the audio companion to Grey Inflection Intelligence, the written publication at greyinflection.com. Each episode goes beyond the written analysis, bringing in additional context, extended examples, and the kind of operational detail that doesn&#8217;t always fit neatly into print. If you&#8217;ve read Issue 001, this episode will deepen it. If you haven&#8217;t, it stands on its own.</p><p>In Episode One, Lead Analyst Marcus Cole and Research Analyst Sara Voss examine why most Trust and Safety teams are operating with the wrong methodology for one of the most serious problems they face, and what three decades of law enforcement threat assessment has to offer.</p><p><strong>What we cover:</strong> Content moderation vs. threat assessment: why conflating them is a structural problem. The pathway to violence research that law enforcement built its frameworks on, the three gaps in how platforms currently operate, what genuine threat assessment capability actually looks like in practice and why AI-based content moderation cannot substitute for human threat assessment.</p><p><strong>Read the written analysis first (or after):</strong> <a href="https://greyinflection.com/p/when-content-moderation-fails-what">Issue 001 at greyinflection.com</a></p><p>Grey Inflection Intelligence publishes at least twice monthly. Subscribe free at greyinflection.com and receive every issue directly to your inbox.</p>]]></content:encoded></item><item><title><![CDATA[Thai Influencer Shot Dead While on a Video Call with Current Partner. 
Reading the Killing of Pon Through a Threat Assessment Lens]]></title><description><![CDATA[Issue 002 &#183; Grey Inflection Intelligence &#183; Behavioural Risk Intelligence]]></description><link>https://greyinflection.com/p/thai-influencer-shot-dead-while-on</link><guid isPermaLink="false">https://greyinflection.com/p/thai-influencer-shot-dead-while-on</guid><pubDate>Thu, 11 Jun 2026 02:00:00 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/fa0be235-9e4b-40fc-9cc3-f9be9bc258c8_1200x628.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Reading time: approximately 8 minutes</em></p><p>&#127897; <strong>This issue is also available as a podcast episode.</strong> Episode 002 of the Grey Inflection Intelligence Podcast goes beyond this written analysis, extending the discussion with additional context and operational detail that doesn't always fit neatly into print. If you've read this issue, the episode will deepen it. If you're new here, it stands on its own. <strong>Listen on</strong> <a href="https://greyinflection.com/p/gii-podcast-002-she-stayed-on-the">Substack</a></p><div><hr></div><h2>Before the Analysis: What the News Said</h2><p>On June 8, 2026, a 26-year-old Thai content creator known as Pon was <a href="https://thethaiger.com/news/central-thailand/thai-man-kills-female-tiktok-star-then-himself-during-police-chase">shot and killed on the side of Phahon Yothin Road in Saraburi province</a>. The man who killed her was her ex-boyfriend, Beer, aged 42. The killer fled and was pursued by police across two provinces before he was found dead in his vehicle. The police believed that the killer had taken his own life.</p><p>The details that travelled internationally were vivid. The victim had over 200 thousand TikTok followers. Her two-year-old child was found uninjured in the car at the time of the shooting. 
The victim&#8217;s current partner, Kla, was reportedly on a live video call with her when the argument broke out and shots were fired. The line went dead.</p><p>Most coverage filed this under intimate partner violence and moved on. If we read it through a threat assessment lens, however, the case looks entirely different. The warning signs were there. The pathway was visible, the behavioural indicators were escalating, and the institutions that could have intervened were present at multiple points. What was actually missing was not the signals, but a framework for recognising what those institutions were seeing.</p><p>This issue reads that pathway out loud.</p><div><hr></div><h2>What Threat Assessment Actually Does</h2><p>Before applying the framework, it is worth stating plainly what threat assessment is and is not.</p><p>Threat assessment is never about predicting violence. It is also not a checklist that produces a binary result. It is a structured, evidence-based methodology for evaluating whether a person of concern poses a genuine and escalating risk, and for determining what form of intervention is appropriate at different points on that trajectory.</p><p>As established in our first issue, the foundational insight of Behavioural Threat Assessment and Management is deceptively simple. <strong>It is not about what someone says. It is about what someone does.</strong> More specifically, it is about what someone does over time, in pattern, across multiple domains, and whether the people around them have the framework to read those behaviours together rather than in isolation.</p><p>In Pon&#8217;s case, the signs did not fail to appear. 
