TL;DR: Abnormal says its AI Phishing Coach uses real org-specific threats, user context, and human review to generate personalized phishing simulations and training videos, while also using AI development tools to ship the MVP in weeks. The deeper lesson is that awareness programmes now need stronger identity context, tighter governance, and better oversight to avoid becoming another automated channel for risk.
NHIMG editorial — based on content published by Abnormal AI: Key Insights on AI Phishing Coach and rapid GenAI development
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
Questions worth separating out
Q: How should teams run personalized phishing training without overexposing employee data?
A: Teams should use only the minimum identity and behavioural context needed to make simulations relevant, then restrict who can enrich, view, and export that data.
Q: When does AI-generated awareness content become a governance risk?
A: It becomes a governance risk when models can draft, target, or schedule training without a named reviewer validating the scenario before launch.
Q: What should security teams control in AI-powered phishing simulations?
A: Security teams should control the source of threat intelligence, the identity attributes used for targeting, the template approval step, and the delivery mechanism.
Practitioner guidance
- Map training content to identity context sources Inventory which systems contribute role, manager, location, threat-history, and tenant data to simulation generation.
- Keep AI-generated simulations behind approval gates Require a human reviewer to validate each new template class, spoofed sender pattern, and escalation path before launch.
- Treat training delivery as protected content Use private storage, short-lived signed URLs, and playback restrictions for awareness assets, then monitor for forwarding, reuse, or unauthorized access.
What's in the full article
Abnormal AI’s full post covers the operational detail this post intentionally leaves for the source:
- How the simulation engine turns threat intelligence into user-specific phishing scenarios while stripping PII.
- How the training workflow uses signed delivery links, storage controls, and playback restrictions to limit leakage.
- How the engineering team used AI tooling to generate boilerplate, mockups, and internal project scaffolding quickly.
- How the human review panel validates simulation templates before campaigns are launched.
👉 Read Abnormal AI’s analysis of AI Phishing Coach and hyper-personalized training →
Hyper-personalised phishing training: what IAM teams should notice?
Explore further
Identity-aware training is becoming a governance problem, not just a content problem. The article shows that phishing simulation is no longer a static awareness exercise. Once training content is generated from role, location, prior susceptibility, and live threat context, the programme starts to behave like an identity-driven control surface. That means access to user attributes, threat inputs, and campaign logic deserves the same oversight teams apply to privileged workflows. The practitioner takeaway is that awareness tooling now sits inside the identity governance perimeter.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 44% of organisations have implemented any policies to govern AI agents, even though 92% agree that governance is critical to enterprise security.
A question worth separating out:
Q: How do organisations keep just-in-time coaching from turning into content leakage?
A: Use expiring delivery links, private storage, and role-based access for both the training asset and the coaching response. Then audit who can retrieve, replay, or export the material. If the content reveals internal threat models or user behaviour patterns, treat it as sensitive security data, not a simple awareness video.
👉 Read our full editorial: Hyper-personalised phishing training is changing security awareness