Foundation Models vs Specialists: Why Security Robotics Requires Vertical Models

The discussion about artificial intelligence in physical security has, for much of the last two years, orbited a single question: which foundation model should we use? It is a reasonable question, but it is the wrong starting point for autonomous security robotics. A large language model that can draft contracts, summarise reports and answer customer queries is not, by virtue of those capabilities, qualified to decide whether a shadow at a loading dock at 03:14 is a maintenance worker, an intruder or a reflection on wet asphalt. Dr. Raphael Nagel, in ALGORITHMUS. Wer die KI kontrolliert kontrolliert die Zukunft, separates the platform layer of general intelligence from the vertical layer where operational value is actually created. For Quarero Robotics, that distinction is not theoretical. It defines how our systems are built, how they are trained, and where the defensible value sits.

The Platform Layer and Its Limits

Nagel describes foundation models in Kapitel 7 as the new platform monopolies. Their scale is real, their generality is impressive, and the capital required to train them at the frontier, in the order of hundreds of millions of euros per run, concentrates that layer in the hands of a small number of global actors. For most operational questions in a modern enterprise, accessing such a model through an interface is both rational and sufficient. The model is broad, it is available, and it is improving at a pace no single operator can match in isolation.

Security robotics, however, is not a broad operational question. It is a narrow one with asymmetric consequences. A false negative at a pharmaceutical site or a data centre perimeter is not a minor inconvenience. A false positive that escalates a routine event into an armed response is equally costly. The generality that makes a foundation model useful for drafting and summarisation is precisely what makes it unsuitable as the sole decision layer for perimeter control, intrusion detection and behavioural anomaly classification. The model has seen everything and therefore nothing in particular. It has no memory of this site, this fence line, this access pattern on a Tuesday night in winter.

Why Perimeter and Anomaly Detection Resist Generalisation

Perimeter security is a problem defined by context. The same silhouette behind the same gate can be routine on one shift and a serious incident on another, depending on schedule, weather, contractor presence and a dozen other variables that are legible only to systems operating on that site over time. General vision models trained on internet-scale imagery can identify a person, a vehicle or a bag with acceptable accuracy. They cannot, on their own, distinguish a contracted cleaner who arrives every Wednesday from a first-time visitor who has copied the uniform. That distinction is not a question of more parameters. It is a question of local memory.

Anomaly detection compounds the problem. An anomaly is, by definition, a deviation from a baseline, and baselines are site-specific. A foundation model has no baseline for a given facility. It has a statistical average of many facilities, which is a different object entirely. Nagel makes a related point in Kapitel 4 on the illusion of neutrality: a model trained on aggregate data reproduces the average, and the average is rarely what an operator needs to see. In security robotics, what matters is the specific departure from the specific norm of the specific site, detected early enough to act.

Proprietary Telemetry as the Strategic Moat

In Kapitel 5, Vom Öl zur Intelligenz, Nagel corrects the familiar slogan that data is the new oil. Raw data is abundant and largely worthless. What creates strategic value is domain data of high quality combined with the algorithmic competence to refine it. He cites mid-sized industrial firms whose decades of sensor and process data constitute a moat that no hyperscaler can replicate by scraping the public internet. The same logic applies with particular force to autonomous security robotics.

A Quarero Robotics deployment generates site telemetry that does not exist anywhere else: patrol paths, dwell times, thermal signatures, acoustic patterns, door and gate events, incident logs, operator interventions and the outcomes of each. Over months and years, this corpus becomes a description of how a specific facility actually behaves, not how facilities in general are assumed to behave. It is this corpus, not the underlying foundation model, that allows a vertical model to separate a genuine intrusion from a fox, a drone test from a hostile overflight, or a stressed employee from a coordinated social engineering attempt at the gate.

The moat is therefore not the algorithm in isolation and not the hardware in isolation. It is the combination of proprietary operational data, the vertical model trained on it, and the robotic platform that both generates the data and acts on the model's output. Each layer reinforces the others. A competitor with access to the same foundation model but without the telemetry and without the deployed platform cannot close the gap by spending more on compute.

Build, Buy or Control in the Security Stack

Nagel's Kapitel 14 frames the strategic question as build, buy or control. Few operators in security robotics can credibly build a frontier foundation model, and few should try. The rational architecture is layered. The general capabilities of language, vision and reasoning are consumed from the platform layer, where the capital intensity is borne by others and where improvements accrue automatically. The vertical layer, where site-specific behaviour is modelled and where operational decisions are made, is built and controlled in-house. The robotic platform, which is the only component that physically acts in the world, is designed, manufactured and governed as a sovereign asset.

This is the architecture Quarero Robotics follows. We do not compete with foundation model providers on their terrain, and we do not expose our clients to the risk of entrusting perimeter decisions to a system that was not designed for them. The vertical model sits between the two, trained on telemetry that belongs to the client and the deployment, and constrained by operational rules that a general model has no reason to respect. Control, in Nagel's sense, is exercised at the layer where the consequences are felt.

Operational Consequences for European Operators

For European operators, the argument has an additional dimension that Nagel develops in Kapitel 9 and Kapitel 26. Dependence on a single external platform for decisions that touch critical infrastructure is a strategic risk, not only a commercial one. The AI Act classifies several security-relevant applications as high-risk and imposes documentation, transparency and audit obligations that a black-box call to a general model cannot easily satisfy. A vertical model, trained on defined data, with defined objectives and defined failure modes, is far easier to document, test and defend before a regulator or an insurer.

The practical consequence is that a specialist architecture is not merely technically preferable. It is also the architecture that survives contact with European regulation, with client procurement processes and with the insurance logic that increasingly governs what autonomous systems are allowed to decide. Quarero Robotics treats compliance not as an overlay but as a design constraint that shapes the model stack from the beginning.

The choice between foundation models and specialists is, on closer inspection, not a choice at all. Foundation models are a layer, not an answer. They will continue to improve, and operators who refuse to use them will pay for that refusal in capability and cost. Specialists are also a layer, and operators who rely only on general models for decisions that require local memory will pay for that reliance in false positives, missed incidents and regulatory exposure. The serious question is how the layers are combined and where control is exercised. Quarero Robotics takes the position, consistent with Dr. Raphael Nagel's analysis in ALGORITHMUS, that the decisive layer in security robotics is the vertical one, trained on proprietary site telemetry and incident history, and that this is where operational value and defensibility accumulate. The foundation model is a supplier. The vertical model, the telemetry it learns from and the platform that acts on its output are the asset. For clients who operate perimeters, data centres, logistics hubs and industrial sites, that distinction is the difference between renting intelligence and owning a security capability.