By NHI Mgmt Group Editorial Team
Published 2026-02-26
Domain: Governance & Risk
Source: Abnormal AI

TL;DR: Traditional security awareness training was built for compliance, not risk reduction, while AI-driven phishing coaching now turns real attacks into personalized simulations and measures behaviour change instead of click rates, according to Abnormal AI. The governance shift is from annual training completion to continuous human risk management, where timely intervention matters more than audit theatre.


At a glance

What this is: An analysis of how AI is changing security awareness training from compliance-driven modules to behaviour-focused phishing coaching.

Why it matters: IAM and security teams must treat human identity risk as a continuous governance problem, not a once-a-year training exercise.



Context

Security awareness training has long been treated as a compliance activity, but it does not reliably reduce the human behaviour that attackers exploit. The problem is not a lack of instruction, but a lack of relevance, feedback, and measurable behaviour change.

The shift now is toward human risk management, where training is tied to observed exposure and response patterns. For identity programmes, that means connecting human identity governance, phishing resilience, and operational measurement instead of relying on completion metrics alone.


Key questions

Q: How should security teams measure whether phishing training is actually working?

A: They should measure whether risky behaviour changes, not whether users completed a module or passed a quiz. Useful indicators include repeat click rates, quality of user responses, improvement after coaching, and which employee groups remain most exposed. If the metrics do not show reduced susceptibility over time, the programme is delivering administration, not risk reduction.

Q: Why do traditional security awareness programmes fail against modern phishing attacks?

A: They fail because they are usually generic, infrequent, and disconnected from the attacks employees actually face. Attackers now use personalised lures, AI-driven reconnaissance, and realistic impersonation, while many training programmes still rely on outdated examples and annual compliance cycles. That mismatch leaves behaviour unchanged even when completion numbers look healthy.

Q: What should organisations do when users keep clicking on phishing simulations?

A: They should treat repeated clicks as a coaching signal, not a punishment trigger. The next step is to analyse the lure type, explain the exact cues that were missed, and deliver targeted follow-up training while the lesson is still fresh. The goal is to reduce future exposure, not simply mark the exercise as failed.

Q: Who should own human risk management in an identity programme?

A: Ownership should sit with security and identity leaders together, because the problem spans behaviour, access, and incident prevention. If the programme is tied only to awareness teams, it becomes a training exercise. If it is tied only to SOC metrics, it misses the governance side. Human risk management works when it is treated as part of identity governance.


Technical breakdown

Why check-the-box phishing training fails

Traditional security awareness training assumes knowledge transfer is enough to change behaviour. In practice, generic modules and annual phishing exercises rarely reflect the tactics attackers actually use, especially when those attacks are personalised through AI and public-data reconnaissance. The result is a programme that measures participation, not resilience. When the training content is detached from live threats, employees learn the test, not the risk signal. That is why teams keep seeing clicks even when completion rates look healthy.

Practical implication: replace static campaigns with training content derived from real attack patterns your organisation is actually seeing.

How just-in-time coaching changes the learning loop

Just-in-time coaching intervenes after a risky action, such as clicking a malicious link, and explains the specific cues the user missed. Instead of scolding, it turns an incident into a feedback moment. That matters because behaviour change happens when the lesson is immediate, contextual, and tied to the exact phishing pattern. AI makes this scalable by converting live threats into tailored simulations and delivering guidance at the point of failure rather than months later in a report.

Practical implication: build coaching into the moment of exposure so the lesson arrives before risky behaviour repeats.

Why risk reduction matters more than completion metrics

Click rates and training completion are vanity metrics when the programme goal is reducing human-driven incidents. A mature human risk programme looks at who is targeted, who is most likely to fall for which lures, and whether behaviour improves over time. That shifts the operating model from admin-heavy campaign management to continuous measurement and prioritisation. Security teams get a clearer view of which populations need intervention and which tactics are losing effectiveness.

Practical implication: measure changes in risky behaviour and exposure patterns, not just attendance or quiz scores.
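As an added example (not code from the article or from Abnormal AI), the behaviour metrics this section and the measurement question above describe, computed over a constructed simulation log: repeat clickers as a coaching signal, click rate per employee group and per lure type, and the share of coached clicks followed by a non-click in the user's next campaign. The SimEvent fields and the sample rows are assumptions made for illustration.

```python
from collections import defaultdict, namedtuple

# One row per user per simulation campaign; campaign numbers increase over time.
SimEvent = namedtuple("SimEvent", "user group campaign lure clicked coached")

# Constructed sample log for illustration (not real campaign data).
EVENTS = [
    SimEvent("alice", "finance", 1, "invoice", True, True),
    SimEvent("alice", "finance", 2, "invoice", False, False),
    SimEvent("bob", "finance", 1, "invoice", True, True),
    SimEvent("bob", "finance", 2, "mfa-reset", True, True),
    SimEvent("carol", "engineering", 1, "mfa-reset", False, False),
    SimEvent("carol", "engineering", 2, "mfa-reset", False, False),
    SimEvent("dave", "engineering", 1, "mfa-reset", True, True),
    SimEvent("dave", "engineering", 2, "mfa-reset", False, False),
]

def repeat_clickers(events):
    """Users who clicked in more than one campaign: a coaching signal, not a punishment trigger."""
    clicks = defaultdict(set)
    for e in events:
        if e.clicked:
            clicks[e.user].add(e.campaign)
    return sorted(u for u, c in clicks.items() if len(c) > 1)

def click_rate_by(events, key):
    """Click rate grouped by a field: 'group' shows exposed populations, 'lure' shows which tactics still work."""
    totals, clicks = defaultdict(int), defaultdict(int)
    for e in events:
        k = getattr(e, key)
        totals[k] += 1
        clicks[k] += int(e.clicked)
    return {k: clicks[k] / totals[k] for k in totals}

def post_coaching_improvement(events):
    """Share of coached clicks followed by a non-click in the same user's next campaign."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    coached = improved = 0
    for evs in by_user.values():
        evs.sort(key=lambda e: e.campaign)
        for prev, nxt in zip(evs, evs[1:]):
            if prev.clicked and prev.coached:
                coached += 1
                improved += int(not nxt.clicked)
    return improved / coached if coached else 0.0
```

On the sample log, finance shows a 75% click rate against engineering's 25%, bob is the only repeat clicker, and two of three coached clicks are followed by a non-click, which is the kind of per-population and post-coaching signal the text says to prioritise over completion counts.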


NHI Mgmt Group analysis

Check-the-box awareness training is a compliance control, not a resilience control. The article describes a model that satisfies audit demands but does little to change behaviour under real attack pressure. That distinction matters because phishing resilience depends on what users do under stress, not whether they finished a module. The implication is that human identity governance must be evaluated by behavioural effect, not by training administration.

Human risk management is now a measurable identity discipline, not a soft-security programme. The article’s strongest point is that behaviour can be observed, scored, and improved continuously rather than once a year. That creates a governance model closer to identity lifecycle management than to awareness theatre. The implication is that security leaders should treat human risk as a managed control surface with feedback loops, thresholds, and accountability.

Real-threat coaching creates a named concept worth carrying forward: risk-to-relevance training. The article’s central operational insight is that people learn when the simulated threat resembles what they actually face. That is a different model from generic phishing tests and recycled policy slides. The implication is that teams need training content rooted in current attack behaviour, not legacy awareness themes.

AI changes the economics of human security by making personalization scalable. The article shows that automation can handle simulation cadence, content delivery, and progress tracking while security teams focus on strategy. That matters because the old model failed partly due to operational friction, not just weak content. The implication is that human risk programmes now have to compete on relevance and timing, not volume.

The governance gap is not employee ignorance, but the lack of a closed-loop control system. The article frames the problem as continuous improvement, where exposure, reaction, and coaching feed back into the programme. That is a stronger model than compliance training because it converts behaviour into measurable signal. The implication is that identity and security teams should build reviewable human-risk feedback loops, not just awareness calendars.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to the 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to the same report.
  • That pattern reinforces why teams should pair identity governance with lifecycle discipline, as outlined in the NHI Lifecycle Management Guide.

What this signals

Risk-to-relevance training is the right mental model for teams moving beyond awareness theatre. If the simulation does not resemble the attack, the behavioural lesson is weak, and the programme will keep reporting activity without proving resilience.

Human risk programmes will increasingly be judged by whether they reduce repeat exposure in the highest-risk populations, not by whether they produced clean completion dashboards. That makes coaching design, content freshness, and measurement discipline part of identity governance, not optional security marketing.

For teams already managing non-human identity risk, the lesson is structural: exposure control only works when the control is tied to observed behaviour and lifecycle change. The same governance discipline that reduces NHI sprawl should now be applied to human risk workflows through the NHI Lifecycle Management Guide.


For practitioners

  • Map training to live attack patterns: Use current phishing and social-engineering examples from your environment to drive simulation content, so employees see the same lures attackers are actually using.
  • Replace completion metrics with behaviour metrics: Track repeat clicks, response quality, and improvement over time, then use those signals to prioritise coaching for the highest-risk populations.
  • Add just-in-time coaching to the workflow: Deliver immediate feedback at the point of risky action so the user learns why the message was suspicious before the behaviour becomes habitual.
  • Automate campaign operations and reporting: Let automation handle simulation cadence, content delivery, and progress tracking so the team can spend more time on strategy and risk analysis.

Key takeaways

  • Static security awareness training is a compliance control, but it is not enough to change the human behaviour that phishing attacks exploit.
  • AI enables personalised phishing coaching that measures risk reduction instead of vanity metrics like completion rates and click counts.
  • Identity teams should treat human risk management as a continuous governance loop with feedback, coaching, and behaviour-based measurement.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AT-1 | Security awareness outcomes depend on training that changes behaviour, not just completion.
NIST Zero Trust (SP 800-207) | PR.AC-3 | Human behaviour under phishing pressure affects access trust and continuous verification.
NIST SP 800-63 | (not specified) | Human identity assurance and user behaviour both influence phishing resilience.

Use PR.AT-1 to tie awareness efforts to observed behaviour change and risk reduction metrics.


Key terms

  • Security Awareness Training: Security awareness training is the formal effort to teach users how to recognise and avoid common attack patterns. In practice, it often measures attendance more than behaviour change, which is why many programmes look healthy on paper while user risk remains unchanged.
  • Human Risk Management: Human risk management is the discipline of identifying, measuring, and reducing security risk created by user behaviour. Unlike traditional awareness programmes, it focuses on repeated exposure, response quality, and measurable improvement over time rather than one-time training completion.
  • Just-in-Time Coaching: Just-in-time coaching is immediate guidance delivered at the moment a risky action occurs. It works best when the feedback is specific to the lure, behaviour, or mistake just observed, because the lesson is fresh and directly tied to the decision that needs to change.
  • Behaviour Metrics: Behaviour metrics are measures that show how people actually respond to risk, such as repeat clicks, follow-up susceptibility, or improvement after coaching. They are more useful than vanity metrics because they indicate whether the programme is reducing exposure instead of merely documenting activity.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: AI phishing coaching and the shift from awareness to action. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org