Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Agentic AI and human risk: what is changing for security teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Agentic AI is widening the human-risk problem as 68% of breaches still involve people, 82.6% of phishing emails now use some form of AI, and 43% of workers admit sharing sensitive information with AI tools without permission, according to Drata and its cited research. Static awareness training is no longer enough when both humans and AI agents influence access, behaviour, and audit evidence.

NHIMG editorial — based on content published by Drata: Partner POV on agentic AI, human risk, and audit readiness

By the numbers:

Questions worth separating out

Q: How should security teams govern AI use alongside human behaviour risk?

A: Treat AI usage, user behaviour, and access governance as one control problem.

Q: Why do AI-driven phishing and deepfakes change identity risk management?

A: They increase the speed and credibility of trust exploitation, which means standard awareness campaigns are no longer enough on their own.

Q: How do organisations know whether a risk-based awareness programme is working?

A: Look for changes in risky behaviour, not just course completion.

Practitioner guidance

  • Build a combined human-and-AI risk register Track phishing susceptibility, AI tool usage, policy bypass, and sensitive-data exposure in one programme so identity, security awareness, and GRC teams work from the same risk picture.
  • Use behavioural scores to drive access decisions Feed high-risk signals into conditional access, targeted review queues, and escalations so the riskiest users and AI-enabled workflows receive the fastest intervention.
  • Automate evidence capture for audit readiness Connect training completion, policy attestation, and control mappings to your compliance platform so evidence is continuously collected instead of reconstructed at audit time.

What's in the full article

Drata's full article covers the operational detail this post intentionally leaves for the source:

  • How the KnowBe4 and Drata integration maps training evidence into compliance controls and audit workflows
  • The specific way Drata is used to keep evidence continuously updated across 16+ compliance frameworks
  • Customer examples showing reductions in audit meetings, auditor requests, and internal GRC workload
  • The partner’s discussion of how its agentic AI and human risk model is operationalised across the platform

👉 Read Drata's partner perspective on agentic AI, human risk, and audit readiness →

Agentic AI and human risk: what is changing for security teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Human risk and agentic AI now belong in the same governance conversation: the article captures a real shift in control scope, because both humans and AI-enabled workflows can now drive risk from the same operational layer. Behavioural training alone cannot contain that risk if organisations cannot measure what people and agents actually do. Practitioners should treat human behaviour, AI usage, and access governance as one programme boundary.

A question worth separating out:

Q: Who is accountable when AI tools expose sensitive information or weaken audit evidence?

A: Accountability should sit with the control owner for the workflow, not with the tool itself. Security, IAM, and GRC leaders should define ownership for data-handling rules, approval paths, evidence capture, and exception handling before AI use expands, so responsibility is clear when something goes wrong.

👉 Read our full editorial: Agentic AI and human risk are converging in security programmes



   
ReplyQuote
Share: