Why do broad awareness campaigns often fail to change security behaviour?

They fail because they ask busy people to absorb too many messages at once. If the audience cannot quickly see what action matters, the campaign becomes background noise. Security behaviour changes when the message is narrow, relevant, and tied to one control the client can actually adopt.

Why This Matters for Security Teams

Broad awareness campaigns often fail because behaviour changes only when people can act on a message immediately, and most security campaigns do not meet that bar. They compete with real work, so the audience hears the headline but cannot translate it into a specific decision, tool, or control. That is why NHI Management Group emphasises evidence-backed, narrow interventions over general education, especially where secrets, OAuth access, and privileged automation are involved. In the current research on The State of Non-Human Identity Security, only 1.5 out of 10 organisations are highly confident in securing NHIs, which shows how often messaging outruns operational maturity. The same pattern appears in broader security programmes: awareness exists, but conversion into control adoption does not. Security teams usually overestimate the effect of repeated messaging and underestimate the need for a single, concrete next step tied to a current risk. The result is that campaigns become background noise while the underlying exposure stays unchanged. In practice, many security teams discover a failed behaviour change only after an incident review shows that the message was understood but never made operational.

How It Works in Practice

Effective security behaviour change is less about volume and more about reducing friction around one desired action. For example, if the goal is better secret handling, the campaign should point to one observable behaviour, such as rotating exposed credentials, removing shared tokens, or using a central secrets manager instead of copying keys into chat or code. If the goal is to reduce risky AI usage, the message should focus on one control such as approved model access, logging, or prompt handling, not a broad warning about AI risk in general. This is consistent with the direction of the NIST Cybersecurity Framework 2.0, which ties security outcomes to measurable governance and risk actions rather than generic awareness.

The most effective campaigns share four traits:

  • They target one audience with one relevant risk.
  • They define one concrete action that can be taken within the current workflow.
  • They connect the message to a control owner, not just end users.
  • They measure adoption, not clicks or attendance.

NHIMG’s research on third-party exposure also shows why broad messaging alone is insufficient: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which means users cannot fix what they cannot see. A campaign that says “be careful with access” will not change that condition. A campaign that says “review and remove unused OAuth grants this week” gives teams a decision they can actually execute. Current guidance suggests pairing awareness with just-in-time prompts, policy enforcement, and removal of barriers such as unclear ownership or manual approval loops. These controls tend to break down when the organisation has many business units using different SaaS tools, because the message fragments faster than the control can be standardised.
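To make "measure adoption, not clicks" concrete for a campaign such as "review and remove unused OAuth grants this week", the script below computes, per control-owning team, what share of the grants that were unused when the campaign started were actually revoked inside the campaign window. This is an added example and not code from the article or from NHI Management Group; the grant records are constructed sample data, and the 90-day inactivity threshold, the field names, and the campaign dates are assumptions chosen for illustration.

```python
"""Adoption metric for a 'remove unused OAuth grants' campaign.

Added example (not from the original article). All grant records are
constructed; INACTIVITY_DAYS and the campaign window are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

INACTIVITY_DAYS = 90  # assumption: no use for 90 days == "unused"


@dataclass(frozen=True)
class OAuthGrant:
    app: str
    team: str                   # control owner, not just the end user
    granted_on: date
    last_used: Optional[date]   # None = never exercised since it was granted
    revoked_on: Optional[date]  # None = still active


# Constructed sample inventory: one row per OAuth grant.
GRANTS: List[OAuthGrant] = [
    OAuthGrant("ci-bot", "platform", date(2024, 1, 10), date(2024, 11, 1), date(2025, 3, 4)),
    OAuthGrant("slack-export", "platform", date(2024, 6, 15), None, None),
    OAuthGrant("deploy-hook", "platform", date(2024, 5, 1), date(2025, 2, 20), None),
    OAuthGrant("calendar-sync", "sales", date(2024, 2, 2), date(2024, 10, 5), date(2025, 3, 5)),
    OAuthGrant("legacy-crm", "sales", date(2023, 12, 1), date(2024, 8, 30), date(2025, 3, 20)),
    OAuthGrant("legacy-ticketing", "sales", date(2023, 11, 20), date(2024, 9, 10), date(2025, 3, 6)),
    OAuthGrant("old-reporting", "sales", date(2024, 1, 15), None, date(2025, 2, 1)),
    OAuthGrant("new-connector", "finance", date(2025, 2, 25), None, None),
]

CAMPAIGN_START = date(2025, 3, 3)  # assumption: one-week campaign window
CAMPAIGN_END = date(2025, 3, 7)


def is_unused(grant: OAuthGrant, as_of: date) -> bool:
    """A grant is unused if nothing exercised it within INACTIVITY_DAYS of as_of.
    A never-used grant is measured from the day it was granted."""
    anchor = grant.last_used or grant.granted_on
    return (as_of - anchor).days >= INACTIVITY_DAYS


def campaign_targets(grants: List[OAuthGrant], start: date) -> List[OAuthGrant]:
    """Grants that were both still active and unused when the campaign began.
    These are the only things the campaign can be credited for removing."""
    return [
        g for g in grants
        if g.granted_on < start
        and (g.revoked_on is None or g.revoked_on >= start)
        and is_unused(g, start)
    ]


def adoption_by_team(grants: List[OAuthGrant], start: date, end: date) -> Dict[str, Tuple[float, int]]:
    """Map team -> (share of targeted grants revoked inside [start, end], target count).
    Teams with nothing to remove are omitted rather than scored as 100%."""
    counts: Dict[str, List[int]] = {}
    for g in campaign_targets(grants, start):
        done = g.revoked_on is not None and start <= g.revoked_on <= end
        total_done = counts.setdefault(g.team, [0, 0])
        total_done[0] += 1
        total_done[1] += int(done)
    return {team: (done / total, total) for team, (total, done) in counts.items()}


def overall_adoption(grants: List[OAuthGrant], start: date, end: date) -> float:
    """Organisation-wide share of targeted grants revoked inside the window."""
    per_team = adoption_by_team(grants, start, end)
    total = sum(n for _, n in per_team.values())
    done = sum(rate * n for rate, n in per_team.values())
    return done / total if total else 0.0


if __name__ == "__main__":
    for team, (rate, n) in sorted(adoption_by_team(GRANTS, CAMPAIGN_START, CAMPAIGN_END).items()):
        print(f"{team:10s} {rate:5.0%} of {n} unused grants revoked in window")
    print(f"overall    {overall_adoption(GRANTS, CAMPAIGN_START, CAMPAIGN_END):5.0%}")
```

The metric deliberately ignores how many people opened the message: a team that read the banner but left its stale grants in place scores zero, and a grant revoked after the window (legacy-crm in the sample) counts as not adopted, which is what a deadline means in practice.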

Common Variations and Edge Cases

Tighter messaging often increases coordination cost, requiring organisations to balance precision against the desire to reach everyone at once. That tradeoff is real, especially in large enterprises where a single campaign spans many roles, tools, and risk levels. For frontline staff, a narrow message may be enough. For administrators, developers, or AI operators, the guidance has to be role-specific and tied to a workflow, or it will be ignored. There is no universal standard for campaign cadence or format yet, but best practice is evolving toward behaviour-specific nudges, control-based training, and short reinforcement loops rather than annual awareness blasts.

Some edge cases need special handling. High-risk events such as exposed credentials or an active incident may justify a short, urgent message with a single action, while lower-risk hygiene topics work better as recurring reminders embedded in tooling. In environments with autonomous systems or agentic workflows, broad awareness is even less effective because the relevant actor is not a person reading a banner but a system that needs policy, identity, and runtime guardrails. That is why security teams should treat awareness as support for controls, not a substitute for them. For deeper context on how exposed credentials are operationalised by attackers, the DeepSeek breach demonstrates how quickly weak governance turns into real abuse, especially when secrets and access paths are already dispersed. In practice, broad campaigns fail most often in organisations that equate visibility with change and never connect the message to a control owner, a deadline, or a measurable adoption target.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | GV.RM-01 | Awareness must tie to measurable risk decisions, not generic education. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Broad messaging fails when secret handling and rotation are not operationalised. |
| NIST AI RMF | GOVERN | Behaviour change for AI-related risk needs governance and accountability. |

Pair awareness with secret rotation, ownership, and enforced lifecycle controls.