TL;DR: Traditional security awareness training was built for compliance, not risk reduction, while AI-driven phishing coaching now turns real attacks into personalized simulations and measures behaviour change instead of click rates, according to Abnormal AI. The governance shift is from annual training completion to continuous human risk management, where timely intervention matters more than audit theatre.
NHIMG editorial — based on content published by Abnormal AI: AI phishing coaching and the shift from awareness to action
Questions worth separating out
Q: How should security teams measure whether phishing training is actually working?
A: They should measure whether risky behaviour changes, not whether users completed a module or passed a quiz.
Q: Why do traditional security awareness programmes fail against modern phishing attacks?
A: They fail because they are usually generic, infrequent, and disconnected from the attacks employees actually face.
Q: What should organisations do when users keep clicking on phishing simulations?
A: They should treat repeated clicks as a coaching signal, not a punishment trigger.
Practitioner guidance
- Map training to live attack patterns: use current phishing and social-engineering examples from your environment to drive simulation content, so employees see the same lures attackers are actually using.
- Replace completion metrics with behaviour metrics: track repeat clicks, response quality, and improvement over time, then use those signals to prioritise coaching for the highest-risk populations.
- Add just-in-time coaching to the workflow: deliver immediate feedback at the point of risky action so the user learns why the message was suspicious before the behaviour becomes habitual.
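To make "behaviour metrics" concrete, here is an added example (not code from Abnormal AI, the webinar, or NHIMG) that turns constructed phishing-simulation outcomes into per-user signals (repeat clicks, report rate, trend over time) and ranks who should get coaching first. The event records, outcome labels and scoring rules are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the article): one record per simulated
# phish delivered to a user, as (user, campaign_number, outcome).
# Outcomes are assumed to be "reported", "ignored" or "clicked".
EVENTS = [
    ("alice", 1, "clicked"), ("alice", 2, "clicked"),
    ("alice", 3, "reported"), ("alice", 4, "reported"),
    ("bob", 1, "clicked"), ("bob", 2, "ignored"),
    ("bob", 3, "clicked"), ("bob", 4, "clicked"),
    ("carol", 1, "reported"), ("carol", 2, "ignored"),
    ("carol", 3, "reported"), ("carol", 4, "reported"),
]


def behaviour_metrics(events):
    """Per-user behaviour signals instead of completion counts.

    trend = click rate in the later half of campaigns minus the earlier half;
    negative means the user is improving, positive means getting worse.
    """
    by_user = defaultdict(list)
    for user, _campaign, outcome in sorted(events, key=lambda e: e[1]):
        by_user[user].append(outcome)
    metrics = {}
    for user, outcomes in by_user.items():
        n = len(outcomes)
        clicks = outcomes.count("clicked")
        half = n // 2
        early = outcomes[:half].count("clicked") / max(half, 1)
        late = outcomes[half:].count("clicked") / max(n - half, 1)
        metrics[user] = {
            "clicks": clicks,
            "repeat_clicks": max(clicks - 1, 0),  # clicks beyond the first
            "report_rate": round(outcomes.count("reported") / n, 2),
            "trend": round(late - early, 2),
        }
    return metrics


def coaching_priority(events):
    """Users ordered by coaching need: repeat clickers first, then users
    trending worse, then users who rarely report. A coaching queue, not
    a punishment list."""
    m = behaviour_metrics(events)
    return sorted(
        m, key=lambda u: (-m[u]["repeat_clicks"], -m[u]["trend"], m[u]["report_rate"])
    )
```

Running `coaching_priority(EVENTS)` ranks bob (three clicks, getting worse) ahead of alice (two early clicks, now reporting) and carol (never clicked), which is the ordering a completion metric would never surface.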
What's in the full article
Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:
- Live coaching workflow examples showing how real phishing attempts are neutralised and reused as training content.
- Operational examples of how simulation cadence, content delivery, and progress tracking are automated end to end.
- The specific behaviour signals used to measure risk reduction instead of click-through or completion metrics.
- Speaker commentary from Patricia Titus and Sydney Gangi on how teams can operationalise the model.
👉 Read Abnormal AI's webinar analysis of AI phishing coaching and human risk management →
AI phishing coaching and human risk management: what changes now?
Explore further
Check-the-box awareness training is a compliance control, not a resilience control. The article describes a model that satisfies audit demands but does little to change behaviour under real attack pressure. That distinction matters because phishing resilience depends on what users do under stress, not whether they finished a module. The implication is that human identity governance must be evaluated by behavioural effect, not by training administration.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to the 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to the same report.
A question worth separating out:
Q: Who should own human risk management in an identity programme?
A: Ownership should sit with security and identity leaders together, because the problem spans behaviour, access, and incident prevention. If the programme is tied only to awareness teams, it becomes a training exercise. If it is tied only to SOC metrics, it misses the governance side. Human risk management works when it is treated as part of identity governance.
👉 Read our full editorial: AI phishing coaching is replacing check-the-box security training