CyberDefenseMagazine

Securing The AI-Enabled Workforce: The Next Evolution Of Human Risk Management


Human-initiated cybersecurity incidents are now the leading cause of breaches, with 74% of all incidents involving the human element. This reflects a fundamental shift: cybersecurity is no longer just about protecting systems—it’s about understanding how people are targeted in everyday work.

Traditional security awareness programs were built on the assumption that risk could be meaningfully reduced through training. In reality, human risk has never been evenly distributed or easily mitigated through blanket, one-size-fits-all training. A small percentage of users consistently drive a disproportionate share of risk, shaped by their access, the systems they interact with, and the context in which they work, not just what they learned in a training module. Reducing that risk requires more than blanket training and phishing simulations; it requires targeted, contextual interventions that address the specific behaviors and exposures that matter most. As enterprise environments evolved, this gap became more visible and more consequential.

That complexity has now grown significantly. AI is embedded in day-to-day work, with employees relying on it to draft communications, analyze data, write code, automate tasks, and support decision-making. And in many cases, these AI systems operate with real credentials and access to enterprise systems.

This shift fundamentally changes how organizations should approach human and workforce risk.

It also marks the beginning of a new era for Human Risk Management, one where it must extend beyond employees to address the risks introduced by AI systems acting on their behalf.

It also marks the beginning of a new era: Unified Workforce Risk Management, i.e., managing risk in a hybrid human-AI workforce.

Why Security Awareness Training is Not Enough

Traditional security awareness training programs have measured success through completion rates or phishing simulation results.

Many real-world security incidents do not occur because an employee failed a phishing test. Instead, they happen through operational mistakes in complex environments, including:

  • Sharing sensitive data with the wrong audience through collaboration tools or cloud platforms
  • Granting excessive access or permissions to applications or users
  • Misconfiguring systems or integrations that expose data
  • Automating workflows without proper oversight
  • Using AI tools in ways that unintentionally expose sensitive information

Security awareness training programs were designed for a static threat landscape and a human-only workforce. They were never built for a world where technology and automation shape everyday work.

The Rise of Human Risk Management

Over the past several years, it became clear that workforce-driven cyber risk is not evenly distributed across organizations.

As organizations adopted Human Risk Management, they gained the ability to analyze risk across behavior, identity and access, and threat exposure. This made a previously hidden pattern visible. According to Cyentia research, roughly 10% of employees account for nearly three-quarters of organizational risk.

Human Risk Management shifted cybersecurity programs beyond broad, one-size-fits-all training toward a more precise, risk-based approach. Instead of treating all employees the same, HRM enables organizations to identify where risk actually exists and apply targeted interventions to reduce it.

For the first time, organizations could move beyond training completion metrics to measurable risk reduction. This marked a fundamental shift in how cybersecurity programs address human risk.

The progression looked like this:

Security Awareness Training: Programs focused primarily on education, compliance, and training completion metrics.

Human Risk Management: Organizations gained visibility into risk across behavior, access, and threat exposure, enabling targeted action to reduce that risk.

AI-Native Human Risk Management: Advances in generative and agentic AI now allow organizations to apply predictive risk intelligence and automate security actions across large, dynamic workforces.

Now, that evolution is continuing.

Human Risk Management must expand to account for AI systems operating alongside employees, shaping how work gets done and how risk is introduced across the enterprise.


The Workforce Now Includes AI Agents

AI is no longer just a productivity tool. It is becoming an operational participant inside enterprise environments.

Employees increasingly rely on AI systems to perform tasks that once required human effort – specifically, the proportion of employees using AI daily at their job has increased from 10% to 12%. These systems draft documents, analyze data, orchestrate workflows, and automate decision-making processes.

AI agents can take actions within enterprise environments without the contextual judgment humans apply to security decisions. They can misinterpret data, execute flawed automation, or introduce risk through incorrect outputs – creating a new challenge for security leaders.

As AI adoption accelerates, organizations must now consider a broader question: how do you secure a workforce that includes both humans and AI agents?

Expanding Human Risk Management to an AI-Driven Workforce

The answer is the continued evolution of Human Risk Management to account for both human and AI-driven risk across the workforce.

Humans and AI agents now share access, data, and decision-making authority across organizations. Both can introduce risk, both require governance, and both must be monitored within a unified security framework.

Today’s security leaders must answer new questions:

  • Which employees are granting AI tools access to sensitive enterprise environments?
  • What permissions and credentials are AI agents operating with?
  • How are automated systems making decisions within enterprise workflows?
  • Where could AI-driven actions introduce operational or security risk?

These are not simply awareness challenges; they reflect the need for Human Risk Management to account for systems operating alongside, and on behalf of, employees.

Securing the Future Workforce

As AI becomes embedded in everyday enterprise operations, the boundary between human activity and automated decision-making will continue to blur.

Security teams must move beyond traditional awareness metrics and adopt strategies that account for the full operational workforce. That means securing not only human behavior, but also the systems and agents that increasingly act on behalf of employees.

Cybersecurity has always evolved alongside technological change. Cloud computing, remote work, and digital transformation each reshaped how organizations approached risk.

AI is now driving the next transformation.

The organizations that succeed in this new era will be those that recognize a simple reality: the workforce is no longer just human, and security must evolve accordingly.

About the Author

Ashley Rose is the CEO of Living Security. Ashley has a Bachelor of Business Administration from the University of Michigan and is a serial entrepreneur with experience designing and managing product lines. After launching her career in the tech industry, she became intrigued by cybersecurity and its accelerating impact on organizations, individuals, families and communities. Ashley co-founded Living Security based on a philosophy that empowering people is the best approach to lasting security awareness and breach prevention.

Ashley can be reached online at LinkedIn and at our company website AI-Native Human Risk Management Platform to Prevent Breaches | Living Security.


