By NHI Mgmt Group Editorial TeamPublished 2026-05-07Domain: Cyber SecuritySource: Drata

TL;DR: Agentic AI is widening the human-risk problem as 68% of breaches still involve people, 82.6% of phishing emails now use some form of AI, and 43% of workers admit sharing sensitive information with AI tools without permission, according to Drata and its cited research. Static awareness training is no longer enough when both humans and AI agents influence access, behaviour, and audit evidence.


At a glance

What this is: This piece argues that agentic AI and human behaviour now form a shared security problem, with AI-amplified phishing, shadow AI, and audit friction all pushing teams toward risk-based governance.

Why it matters: It matters because IAM, PAM, GRC, and security awareness teams now have to govern people and AI-assisted workflows together, not as separate programme tracks.

By the numbers:

👉 Read Drata's partner perspective on agentic AI, human risk, and audit readiness


Context

Agentic AI changes the security problem because it can act, decide, and move through workflows at runtime, which makes old training-first and policy-only models too slow to govern. In practical terms, this is an identity and access issue as much as a security awareness issue, because both humans and AI agents can become pathways into sensitive data, audit gaps, and delegated actions.

Drata’s article uses KnowBe4’s partner perspective to argue that security programmes need to quantify behaviour, not just publish rules. That framing is directionally correct for IAM and GRC leaders: once AI use becomes embedded in knowledge work, the control question shifts from whether people saw a policy to whether the organisation can measure, constrain, and evidence access behaviour across the workforce.

The article’s starting position is not unusual for large enterprises that already struggle to correlate human actions, cloud evidence, and policy compliance across different tools.


Key questions

Q: How should security teams govern AI use alongside human behaviour risk?

A: Treat AI usage, user behaviour, and access governance as one control problem. Map the sensitive workflows first, then decide where training, conditional access, approval steps, and monitoring need to apply. If AI tools can touch regulated or confidential data, govern them with the same discipline used for privileged human access and evidence collection.

Q: Why do AI-driven phishing and deepfakes change identity risk management?

A: They increase the speed and credibility of trust exploitation, which means standard awareness campaigns are no longer enough on their own. Identity programmes need behavioural telemetry, stronger verification for high-risk requests, and controls that can adapt when users or AI tools show risky interaction patterns.

Q: How do organisations know whether a risk-based awareness programme is working?

A: Look for changes in risky behaviour, not just course completion. Useful signals include lower click-through rates, fewer policy bypasses, reduced sensitive-data sharing, and faster escalation of high-risk users or workflows. If those indicators do not improve, the programme is producing activity, not risk reduction.

Q: Who is accountable when AI tools expose sensitive information or weaken audit evidence?

A: Accountability should sit with the control owner for the workflow, not with the tool itself. Security, IAM, and GRC leaders should define ownership for data-handling rules, approval paths, evidence capture, and exception handling before AI use expands, so responsibility is clear when something goes wrong.


Technical breakdown

Why human behaviour and AI use now create a shared attack surface

The article points to a workforce where human error, policy bypass, and AI-assisted social engineering overlap. AI does not replace the human layer in most attacks, it amplifies it by making phishing, vishing, and impersonation cheaper, faster, and more convincing. That means the relevant control boundary is no longer just endpoint or email filtering. It extends into identity governance, access conditioning, and behaviour telemetry that can distinguish ordinary use from risky use across people and AI-enabled workflows.

Practical implication: treat behavioural telemetry as a control input for IAM and GRC, not just a training metric.

Risk scoring as a governance layer for digital workforce security

A quantified risk score becomes useful when it combines signals from simulations, email behaviour, and user interaction patterns into a prioritisation model. The technical value is not the score itself, but the ability to route controls, training, and escalation based on observed risk rather than calendar-driven campaigns. For identity teams, this is analogous to moving from periodic review to continuous entitlement and behaviour assessment, especially where AI tools can change how quickly people reveal information or approve actions.

Practical implication: connect risk scoring to conditional access, targeted training, and review queues instead of leaving it as a dashboard metric.

Why audit evidence must be continuous in hybrid human and AI programmes

The article also shows that compliance evidence breaks down when training records, risk actions, and control mappings live in separate systems. Continuous evidence collection matters because it preserves a traceable link between human behaviour, AI-use governance, and the controls auditors ask to see. This is where identity governance intersects with GRC: if access is dynamic and AI-assisted, evidence must be automatically collected, normalised, and mapped to frameworks before the audit window opens.

Practical implication: automate evidence capture for training, policy attestation, and access-related controls rather than reconstructing them at audit time.


Threat narrative

Attacker objective: The attacker’s objective is to exploit human trust and AI-amplified deception to gain access, steal data, or create downstream control failures.

  1. Entry begins with AI-assisted social engineering, where phishing, vishing, or deepfake impersonation reaches users through trusted communication channels.
  2. Escalation follows when a user clicks, shares data, or approves a request, giving the attacker behavioural leverage rather than just technical access.
  3. Impact occurs when compromised trust is translated into credential theft, sensitive-data exposure, or audit and compliance blind spots across the programme.

NHI Mgmt Group analysis

Human risk and agentic AI now belong in the same governance conversation: the article captures a real shift in control scope, because both humans and AI-enabled workflows can now drive risk from the same operational layer. Behavioural training alone cannot contain that risk if organisations cannot measure what people and agents actually do. Practitioners should treat human behaviour, AI usage, and access governance as one programme boundary.

