Training without workflow controls leaves employees responsible for detecting deception in real time, under pressure, and with limited context. That is not a reliable control for high-value requests. Organisations need policy, verification, and approval design that make a fake request harder to complete even when a user is uncertain.
Why This Matters for Security Teams
Awareness training has value, but it is not a dependable control when the request is urgent, plausible, and tied to a real business workflow. Social engineering succeeds because people are asked to make judgment calls under time pressure, while the attacker controls the timing, channel, and urgency. Current guidance from the NIST Cybersecurity Framework 2.0 treats awareness as one layer, not a substitute for process design.
When organisations rely on training alone, the burden shifts to the individual employee to detect deception, remember policy, and stop a request that may appear legitimate. That model breaks down in finance, HR, executive support, and IT support workflows where exceptions are common and approvals are routine. It also fails when attackers reuse internal language, copy vendors, or exploit compromised accounts to make the request look familiar. The result is a control that depends on perfect human performance in imperfect conditions.
NHIMG’s research on the State of Secrets in AppSec shows how quickly control assumptions collapse when real-world behaviour diverges from policy, including the operational drag created by fragmented secrets management. In practice, many security teams discover the weakness of awareness-only defense only after a fraudulent request has already moved money, changed access, or exposed secrets.
How It Works in Practice
Training should be treated as a supporting control that improves user judgment, not as the gate that stops a high-risk action. The stronger pattern is to make suspicious requests harder to complete by changing the workflow itself: out-of-band verification for payment changes, dual approval for privileged actions, callback rules for account modifications, and system-enforced validation for secrets or identity changes. The question is not whether users can spot fraud every time. The question is whether the business process prevents a single mistaken click from becoming an incident.
That is why workflow controls matter more than awareness alone. They shift the burden from memory to design:
- Use role-aware approvals for high-value changes, but require a second channel for confirmation when the request is unusual.
- Require step-up verification for sensitive actions, especially when the request arrives by email or chat.
- Log and challenge exceptions so abnormal behaviour is visible before it becomes routine.
- Separate request, approval, and execution paths so one compromised identity cannot complete the entire action.
The NIST guidance on risk reduction is useful here because it emphasises governance, protection, detection, and response as a system rather than a single awareness intervention. NHIMG’s DeepSeek breach coverage illustrates the same lesson from the identity side: once sensitive material or credentials are exposed, human caution alone cannot contain the blast radius. In other words, training should help a user hesitate, but the control should make the dangerous action fail closed when verification is missing. These controls tend to break down in fast-moving support desks and executive workflows because exceptions are frequent and staff are pressured to keep business moving.
Common Variations and Edge Cases
Tighter verification often increases friction, so organisations must balance fraud resistance against operational speed. That tradeoff is real, especially where urgent customer-facing changes, after-hours operations, or incident response require rapid action. Best practice is evolving, but there is no universal standard for exactly which requests need step-up approval versus simple user confirmation. High-risk actions should have the strongest controls; low-risk, repetitive actions can use lighter checks.
Some environments also create false confidence by combining awareness training with broad exception handling. If employees can bypass verification whenever a manager is unavailable, the control becomes procedural rather than preventive. Likewise, phishing-resistant authentication helps, but it does not solve fraudulent workflow requests once an attacker is already inside an authenticated channel. That is why policy, approval design, and system-enforced checks must be aligned.
For organisations handling secrets and privileged access, NHIMG research on The State of Secrets in AppSec is a useful reminder that control gaps are usually operational, not educational. Training can reduce mistakes, but it cannot compensate for fragmented tooling, unclear ownership, or approval paths that reward speed over scrutiny.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Access should be verified by design, not by user suspicion alone. |
| NIST CSF 2.0 | GV.OV-1 | Security oversight must measure whether workflow controls actually reduce fraud. |
| OWASP Non-Human Identity Top 10 | NHI-06 | Workflow abuse and weak verification often expose secrets and privileged actions. |
Review fraud-prone processes and replace training-only dependence with enforced verification.
