Why Human Risk Management is vital in the age of Artificial Intelligence
The rapid evolution of AI has inaugurated a new era of productivity and efficiency across industries. From autonomous workflows that drastically cut down on the time human beings must spend on backend operations to accelerating improvements in capabilities like programming, AI is already revolutionizing how many companies do business. However, the explosion of AI has also created an unprecedented proliferation of increasingly sophisticated cyberattacks, which is one of the top threats businesses face today.
Bad actors are becoming increasingly reliant on AI to conduct surveillance and identify vulnerabilities, evade security software, and launch ultra-realistic social engineering attacks. For example, AI has turbocharged phishing now that large language models can write convincing copy and deepfake generators let attackers impersonate executives. By enabling the creation of hyper-targeted, error-free, and emotionally compelling phishing messages at scale, AI has shattered the barrier to entry for attackers. Meanwhile, deepfakes allow attackers to create advanced multi-level attacks by hooking victims with a phishing message and following up with a fraudulent phone call or even video.
Cyberattacks have long been among the most urgent risks for enterprises across industries and sectors, and these risks are only becoming more pronounced in the AI era. Because many of the most effective AI-powered cyberattacks target employees, robust human risk management (HRM) has never been more crucial. Strengthening the human layer of your cyber defenses will make your security platform more adaptable and effective across the board.
The dark side of AI adoption
The introduction of OpenAI’s ChatGPT stunned the world, and the progress and adoption of AI have only gained momentum since then. McKinsey estimates that companies will spend nearly $7 trillion on data centers alone by 2030 to keep pace with the surging demand for compute power. Microsoft reports that three-quarters of global knowledge workers are already using AI. Ninety percent say it allows them to save time, while 84 percent say it allows them to be more creative.
However, Microsoft also reports that “threat actors are using AI to boost their attacks by automating phishing” and “scaling social engineering.” According to IBM, phishing is the most common initial attack vector, and bad actors have been especially reliant on AI to launch more effective phishing attacks. IBM found that generative AI “reduced the time needed to craft a convincing phishing email from 16 hours down to only five minutes,” while the top cybercriminal uses of AI are phishing and deepfake impersonation attacks. This means traditional forms of human threat detection—such as the identification of errors and other red flags in messages—have become obsolete.
As bad actors increasingly use AI to exploit human vulnerabilities, it’s critical for security leaders to focus on the cognitive and emotional attack vectors that can put the company at risk. This means prioritizing comprehensive human risk management with engaging and personalized cybersecurity awareness training, continuous threat assessments, and ultimately the establishment of a culture of cybersecurity at every level of the organization.
How bad actors hack employees’ minds
While cybercriminals use AI to probe and infiltrate digital defenses, they also use it to break into another valuable piece of hardware: the human brain. According to the 2025 Verizon Data Breach Investigations Report, 60 percent of all breaches involve a human element. A 2025 survey of executives, academics, and cybersecurity leaders found that over three-quarters believe the threat posed by “cyber-enabled fraud and phishing” increased over the preceding year. This tracks with IBM’s finding that phishing is the most common initial attack vector.
Bad actors exploit several emotional vulnerabilities to deceive and manipulate employees: obedience, curiosity, fear, opportunity, greed, urgency, and sociableness. These vulnerabilities vary from employee to employee, which is why attackers use surveillance (often augmented by AI) to determine who they will target. For example, if attackers determine that obedience and urgency are the most promising emotional attack vectors, they may send a phishing email from the boss demanding immediate action—such as account access or a financial transfer. Such attacks are even more effective when they’re combined with business email compromise, in which cybercriminals actually seize control of email accounts to impersonate company leaders.
AI enables bad actors to launch spearphishing campaigns and other attacks that leverage specific emotional susceptibilities, making them far more difficult to detect. This is why security leaders must identify the most significant human vulnerabilities at their organizations and implement behavioral interventions accordingly. Comprehensive human risk management requires the continuous monitoring of human security gaps, personalized security awareness training that addresses these gaps directly, and robust forms of ongoing assessment.
It’s time to build up the human layer of cyber defense
For the fifth year in a row, the Allianz Risk Barometer found that cyber incidents are the top global business risk—and by a greater margin than ever before. Allianz reports that cyber incidents are “ahead of the closely linked peril of artificial intelligence (AI),” which includes issues like “implementation challenges” and “liability exposures.” Eighty-seven percent of executives, academics, and cybersecurity leaders surveyed by the World Economic Forum and Accenture say AI vulnerabilities have increased over the past year.
One of the main reasons AI poses such a threat is that millions of employees don’t yet have the cognitive equipment to resist AI-powered cyberattacks. The only way to overturn this dangerous status quo is by establishing a comprehensive human risk management platform that gives people the tools they need for today’s threat landscape.
There are several core elements of such a platform. First, security leaders must proactively address evolving cyberthreats such as AI phishing, which means highlighting employees’ biggest vulnerabilities on a case-by-case basis and providing personalized instruction. Second, comprehensive human risk management requires accountability—security leaders must continuously assess employees to expose security gaps and develop behavioral interventions that target the most urgent emotional susceptibilities. Third, it’s vital to capture and hold employees’ attention with engaging and relevant awareness training content—and ensure successful learning outcomes with evaluations like phishing tests. Fourth, security leaders must reduce friction by making it easy for employees to report suspicious activity (with one-click phish reporting, for instance), assuring them that they will not be punished for mistakes, and avoiding cumbersome check-the-box security training that fails to secure sustainable behavioral change.
The evolution of AI-powered cyberattacks will continue to accelerate, but companies can protect themselves with proactive and adaptive human risk management. By focusing on the human layer of their cyber defenses, security leaders will ensure that they’re in a much stronger position to address the most common AI attack vectors.
Matt Lindley is the Chief Innovation & Information Security Officer at NINJIO, a leading cybersecurity awareness training and human risk management platform. Matt leads NINJIO’s cybersecurity team and AI innovation projects. Previously, he was the CEO and Principal Consultant at REIN Cybersecurity, which focused on governance, risk management, and compliance (GRC). He has also served as the Director of Security Services at Cal Net Technology Group and the virtual CIO at Convergence Networks.
Matt is an authority on IT, cybersecurity, GRC, and operational maturity whose expert insights have been published in media outlets spanning cybersecurity and many other relevant verticals. His byline has appeared in a wide range of cybersecurity and tech publications, including Dark Reading, Cyber Defense Magazine, Innovation & Tech Today, Spiceworks, Security Magazine, Cybersecurity Insiders, Security Boulevard, U.S. Cybersecurity Magazine, Information Week, and Cyber Protection Magazine. Matt has also published extensively in outlets serving specific industry verticals, such as InsuranceNewsNet, Business Traveler, Manufacturing.net, and Carrier Management.
Matt is a leading security analyst whose research and expertise cover AI strategy and transformation, emerging cyberthreats, behavioral psychology, social engineering, and organizational resilience. Matt has over a decade and a half of experience as both a practitioner and a thought leader in cybersecurity, and he is particularly focused on human risk management—a core pillar of cybersecurity at a time when the human element is implicated in the majority of breaches.