Risk-first governance is becoming more defensible than training-first governance: the strongest part of the article is its move from awareness as a goal to risk measurement as a control. That is the right direction for identity programmes because access review, policy attestation, and user education all become more effective when prioritised by observed behaviour. Practitioners should expect more evidence-based governance, not more generic training volume.

Behavioural telemetry is emerging as a control plane for identity decisions: the article points to a model where phishing simulations, email behaviour, and user interaction patterns feed prioritisation and escalation. That is a meaningful shift for IAM and PAM teams because it ties identity governance to live signals instead of static role assumptions. Practitioners should build review and response pathways that can consume those signals in near real time.

Continuous evidence will matter more as security and compliance programmes converge: this is not just an awareness story, it is a GRC story about proving that controls worked. Once AI-driven behaviour is part of the threat model, screenshot-driven audits and manual evidence collection become too slow to support operational trust. Practitioners should align identity evidence, training records, and control mappings before the next audit cycle forces the issue.

Digital workforce security is a useful concept, but it only works if AI agents are governed as identities: the article correctly treats the workforce as hybrid, but hybrid governance only succeeds when AI agents are assigned boundaries, monitoring, and lifecycle controls comparable to human access. That is where the identity angle becomes decisive. Practitioners should stop treating AI use as a side channel and start governing it as part of the workforce access model.

What this signals

Digital workforce security will increasingly be judged by evidence quality, not awareness volume. Once AI-assisted behaviour becomes part of the threat model, programme leaders need proof that identity, training, and compliance signals are connected. The practical test is whether a high-risk user or workflow can be identified, routed, and evidenced without manual stitching across tools.

Behavioural risk scoring will become more useful when it informs identity controls directly. If a risk score does not change access decisions, escalation priority, or training targeting, it remains a reporting metric. That is why IAM, PAM, and GRC teams should define where risk telemetry feeds the control plane and where it simply informs management reporting.

Shadow AI should be handled as an access governance issue, not just a policy issue. Once unsanctioned tools can process sensitive data, the real control question becomes who approved the data path, who can revoke it, and how exceptions are monitored. That is where the boundary between identity governance and AI governance starts to converge.


For practitioners

  • Build a combined human-and-AI risk register Track phishing susceptibility, AI tool usage, policy bypass, and sensitive-data exposure in one programme so identity, security awareness, and GRC teams work from the same risk picture.
  • Use behavioural scores to drive access decisions Feed high-risk signals into conditional access, targeted review queues, and escalations so the riskiest users and AI-enabled workflows receive the fastest intervention.
  • Automate evidence capture for audit readiness Connect training completion, policy attestation, and control mappings to your compliance platform so evidence is continuously collected instead of reconstructed at audit time.
  • Treat AI-use policy as an access governance control Define which AI tools can handle sensitive data, who can approve that use, and how exceptions are recorded so shadow AI does not become an unmanaged disclosure path.

Key takeaways

  • The article’s central message is that human behaviour and agentic AI now create a single security and governance problem.
  • The evidence it cites points to scale, with most breaches still involving people and AI-driven phishing raising the pressure on existing controls.
  • The practical response is to move from generic awareness to measurable risk, continuous evidence, and access governance tied to behaviour.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AT-1The article centres on awareness, behaviour change, and risk reduction across users and AI use.
NIST SP 800-53 Rev 5AT-2Training and awareness evidence are core to the article's audit-readiness theme.
NIST AI RMFGOVERNAI governance and accountability are central because the article treats AI use as a managed risk.
GDPRArt.32Sensitive-data handling and human/AI behaviour both affect protection of personal data.

Automate training evidence collection and map it to AT-2 and related control families continuously.


Key terms

  • Digital Workforce Security: The practice of governing security behaviour across both human workers and AI-enabled systems that participate in business processes. It extends awareness and compliance thinking into measurable control over access, actions, and evidence across a hybrid workforce.
  • Risk Score: A quantified measure used to prioritise users, workflows, or systems based on observed behaviour and related indicators. In security programmes, the value is not the number itself but whether it drives access decisions, training, review, or escalation.
  • Shadow AI: AI tools or agents used in an organisation without formal approval, visibility, or governance. The risk is not just policy non-compliance, but unmanaged data handling, weak accountability, and gaps in audit evidence when those tools touch sensitive information.
  • Behavioural Telemetry: Signals collected from user or system actions, such as clicks, approvals, data sharing, or suspicious interaction patterns. Used well, it helps security teams distinguish ordinary activity from elevated risk and route controls accordingly.

What's in the full article

Drata's full article covers the operational detail this post intentionally leaves for the source:

  • How the KnowBe4 and Drata integration maps training evidence into compliance controls and audit workflows
  • The specific way Drata is used to keep evidence continuously updated across 16+ compliance frameworks
  • Customer examples showing reductions in audit meetings, auditor requests, and internal GRC workload
  • The partner’s discussion of how its agentic AI and human risk model is operationalised across the platform

👉 Drata's full article covers the integration details, customer impact, and partner context behind the programme.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and identity lifecycle fundamentals. It helps practitioners connect access, evidence, and control decisions across human and non-human programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org