AI phishing coaching: can security awareness actually change behavior?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: 99% of security leaders report incidents from avoidable user actions, while 83% say their current training program is too hard to maintain, highlighting the limits of predictable phishing drills and completion-rate metrics, according to Abnormal AI. Passive awareness training assumes people will learn from static simulations, but real attacks now arrive as personalised, AI-crafted messages that defeat that model.

NHIMG editorial — based on content published by Abnormal AI: Key insights on why traditional security training is broken and how AI phishing coaching changes the model

By the numbers:

Questions worth separating out

Q: How should security teams measure whether phishing training is actually working?

A: They should measure behaviour change, not just course completion.

Q: Why do predictable phishing drills fail against modern attacks?

A: Predictable drills fail because employees quickly learn the pattern of the exercise and stop treating it as a real threat.

Q: When should organisations use just-in-time coaching instead of periodic awareness content?

A: They should use just-in-time coaching when the goal is to change behaviour at the moment of exposure.

Practitioner guidance

  • Replace completion metrics with behaviour metrics: track whether users miss the same indicators repeatedly, whether click rates fall after coaching, and whether high-risk teams improve under realistic simulations.
  • Use role-based simulation targeting: tailor phishing scenarios to the messages, workflows, and external contact patterns each team actually sees so the exercise resembles a real attack path.
  • Deliver feedback immediately after simulated clicks: show the missed clue, explain the likely attacker tactic, and reinforce the correct response while the scenario is still fresh.

What's in the full article

Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:

  • How the AI Phishing Coach generates role-specific simulations and why that changes maintenance overhead
  • The mechanics of just-in-time coaching after a simulated click and how the feedback loop is delivered
  • What the platform says about autonomously running awareness content at scale
  • The survey framing and behaviour-change logic behind the product positioning

👉 Read Abnormal AI's analysis of why security awareness training is broken →

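One way to turn the practitioner guidance above into numbers is to score simulation results by behaviour rather than completion. The following is an added example, not code from the post or from Abnormal AI's product: it runs over a constructed set of simulation events and reports repeated misses of the same indicator per user, per-team click rates before and after just-in-time coaching, and which teams still need attention. The event fields, team names, indicator labels and the COACHED_FROM mapping are all assumptions made for the example.

```python
"""Behaviour metrics for phishing-simulation results (illustrative example).

Each SimEvent is one user's outcome in one simulated campaign. Campaign
numbers increase over time. COACHED_FROM maps a user to the campaign number
from which they had received just-in-time coaching; events at or after that
campaign count as "after coaching", everything else as "before".
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SimEvent:
    campaign: int     # ordinal campaign number, 1 = earliest
    user: str
    team: str
    indicator: str    # the clue the lure relied on, e.g. "lookalike-domain"
    action: str       # "clicked", "reported" or "ignored"


# Constructed sample results (hypothetical users, teams and indicators).
EVENTS: List[SimEvent] = [
    SimEvent(1, "ana", "finance", "lookalike-domain", "clicked"),
    SimEvent(2, "ana", "finance", "lookalike-domain", "clicked"),
    SimEvent(3, "ana", "finance", "lookalike-domain", "reported"),
    SimEvent(1, "ben", "finance", "urgent-payment", "clicked"),
    SimEvent(2, "ben", "finance", "urgent-payment", "ignored"),
    SimEvent(3, "ben", "finance", "shared-doc", "reported"),
    SimEvent(1, "cy", "ops", "shared-doc", "ignored"),
    SimEvent(2, "cy", "ops", "shared-doc", "clicked"),
    SimEvent(3, "cy", "ops", "shared-doc", "clicked"),
    SimEvent(1, "dee", "ops", "urgent-payment", "reported"),
    SimEvent(2, "dee", "ops", "lookalike-domain", "reported"),
    SimEvent(3, "dee", "ops", "shared-doc", "reported"),
]

# Constructed: campaign from which each user had been coached (dee never was).
COACHED_FROM: Dict[str, int] = {"ana": 2, "ben": 2, "cy": 3}


def _phase(event: SimEvent, coached_from: Dict[str, int]) -> str:
    """Classify an event as before or after the user received coaching."""
    start = coached_from.get(event.user)
    return "after" if start is not None and event.campaign >= start else "before"


def repeat_misses(events: List[SimEvent], min_count: int = 2) -> Dict[Tuple[str, str], int]:
    """Users who clicked on the same indicator class in min_count or more campaigns."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e.action == "clicked":
            counts[(e.user, e.indicator)] += 1
    return {key: n for key, n in counts.items() if n >= min_count}


def click_rate_by_team(events: List[SimEvent], coached_from: Dict[str, int]) -> Dict[str, dict]:
    """Per-team click rate before vs after coaching, plus the after-phase sample size."""
    # tally[team][phase] = [clicks, total events]
    tally: Dict[str, Dict[str, List[int]]] = defaultdict(
        lambda: {"before": [0, 0], "after": [0, 0]}
    )
    for e in events:
        bucket = tally[e.team][_phase(e, coached_from)]
        bucket[1] += 1
        if e.action == "clicked":
            bucket[0] += 1
    report: Dict[str, dict] = {}
    for team, phases in tally.items():
        rates: Dict[str, Optional[float]] = {
            p: (c / n if n else None) for p, (c, n) in phases.items()
        }
        improved = (
            rates["before"] is not None
            and rates["after"] is not None
            and rates["after"] < rates["before"]
        )
        report[team] = {
            "before": rates["before"],
            "after": rates["after"],
            "n_after": phases["after"][1],
            "improved": improved,
        }
    return report


def flag_teams(report: Dict[str, dict], threshold: float = 0.3) -> List[str]:
    """Teams whose post-coaching click rate is unknown or still at/above threshold."""
    return sorted(
        team for team, r in report.items()
        if r["after"] is None or r["after"] >= threshold
    )


if __name__ == "__main__":
    print("repeat misses:", repeat_misses(EVENTS))
    team_report = click_rate_by_team(EVENTS, COACHED_FROM)
    for team, r in team_report.items():
        print(team, r)
    print("teams needing attention:", flag_teams(team_report))
```

Note that n_after is reported alongside the rate: in the sample data the ops team's post-coaching figure rests on a single event, so a practitioner would treat it as a prompt to look at that user's repeated miss rather than as a verdict on the team.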
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Traditional awareness training fails because it optimises for completion, not resilience. The article's data point that 99% of leaders still see incidents from avoidable user actions shows the control objective is wrong, not just the delivery method. Security awareness that measures attendance and video completion but not behaviour under attack cannot be relied on as a governance control. Practitioners should treat awareness outcomes as a resilience problem, not a learning-management metric.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities, according to the same report.

A question worth separating out:

Q: What should security leaders do when training takes too much effort to maintain?

A: They should simplify the programme around automation, targeting, and measurable outcomes. If maintenance effort is consuming the team, the process is probably too static. Move toward automated simulation generation, role-based content, and reporting that ties effort to reduced risky behaviour.

👉 Read our full editorial: Traditional phishing training is failing against AI-crafted attacks
