OutThink Research Labs · A Practitioner’s Guide

The End of Security Awareness As We Know It

For over twenty years, the security awareness industry has sold organizations the wrong solution to one of cybersecurity’s most critical problems. This is a practitioner’s guide to what driving secure behavior actually requires.

By Flavius Plesu, Founder and CEO, OutThink | Former CISO
Published June 2026
Read time: 18 min
Table of contents
  1. Introduction
  2. The Question Has Changed
  3. Four Forces Converging
  4. The HRM Maturity Model
  5. Level 1: Reactive
  6. Level 2: Adaptive
  7. The Bridge: L1 → L2
  8. Level 3: Proactive
  9. Level 4: Predictive
  10. The HRM Test
  11. What Comes Next
Introduction

Why HRM, and why now.

For over twenty years, the security awareness industry has sold organizations the wrong solution to one of cybersecurity’s most critical problems. With 70–80% of breaches still involving the human element, the industry’s best answer has been: deploy a phishing simulator, track click rates, mandate annual compliance training, and hope for the best.

For years, the industry measured success through training completion rates, phishing click rates trending down, and reporting rates trending up. These metrics did their job. They moved organizations from zero to structured programs.

But the needle has stopped moving, and the metrics themselves have lost meaning. A 10% phishing click rate on a generic simulation tells you almost nothing about how well your people would respond to a targeted, AI-powered phishing attack. And security awareness managers know this. They hear anecdotally that a video was interesting or a newsletter was helpful. But they have no solid evidence that their program is making their organization meaningfully more secure. The honest answer to “is human risk decreasing?” is: we don’t know, because we’ve been measuring the wrong things.

This isn’t a failure of effort. It’s a failure of approach and tools. The tools were designed to tick compliance boxes, satisfy auditors, and produce dashboards that look reassuring. And they do those things reasonably well. But compliance and risk reduction are not the same thing. They never have been.

70–80% of breaches still involve the human element
100+ enterprise deployments behind this guide
10B data points analysed

This document is my latest attempt to articulate what I've been trying to say for thirteen years. It is a practitioner's guide to what driving secure behavior actually requires - based on what we've learned from over 100 enterprise deployments, 10 billion data points, and years working with security teams figuring out what works and what doesn't.

A Note From the Founder

I spent years as a CISO and watched talented security awareness managers struggle with tools that were never built for the real job. I saw what they needed and couldn’t get.

I’d been obsessing over the secure behavior management problem since 2013, when I wrote my MSc thesis on human factors in cybersecurity. Thirteen years. When I was in the role myself, I deployed or tested every tool the market offered. I ran the campaigns, tracked the metrics, and reported to the board with charts that looked reassuring. Privately, I knew none of it was working.

That’s the moment OutThink was born. Not from a business plan. From the frustration of knowing the job needed to be done differently and having nothing that could do it.

We’ve spent the years since working with the most talented researchers and security leaders in the world to build something fundamentally different. Not another phishing simulator with a new interface. Not a content library with funny, now AI-generated, videos. A platform that drives secure behavior and reduces human risk - autonomously, at scale. Measurably and demonstrably.

It’s been the most intense work of my life. Pioneering Human Risk Management (HRM) - building it one capability at a time - is excruciatingly hard. Every time a security leader walks away from a conversation thinking “how is that different?” - I feel it personally. Because I know what’s possible.

“70–80% of breaches involve the human element” is not a statistic we should accept when the technology to change it now exists.

I’m looking for security practitioners who believe what we believe. Who see the same gap, feel the same frustration, and refuse to accept that compliance theater is the best we can do. If that’s you, let’s work together to solve the most pertinent problem in cybersecurity right now.

Flavius Plesu, Founder and CEO, OutThink

Why the Question Has Changed

For the past decade, the SANS Security Awareness Maturity Model served as the industry’s primary framework for measuring program maturity. It asked a useful question for its era: how mature is your awareness program? It helped organizations move from non-existent programs to structured ones. It served its purpose well.

But the question that matters now is fundamentally different. Boards are no longer satisfied with evidence that you have an awareness program in place. They’re asking: the breach at our competitor that started with a compromised employee - how likely is it that it would happen to us? Are our people resilient enough? Are our defenses appropriate for what’s actually hitting us? And if a sophisticated AI-powered attack targets our most at-risk users tomorrow, will your program protect us?

The SANS model measured program inputs - do you have a plan? Do you deliver training? The questions security leaders need to answer today are about outcomes: is human behavior actually changing, and is that change reducing our exposure to real-world, AI-powered threats?

Most security teams have no credible way to answer. This shift - from measuring security awareness program maturity to measuring risk reduction - is what drove us to develop the HRM Maturity Model.