What failed was that the people around them did not know what they were looking at.</p><div><hr></div><h2>The Pathway, Reconstructed</h2><p>Threat assessment practitioners often reconstruct a pathway to violence after an incident, in an attempt to identify where intervention was possible. The sequence in this case is worth laying out for clarity.</p><p><strong>Stage one: baseline grievance.</strong> The killer and victim had been in a relationship and had separated. The victim had since reconciled with her former partner, the father of her child. The killer remained in her orbit and was reportedly deeply unhappy about the breakup. This is the starting condition: a fixated individual with an ongoing attachment to a former partner who had already moved on to someone else.</p><p><strong>Stage two: grievance compounded.</strong> The victim had previously reported the killer&#8217;s alleged misconduct to her workplace supervisor. The report resulted in the killer being dismissed several days before the killing. This is the critical escalation marker. The killer did not only lose a relationship. He lost his livelihood because of her. In threat assessment literature, risk is significantly elevated when a personal grievance and a professional one converge and are attributed to the same person. The loss of employment following interpersonal conflict, especially where the individual holds the target responsible, is considered one of the most consistently identified stressors in pre-incident behavioural assessments.</p><p><strong>Stage three: pre-incident planning.</strong> Before the night of June 8, the killer had contacted a friend to borrow money. This was reportedly to fund an escape. This is not the behaviour of someone acting impulsively. 
Pre-incident logistical planning, particularly when it involves financial preparation for flight, is considered a documented behavioural marker of premeditation in most targeted violence cases.</p><p><strong>Stage four: engineered access.</strong> The killer had arranged to meet the victim by offering to bring fuel. The offer was plausible, as he had previously worked as an oil tanker driver. The victim accepted. Here, the killer created an isolated, one-to-one encounter under the cover of practical assistance.</p><p><strong>Stage five: the act, and its denial.</strong> The killer shot the victim. Prior to his death, he reportedly denied that jealousy or the relationship was the core motive. Such a self-narrative, the reframing of a grievance-driven act as something other than what it is, is reasonably consistent with the compounded grievance profile. In the killer&#8217;s own internal accounting, this was not jealousy but redress. That distinction matters operationally, because individuals who have constructed a justification for their actions are frequently more dangerous than those acting from raw emotion. Put another way, they are not in crisis but, in their own minds, in the right.</p><p>In this case, as in others, the pathway from stage one to stage five could have taken weeks or months. At multiple points along it, observable behaviours existed. Yet at no point was a structured assessment triggered.</p><div><hr></div><h2>Three Checkpoints, Three Missed Interventions</h2><h3>The Workplace</h3><p>The dismissal of the killer following the victim&#8217;s misconduct report is the clearest institutional checkpoint in this case, and the clearest missed intervention.</p><p>In structured threat assessment practice, termination following interpersonal conflict involving a named complainant should be treated as a triggering event. 
