By NHI Mgmt Group Editorial Team. Published 2025-09-19. Domain: Governance & Risk. Source: Abnormal AI

TL;DR: 99% of security leaders report incidents from avoidable user actions, while 83% say their current training program is too hard to maintain, highlighting the limits of predictable phishing drills and completion-rate metrics, according to Abnormal AI. Passive awareness training assumes people will learn from static simulations, but real attacks now arrive as personalised, AI-crafted messages that defeat that model.


At a glance

What this is: This is Abnormal AI's case for replacing predictable security awareness training with behavioral, just-in-time coaching that responds to simulated clicks and missed indicators.

Why it matters: It matters because IAM and security teams need to manage human risk as an identity problem, not just a training-completion problem, alongside NHI and autonomous access controls.

By the numbers: 99% of security leaders report incidents from avoidable user actions, and 83% say their current training programme is too hard to maintain, according to Abnormal AI.


Context

Traditional security awareness training often treats human identity risk as a compliance exercise, but the article argues that completion rates do not measure whether people behave safely under pressure. The gap is wider now because attackers can use AI to craft personalised phishing that looks far more credible than the static simulations many programmes still rely on.

For IAM and security leaders, the real issue is not whether users can pass a drill. It is whether the organisation can change risky behaviour at the moment of exposure, in the same way NHI and autonomous governance focus on runtime conditions rather than box-ticking after the fact.


Key questions

Q: How should security teams measure whether phishing training is actually working?

A: They should measure behaviour change, not just course completion. Useful signals include reduced repeat clicks, better reporting rates, and improved performance on realistic simulations that match a user's role and threat exposure. If training only shows attendance and no change in risky actions, it is producing compliance evidence, not resilience.

Q: Why do predictable phishing drills fail against modern attacks?

A: Predictable drills fail because employees quickly learn the pattern of the exercise and stop treating it as a real threat. That creates a false pass rate. AI-crafted phishing is more personalised, so the training environment must be harder to recognise and more relevant to the user's actual working context.

Q: When should organisations use just-in-time coaching instead of periodic awareness content?

A: They should use just-in-time coaching when the goal is to change behaviour at the moment of exposure. Immediate feedback after a simulated click links the mistake to the missed signal, which is far more effective than asking users to remember advice from a training session weeks earlier.

Q: What should security leaders do when training takes too much effort to maintain?

A: They should simplify the programme around automation, targeting, and measurable outcomes. If maintenance effort is consuming the team, the process is probably too static. Move toward automated simulation generation, role-based content, and reporting that ties effort to reduced risky behaviour.


Technical breakdown

Why predictable phishing simulations fail

Static phishing simulations are easy to recognise because they repeat the same patterns, cadence, and warning signs. That predictability teaches employees how to pass the exercise, not how to recognise a live attack. The deeper problem is that modern phishing is no longer generic: AI-generated lures can be personalised by role, context, and timing, which means training that relies on obvious templates creates a false sense of resilience. In governance terms, the control measures the training vendor reports are completion and click rates, while the real control objective is behavioural change under realistic attack conditions.

Practical implication: measure training against real behaviour change, not against whether people completed a module.

How just-in-time coaching changes the control model

Just-in-time coaching shifts awareness from a periodic programme to an event-driven intervention. Instead of relying on memory from a quarterly module, the user receives immediate feedback after a simulated click, linked to the specific indicator they missed. That changes training from abstract instruction into contextual reinforcement. It also creates more meaningful evidence for security teams, because the moment of error becomes the moment of learning. This is closer to runtime governance than to annual awareness training, and it works because it captures attention while the threat pattern is still fresh.

Practical implication: build feedback loops that fire immediately after risky behaviour, not weeks later in a recap report.

Behavioral intelligence is now the core of human risk management

Behavioral intelligence in this context means using observed user interactions to tailor simulation difficulty, content, and coaching. The article's model uses prior threat exposure and role context to generate more relevant scenarios, which matters because one-size-fits-all content cannot keep pace with personalised attacks. The operational lesson is that human risk management is becoming a data problem as much as a content problem. Teams need to know which users are exposed, which indicators they miss, and which messages actually change future behaviour.

Practical implication: segment training by exposure and role so the programme reflects how people are actually targeted.


NHI Mgmt Group analysis

Traditional awareness training fails because it optimises for completion, not resilience. The article's data point that 99% of leaders still see incidents from avoidable user actions shows the control objective is wrong, not just the delivery method. Security awareness that measures attendance and video completion but not behaviour under attack cannot be relied on as a governance control. Practitioners should treat awareness outcomes as a resilience problem, not a learning-management metric.

Behavioral feedback closes the gap between simulated error and real-world learning. Just-in-time coaching works because it turns the exact mistake into the lesson, while the simulation is still cognitively present. That is a better fit for modern phishing than generic pre-briefing or delayed follow-up. The discipline should move toward event-based reinforcement that records what users missed and how they respond next time. Practitioners should prioritise feedback loops that are tied to actual risky actions.

Human identity risk now behaves more like an adaptive attack surface than a static training audience. AI-crafted phishing reduces the value of memorised indicators and increases the importance of contextual judgement. This is where IAM and security awareness meet: identity governance for people must now account for runtime behaviour, not just enrolment and access rights. Practitioners should align human-risk programmes with live detection and response, not with content calendars.

AI-generated coaching creates a new governance layer for human identity programmes. The promise is not that AI training solves phishing, but that it can make human-risk controls responsive enough to matter. That changes how security leaders think about programme ownership, evidence, and accountability across IAM, SOC, and awareness functions. Practitioners should use behaviour change as the primary signal of control effectiveness.

Behavioral intelligence is the named concept this article makes operational. It describes the use of observed user actions, prior exposure, and role context to tailor simulations and coaching. The implication is that awareness can finally be managed with the same precision as other identity controls, provided teams stop treating all users as if they respond to the same threat pattern. Practitioners should segment and tune human-risk interventions by context, not by calendar.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities, according to the same report.
  • Human-risk programmes and NHI governance are converging around visibility, context, and runtime evidence, which makes Top 10 NHI Issues the right next read for teams building identity controls across people and machines.

What this signals

Behavioral intelligence: security teams should treat human-risk telemetry as a live control signal, not a training report. If click behaviour, reporting rates, and repeat mistakes are not feeding back into IAM and SOC decision-making, the programme is not governing risk, only documenting it.

The wider signal is that identity programmes are moving from static enrolment and periodic review toward runtime evidence. That shift is happening across human identity, NHI, and autonomous access, and the teams that can correlate behaviour with exposure will have a clearer view of where controls actually fail.

As AI makes phishing more personalised, human-risk controls need the same context sensitivity that NHI teams already demand from access governance. The practical question is whether your programme can adapt messages and interventions fast enough to matter, or whether it still depends on predictable training artefacts.


For practitioners

  • Replace completion metrics with behaviour metrics: track whether users miss the same indicators repeatedly, whether click rates fall after coaching, and whether high-risk teams improve under realistic simulations.
  • Use role-based simulation targeting: tailor phishing scenarios to the messages, workflows, and external contact patterns each team actually sees so the exercise resembles a real attack path.
  • Deliver feedback immediately after simulated clicks: show the missed clue, explain the likely attacker tactic, and reinforce the correct response while the scenario is still fresh.
  • Treat human-risk data as identity telemetry: feed simulation outcomes into IAM, SOC, and awareness reporting so the organisation can see where risky behaviour clusters and which control gaps persist.
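The behaviour metrics in the practitioner list above, and the role-based segmentation described under "Behavioral intelligence" in the technical breakdown, as an added Python example that is not from the article or from Abnormal AI's product. The simulation records, indicator names and role labels are constructed for illustration; the functions compute repeat-miss, click-rate-after-coaching and reporting-rate signals from them.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed simulation outcome records, not real telemetry. One record per
# phishing simulation delivered to one user. "indicator" names the cue the lure
# exposed; "coached" marks whether the user had already received just-in-time
# feedback before this send, so click rates can be compared before and after.
@dataclass(frozen=True)
class SimEvent:
    user: str
    role: str
    indicator: str
    clicked: bool
    reported: bool
    coached: bool

EVENTS = [
    SimEvent("alice", "finance", "sender-domain-mismatch", True, False, False),
    SimEvent("alice", "finance", "sender-domain-mismatch", True, False, True),
    SimEvent("alice", "finance", "urgent-payment-request", False, True, True),
    SimEvent("bob", "finance", "urgent-payment-request", True, False, False),
    SimEvent("bob", "finance", "urgent-payment-request", False, True, True),
    SimEvent("carol", "engineering", "fake-oauth-consent", True, False, False),
    SimEvent("carol", "engineering", "fake-oauth-consent", False, False, True),
    SimEvent("dave", "engineering", "fake-oauth-consent", False, True, False),
]

def repeat_missed_indicators(events):
    """(user, indicator) pairs clicked more than once: the same cue missed again."""
    misses = Counter((e.user, e.indicator) for e in events if e.clicked)
    return {key: n for key, n in misses.items() if n > 1}

def click_rate_by_role(events, coached):
    """Click rate per role, restricted to sends before (False) or after (True) coaching."""
    sent, clicked = Counter(), Counter()
    for e in events:
        if e.coached == coached:
            sent[e.role] += 1
            clicked[e.role] += e.clicked
    return {role: clicked[role] / sent[role] for role in sent}

def reporting_rate_by_role(events):
    """Share of simulations a role reported, regardless of whether it also clicked."""
    sent, reported = Counter(), Counter()
    for e in events:
        sent[e.role] += 1
        reported[e.role] += e.reported
    return {role: reported[role] / sent[role] for role in sent}

def coaching_effect(events):
    """Change in click rate per role after just-in-time coaching; negative means improvement."""
    before = click_rate_by_role(events, coached=False)
    after = click_rate_by_role(events, coached=True)
    return {role: after.get(role, 0.0) - before[role] for role in before}
```

A role whose click rate does not fall after coaching, or a user who keeps appearing in the repeat-miss set, is the segment to retarget rather than a line in a completion report.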

Key takeaways

  • Traditional security awareness training is failing because it rewards completion rather than measurable behaviour change under realistic attack conditions.
  • The article's own survey data shows the scale of the problem, with 99% reporting incidents from avoidable user actions and 83% saying training is too costly to maintain.
  • Security teams should move toward contextual, just-in-time coaching and human-risk telemetry if they want awareness to function as a real control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AT-1 | Security awareness training is directly addressed by this article's training critique.
NIST Zero Trust (SP 800-207) | PR.AC-7 | The article pushes toward continuous verification of human behaviour under attack.
NIST CSF 2.0 | DE.CM-8 | Behavioural telemetry from simulated clicks supports ongoing detection and monitoring.

Feed awareness outcomes into monitoring so risky patterns are visible to security operations.


Key terms

  • Just-in-time coaching: Just-in-time coaching is immediate feedback delivered at the moment a risky action occurs, usually after a simulated or real security event. It works by pairing the user's mistake with the specific signal they missed, turning the moment of failure into a relevant learning point.
  • Behavioral intelligence: Behavioral intelligence is the use of observed user actions, context, and prior exposure to tailor security interventions. In identity programmes, it shifts the focus from static awareness content to evidence about how people actually respond to threats and whether that response improves over time.
  • Human-risk management: Human-risk management is the discipline of identifying, measuring, and reducing security risk created by user behaviour. It connects awareness, IAM, SOC, and governance so that risky actions are treated as operational signals rather than isolated training failures.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: Key insights on why traditional security training is broken and how AI phishing coaching changes the model. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org