Four Forces Converging

1. AI-enabled attacks have raised the stakes.

Adversaries now operate at machine speed, using AI to generate hyper-personalized attacks at scale. This is no longer mass phishing with bad grammar. It’s precision targeting - every employee profiled and attacked individually, based on their role, their digital footprint, their behaviors. And the attacks are landing on people whose attention has fragmented. Decisions that used to be protracted now happen in seconds, between meetings - or in the middle of them. A convincing email. A plausible Teams message. A deepfake video or voice note that sounds exactly like the CEO. Each one asks for a split-second judgment from someone who doesn’t have the bandwidth to give it a second thought. When the attack is continuous and individualized, the defense must be continuous and individualized too. Completion certificates and phishing leaderboards were never adequate protection. Now they’re not even relevant.

2. The tools have hit their limits.

Security awareness managers have tried. They bought the gamified phishing tools with leaderboards and badges. They ran training campaigns, issued certificates, produced newsletters. And they got results - for a while. Completion rates went up. Click rates went down. Then the numbers plateaued. Not because the work got harder. Because those tools were never designed to manage human risk. They were designed to test whether someone clicked on a template phishing email in a controlled environment. That’s not the same as building real resilience against a targeted, AI-powered attack. And it’s one behavior out of dozens. Data handling, secure browsing, credential hygiene, use of AI tools, OT security, physical security - the behaviors that actually drive human risk across the enterprise - were left to annual training modules and hope. The programs kept running. The effort kept mounting. But the underlying risk stopped responding. Many carry the private burden of knowing their program is not moving the needle anymore - and not knowing how to make it better.

3. AI has changed what’s possible on defense.

What was previously impossible - personalizing every interaction with every individual, adapting content in real-time based on behavior, running a continuous program across an entire enterprise without a team of five working around the clock - is now within reach. But only for platforms purpose-built to harness AI for this specific problem. Bolting AI onto a phishing simulator doesn’t create an HRM platform any more than putting a touchscreen on a typewriter creates a computer.

4. The board is asking harder questions.

CISOs are being asked: are our people actually secure - and if something does go wrong, will they spot it and respond? Completion rates and click rates don’t answer that question. The gap between the assurance boards need and what security teams can evidence is widening.

The HRM Maturity Model - An Overview

The HRM Maturity Model describes four distinct levels of human risk management capability: Reactive (Level 1), Adaptive (Level 2), Proactive (Level 3), and Predictive (Level 4). It is designed to enable and support security leaders to pragmatically assess where their organization stands today and what it would take to move to the next level.

[Figure: HRM maturity curve - human-risk maturity rising with time and investment through L1 Reactive, L2 Adaptive, L3 Proactive and L4 Predictive.]

According to Gartner research, 72% of organizations are at Level 1 (L1). The remaining 28% are not at Level 2 (L2) either. Most are somewhere between L1 and L2, trying to progress but unable to break through because the tools they’ve invested in were never architected to get them there. They are spinning their wheels, doing more of the same with incrementally better phishing simulators and training modules, and getting results that are barely distinguishable from before. Phishing click rates plateau at 7–8% and stop improving, while actual incidents driven by human error keep rising.


[Chart: The needle that stopped moving. Phishing click rate and human-error incidents over years 1–5; the click rate plateaus at 7–8% while incidents keep rising.]

The path from L1 to L2 is not about trying harder with the same approach. It’s about recognizing what L2 requires and equipping yourself accordingly.

Each level represents a fundamentally different operating model for how an organization manages human risk. The platform requirements, the data requirements, the process requirements, and the organizational maturity required are qualitatively different at each level.

Level 1: Reactive

Meet compliance requirements. Training completion. Phishing simulations.

HRM Maturity Level 1 is where most of the industry sits today. Generic security awareness training - typically annual or quarterly - delivered to the entire workforce. Off-the-shelf content libraries with optional logo customization. Completion dashboards that track who finished and who didn’t. Phishing simulations, increasingly gamified, with leaderboards, badges, and clicked/reported scoring.

L1 programs are compliance-driven. They exist because regulators, auditors, and security standards require evidence that employees receive security training. The compliance box is ticked. The dashboards look reassuring. The auditors are happy.

What L1 platforms do not do - and have never done - is produce demonstrable, sustainable change in secure behaviors and human risk reduction. These tools measure activity (who completed training) rather than outcome (who changed their behavior). They cannot tell you that 42 users in your Finance department stopped using unapproved file sharing services this month, because they do not know. They treat all employees identically rather than adapting to individual risk portraits. They operate in isolation from the broader security infrastructure - disconnected from the systems that would reveal real behavioral change. That’s the difference between measuring compliance and measuring change.

Every legacy security awareness training platform, every gamified phishing simulator - regardless of how they position themselves - is designed to help you achieve L1. Some do L1 exceptionally well. Some do L1 with a genuinely impressive product. But L1 is L1. It is table stakes. It is not where human risk gets reduced. It’s where the real work has yet to start.


Many organizations at HRM L1 do some things that sound like HRM L2: a few role-specific courses for developers or Finance, the occasional targeted campaign after a phishing incident. These are good instincts - but isolated efforts don’t change your level. L2 is not about doing one or two things differently. It’s about the four critical HRM L2 jobs running continuously and autonomously across your entire workforce.

Level 2: Adaptive

Automate attention. Motivate. Educate. Activate. Correct.