This is not because such terminations always produce a violent outcome. Rather, the risk changes materially when the individual being dismissed holds a specific person responsible for it, has a prior personal relationship with them, and no longer has workplace monitoring as a structural constraint on their behaviour.</p><p>The questions a threat assessment function would ask at this point are not complex.</p><ul><li><p>Does this individual have a history of controlling or threatening behaviour toward the complainant?</p></li><li><p>Does ongoing contact exist between them?</p></li><li><p>Has the individual made any statements (to colleagues, to friends, on social media, etc.) that express blame, intent, or a sense of injustice directed at the complainant?</p></li></ul><p>At this time, there is no reporting to suggest these questions were asked. The dismissal appears to have been processed as an employment matter. The file was closed, but the risk to the victim who opened it was not assessed.</p><h3>The Platform</h3><p>The victim was a public-facing content creator. The killer, as a former partner carrying a compounded grievance, had unimpeded access to her public content, her posting schedule, her location patterns, and the rhythms of her daily life as she chose to share them.</p><p>Whether the killer actively monitored the victim&#8217;s content in the period before the killing is not established in available reporting, but the structural risk is worth naming. A fixated individual with a grievance against a public creator has, by default, a surveillance capability that did not exist in the pre-social-media era. Such individuals do not need to follow the person physically. The victim&#8217;s own platform presence does the work for them.</p><p>Trust &amp; Safety functions at platforms hosting public creators are not currently designed to address this. 
As established in our first issue, content moderation and threat assessment are not the same discipline. A fixated former partner who has not violated any platform policy, and who is probably only watching, silently, is invisible to current T&amp;S frameworks. That invisibility is a structural gap, not an edge case.</p><h3>The Current Partner</h3><p>The current partner&#8217;s presence on the video call when the victim was killed is the detail that some threat assessment practitioners would find most significant, and most sobering.</p><p>The victim appeared to have used the call as a form of protective presence. Maintaining live contact with a trusted person while meeting someone she may already have assessed as a risk is, by itself, a rational personal safety behaviour. It can be read as the victim having conducted her own informal threat assessment of the situation. The victim identified a risk and tried to mitigate it with the tools she had available. She was her own threat assessor, but the tools she had available were not enough.</p><p>We also note that no employer safety protocol had flagged the killer as a person of concern after his dismissal. Nor was any platform function in a position to identify an escalating behavioural pattern. No structured safety net had been activated. All she had was a video call to her partner, and that was the entirety of her support.</p><div><hr></div><h2>The Compounded Grievance: A Pattern Worth Naming</h2><p>The behavioural profile the killer exhibited has a name in the threat assessment literature: compounded grievance. It is worth dwelling on because it appears in post-incident reviews with enough regularity that its presence should function as a risk flag in screening frameworks.</p><p>The structure is consistent: an individual experiences a personal loss, such as a relationship ending or a rejection. The grievance is real but, under ordinary circumstances, bounded. 
The risk escalates sharply when a second loss, related to and attributed to the same person, follows. Each loss reframes the other. The relationship ending was not just painful, but, in retrospect, evidence of bad intent. The job loss was not just a consequence of misconduct. It became, in his mind, an act of aggression. The target becomes, in the killer&#8217;s internal narrative, the author of a sustained and deliberate harm.</p><p>This reframing is operationally significant for two reasons. First, it means the individual is not processing grief but instead building a case. Second, it means that conventional de-escalation approaches, which assume emotional distress as the primary driver, are poorly suited to the risk. You cannot grieve someone out of a perceived debt.</p><p>The killer&#8217;s denial of jealousy as a motive is the clearest expression of this dynamic in the available reporting. He had, by the time of the killing, constructed a narrative in which his actions were not the behaviour of a jealous ex-partner. It was, to him, the logical conclusion of a ledger of wrongs. That narrative should have been a risk signal. It was not read as one, because nobody was reading.</p><div><hr></div><h2>The Grey Inflection Assessment</h2><p>Unfortunately, this case will be reported as a tragedy. It is also a case study in the cost of institutional gaps that are neither new nor inevitable.</p><p>The killer&#8217;s grievance profile was not hidden. The relationship history was known to people around both of them. The dismissal was processed through institutional channels. Their ongoing contact, culminating in a late-night meeting arranged by the person of concern, was not assessed against a risk threshold. No risk threshold existed.</p><p>The methodology to have done this differently is not hypothetical. 
Behavioural threat assessment and management frameworks exist, have been refined over decades, and are designed precisely for cases like this one, where no single indicator is alarming in isolation, but the totality of circumstances represents a genuine and escalating risk.</p><p><strong>For human resources and workplace safety professionals:</strong> a misconduct dismissal involving a named complainant with a prior personal relationship to the dismissed individual is a threat assessment trigger, not a process conclusion. The file should not close until the risk to the complainant has been explicitly evaluated. That evaluation does not require certainty. It requires a structured question and a documented answer.</p><p><strong>For Trust &amp; Safety professionals:</strong> public creators are a specific and underserved risk category. A fixated former partner with passive access to a creator&#8217;s content, schedule, and location patterns has a surveillance capability that current platform frameworks are not designed to detect or disrupt. This gap is worth naming in product and policy conversations, not only in post-incident reviews.</p><p><strong>For security and risk practitioners more broadly:</strong> the compounded grievance profile, meaning personal loss followed by professional loss, both attributed to the same individual, is a pattern that should be built into screening frameworks. It is not rare. It is simply not being looked for systematically.</p><p>The signals in this case existed across a workplace, a platform, and a personal network. What was absent was anyone with the framework, the mandate, and the access to read them together.</p><p>The victim read them herself. She stayed on the phone. <strong>It was not enough. It should not have had to be.</strong></p><div><hr></div><p><em>Grey Inflection Intelligence is currently in its launch phase. All issues are free during this period. 
A tiered subscription model will be introduced in future, with advance notice given to all subscribers before any changes take effect. When the paid tier launches, free subscribers will continue to receive one issue per month, while paid subscribers will receive a minimum of two issues per month, additional briefs and articles published at editorial discretion, quarterly deep-dive reports, and access to the GLI resource library.</em></p><p><em>Analysis is produced by a founding analyst with a background spanning law enforcement investigation, corporate threat assessment, travel risk management, and trust &amp; safety operations, with formal academic grounding in strategic studies at the postgraduate level. Published anonymously to maintain source independence and editorial discretion. All analysis is based on open-source information.</em></p><p><em>If this issue was useful, consider forwarding it to a colleague in security, HR, or Trust &amp; Safety.</em></p>]]></content:encoded></item><item><title><![CDATA[When Content Moderation Fails: What Trust & Safety Teams Need to Learn from Law Enforcement Threat Assessment]]></title><description><![CDATA[Issue 001 &#183; Greyline Intelligence &#183; Corporate Risk & Platform Safety]]></description><link>https://greyinflection.com/p/when-content-moderation-fails-what</link><guid isPermaLink="false">https://greyinflection.com/p/when-content-moderation-fails-what</guid><pubDate>Sat, 06 Jun 2026 16:17:07 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/153a4e3d-624c-4ec4-b6cf-bfbcba0cc474_1200x628.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div><hr></div><p>Reading time: approximately 7 minutes</p><p>&#127897; <strong>This issue is also available as a podcast episode.</strong> Episode 001 of the Grey Inflection Intelligence Podcast goes beyond this written analysis, extending the discussion with additional context, deeper examples, and operational detail that doesn't always fit neatly into print. If you've read this issue, the episode will deepen it. If you're new here, it stands on its own. <strong>Listen on</strong> <a href="https://greyinflection.com/p/when-content-moderation-fails-what-dc4">Substack</a></p><div><hr></div><h2>The Problem Nobody Is Talking About</h2><p>From time to time, another tech platform makes headlines for the wrong reason.</p><p>A user who had been flagged repeatedly for harassment escalates to making credible threats against a public figure. 
A gig economy worker with a history of boundary violations commits a serious incident against a customer. An online community moderator misses the warning signs of a user in crisis, until it is too late.</p><p>In almost every post-incident review, the same finding surfaces: <strong>the signals were there. They just weren&#8217;t being read correctly.</strong></p><p>This is not a technology problem. It is not a resourcing problem either. Rather, it is a methodology problem, one with a solution law enforcement figured out decades ago.</p><p>In most technology companies, Trust &amp; Safety teams are among the most dedicated professionals. They work under enormous pressure, processing staggering volumes of content reports, flagged accounts, and user complaints. But the frameworks most platforms use to handle these cases were designed for <strong>content moderation</strong> (identifying and removing policy-violating material at scale).</p><p>Content moderation and threat assessment are not the same discipline. Conflating them is costing platforms and the people who use them.</p><div><hr></div><h2>What Law Enforcement Learned the Hard Way</h2><p>In the 1990s and early 2000s, law enforcement agencies, particularly in the United States and United Kingdom, began developing structured threat assessment methodologies in response to a disturbing pattern: targeted violence in schools, workplaces, and public spaces was almost never truly spontaneous.</p><p>Multiple studies consistently showed that individuals who carried out acts of targeted violence had followed a <strong>pathway to violence</strong> - a progression of observable behaviours that were visible to people around them. 
The problem was not a lack of signals. Rather, nobody had a framework for recognising what those signals meant together.</p><p>The result was the development of <strong>Behavioral Threat Assessment and Management (BTAM)</strong>. It is an evidence-based, proactive process used to identify, evaluate, and mitigate potential threats of targeted violence. It is also a structured methodology for evaluating whether a person of concern poses a genuine risk and, from the findings, what intervention is appropriate.</p><p>The core insight of BTAM is deceptively simple: <strong>it is not about what someone says. It is about what someone does.</strong></p><p>A user who posts &#8220;I&#8217;m going to kill you&#8221; to an individual is almost certainly not a credible threat. However, a user who posts the same message and has researched the victim&#8217;s home address, has expressed grievance repeatedly over months, and/or has recently experienced a significant personal loss presents an entirely different risk profile, even if the language used is identical.</p><p>While content moderation catches the first case easily, it almost always misses the second.</p><div><hr></div><h2>The Three Gaps in How Platforms Currently Operate</h2><p><strong>Gap 1: Binary decision-making in a non-binary problem space</strong></p><p>Most Trust &amp; Safety workflows are built around a fundamental binary: content either violates policy or it does not. Remove or keep. Ban or don&#8217;t ban.</p><p>Threat assessment, on the other hand, does not work this way: <strong>risk</strong> exists on a spectrum. An account that today represents a low-level concern may, following a triggering event such as relationship breakdown, job loss or perceived public humiliation, escalate rapidly into a genuine threat. 
Effective threat assessment monitors the trajectory, not just the current state.</p><p>What platforms need is <strong>longitudinal case management</strong> - the ability to track a person of concern over time, note any escalating behaviours and intervene at the right point on that trajectory. Most current T&amp;S tooling is optimised for high-volume, single-incident resolution. It is poorly suited to ongoing case monitoring.</p><p><strong>Gap 2: Context blindness</strong></p><p>When a content moderator reviews a reported post, they typically see the post and perhaps the user&#8217;s recent history. What they rarely see is the full picture: the pattern of interactions across multiple accounts, the targets being researched, the real-world geography of the situation, or the personal circumstances that may be acting as stressors.</p><p>Law enforcement threat assessors call this <strong>the totality of the circumstances</strong>. It is based on the principle that no single behaviour or statement should be evaluated <strong>in isolation</strong>. That is to say, a threat assessment is a mosaic, not a single tile.</p><p>Building this full picture requires cross-functional collaboration that most T&amp;S teams are not structured to provide. Legal, privacy, and data infrastructure constraints further limit what analysts can access. These are real constraints, but they need to be designed around, not accepted as permanent limitations.</p><p><strong>Gap 3: Intervention is treated as binary</strong></p><p>For most platforms, the available responses to a person of concern are limited. They are: warn, restrict, suspend, or ban. These responses are escalating punitive measures, and are often counterproductive when applied to individuals on a pathway to targeted violence.</p><p>Several law enforcement and mental health studies have shown that abrupt account termination of a fixated individual could be a <strong>triggering event</strong> rather than a solution. 
It also removes the platform&#8217;s visibility into the person&#8217;s behaviour while doing nothing to address the underlying risk.</p><p>Effective threat assessment, on the other hand, includes a much wider range of intervention options, including but not limited to outreach, de-escalation, referral to support services, coordination with other platforms, and, in serious cases, engagement with law enforcement. The right intervention depends on where the individual sits on the risk spectrum, not on which policy they most recently violated.</p><div><hr></div><h2>What Good Looks Like</h2><p>There are a handful of Trust &amp; Safety operations globally that are genuinely doing this well, and they share several characteristics that reflect threat assessment principles:</p><p><strong>A dedicated case management function</strong> - one that is separated from volume content moderation, staffed by analysts trained in behavioural indicators and risk evaluation, with the time and tools to build full case pictures.</p><p><strong>Structured professional judgement tools</strong> - these analysts use standardised frameworks for evaluating risk level that reduce inconsistency between analysts and create a defensible, documented decision trail.</p><p><strong>Cross-functional threat assessment teams</strong> - bringing together T&amp;S analysts, legal, law enforcement liaison, and where appropriate, mental health professionals to evaluate serious cases collectively.</p><p><strong>Tiered intervention menus</strong> - a range of responses calibrated to risk level, including non-punitive options designed to manage risk without triggering escalation.</p><p><strong>Metrics that measure outcomes, not just outputs</strong> - moving beyond &#8220;cases closed&#8221; and &#8220;content removed&#8221; to tracking whether interventions actually reduced risk over time.</p><p>None of the above is beyond reach. 
What we do know is that law enforcement and corporate security have been building and refining these capabilities for decades. The intellectual framework exists. What is missing in most platforms is the deliberate decision to apply it.</p><div><hr></div><h2>The Grey Inflection Assessment</h2><p>Trust &amp; Safety is one of the most consequential functions in modern technology, and one of the least mature in terms of methodology. The field has grown rapidly in response to regulatory pressure and public scrutiny, but much of that growth has been in scale rather than sophistication.</p><p>The next phase of T&amp;S evolution in today&#8217;s world is not about hiring more moderators or deploying better classifiers. It is about building genuine threat assessment capability: the structured, human-centred practice of understanding who poses a risk, why, and what to do about it.</p><p>Such capability exists. It lives in law enforcement agencies, corporate security departments, and behavioural threat assessment units around the world. It has simply not yet made the full journey into the technology industry in any systematic way.</p><p>That gap is both a problem and an opportunity.</p><p><strong>For Trust &amp; Safety professionals:</strong> the frameworks you need already exist. Behavioural Threat Assessment and Management, WAVR-21, and the work of organisations like the Association of Threat Assessment Professionals (ATAP) represent decades of tested methodology. If your current training does not include these, it should.</p><p><strong>For platform leadership:</strong> the question is not whether your platform will face a serious targeted violence incident. It is whether you will be prepared when it happens. A content moderation team, however skilled, is not a threat assessment function. 
Building one requires investment, cross-functional commitment, and a willingness to import expertise from outside the technology industry.</p><p>The signals are almost always there. The question is whether anyone is trained to read them.</p><div><hr></div><p><em>Grey Inflection Intelligence is currently in its launch phase. All issues are free during this period. A tiered subscription model will be introduced in future, with advance notice given to all subscribers before any changes take effect. When the paid tier launches, free subscribers will continue to receive one issue per month, while paid subscribers will receive a minimum of two issues per month, additional briefs and articles published at editorial discretion, quarterly deep-dive reports, and access to the GLI resource library.</em></p><p><em>Analysis is produced by a founding analyst with a background spanning law enforcement investigation, corporate threat assessment, travel risk management, and trust &amp; safety operations, with formal academic grounding in strategic studies at the postgraduate level. Published anonymously to maintain source independence and editorial discretion. All analysis is based on open-source information.</em></p><p><em>If this issue was useful, consider forwarding it to a colleague in security, HR, or Trust &amp; Safety.</em></p>]]></content:encoded></item></channel></rss>