HRM Maturity Level 2 is where real behavior change begins. Across more than 100 enterprise deployments, we identified the four critical jobs that every successful program shares - and the gaps that every failing program has. 1. Motivate. 2. Educate. 3. Activate. 4. Correct. All four, running continuously and autonomously across the entire workforce. When all four are working, training adapts to each individual, interventions land at the moment of risk, the program runs itself, and human risk decreases visibly and demonstrably. Fast.

The four jobs are not a menu. They are a system. A program that executes two of four is not running at 50% effectiveness - it is running a broken system, and the missing pieces undermine the ones you have.

Job 1: Motivate

Give every person a reason to care. Different people are motivated by different things - personal relevance, professional identity, rebuilt confidence.

What breaks without it: motivate without targeted education, and people forget the training content three weeks later.

Job 2: Educate

Deliver training uniquely adapted to each user. A finance manager and a factory floor supervisor face completely different threats and need completely different knowledge.

What breaks without it: educate without correcting at the moment of risk, and knowledge never becomes secure behavior.

Job 3: Activate

Give people practice beyond phishing. Until they’ve practiced in a realistic scenario - made decisions, faced consequences, built muscle memory - the knowledge doesn’t stick.

What breaks without it: if your practice stops at phishing simulations, the other 80% of security behaviors remain untested and untrained.

Job 4: Correct

Intervene at the moment of risk. A correction delivered three months later in a quarterly training module is not a correction. It’s an afterthought.

What breaks without it: correct without understanding the person, and the intervention feels like surveillance.

Each job depends on the other three. And each one is impossible to execute at the required scale manually - hence the need for a purpose-built HRM platform.

Not difficult. Not time-consuming. Impossible. No security awareness manager, regardless of skill or dedication, can execute any of these four jobs at the required scale - not manually, not with spreadsheets, not with any of the L1 products in the market. The jobs require a specific combination of applied psychology, AI, integrations, behavioral data, and automation that only exists in a purpose-built HRM platform.

Job 1: Motivate - Give Every Person a Reason to Care

Before you can train anyone, you need to understand what will make them care about security. Different people are motivated by different things. Some respond to personal relevance - understanding that the same attack techniques targeting their company are also targeting their personal email and their family’s devices. Some respond to professional identity, security competence framed as a career skill alongside financial literacy, AI mastery, or leadership capability. Some have developed learned helplessness and need their confidence rebuilt. Some are already paying attention and could be your champions if identified early and engaged correctly.

Motivating 20,000 individuals requires understanding each person’s attitudes toward security and their motivational drivers. No human can do this. No spreadsheet can do this. An HRM platform does it through baseline assessment, nudges, and continuous interaction - learning what resonates with each individual and increasing their motivation through every subsequent communication.

Motivation needs a measure to stick. This is what OutThink’s CyberSecurity Quotient (CSQ) add-on makes possible. CSQ measures actual security competence across all relevant cybersecurity behaviors - a holistic, defensible score, unique to the individual. Every person can see their CSQ, understand what moves it, and improve it. Security stops being abstract. It becomes something each person owns and improves, the same way they own and improve other professional skills.

There is a longer-horizon possibility too. Cybersecurity is now a business risk, not just an IT issue. The SEC disclosure rules, DORA, and NIS2 have made it a board-level concern, reported to shareholders, scrutinized by regulators, discussed in earnings calls. Business risks get managed through the processes that shape behavior at scale - performance reviews, accountability, incentives. For organizations that are ready to take that step and have worked through the appropriate governance with HR, Legal, the DPO, and employee representatives where applicable, CSQ can feed into HR performance management: appraisals, bonus criteria, recognition programs, alongside financial targets or customer satisfaction metrics. The best performers earn real recognition. Security stops being “everyone’s responsibility” - a slogan nobody acts on - and starts being something the organization visibly values, measures, and rewards.

That bigger HR integration is an aspiration. The foundation is not. Deploy CSQ today to give every person a score they can see and improve over time. Motivation becomes measurable. Behavior change becomes trackable. From that foundation, everything else becomes possible - at the pace and with the governance that suits each organization.

Job 2: Educate - Deliver Training Uniquely Adapted to Each User

Generic training doesn’t work. A finance manager handling sensitive transactions and a factory floor supervisor managing operational technology face completely different threats, use completely different systems, and need completely different knowledge. Training that’s too easy is boring and ignored. Training that’s too advanced is frustrating and forgotten.

Delivering truly adaptive training across the entire enterprise starts with understanding each user - their role, their motivations, their actual behavior (via integrations with security systems), and the organization’s context (industry, policies, threat landscape). Only then can an HRM platform generate the hundreds of thousands of content variations that meet each person where they are. Each user needs training calibrated to be challenging enough to learn from, but not so far ahead that they tune out. And that training needs to reflect the specific language, regulations, and threat realities of their industry.

Only a platform purpose-built for HRM generates this at the required scale, dynamically based on real behavioral and contextual data. No security awareness team can create or maintain these variations manually.

Job 3: Activate - Give People Practice Beyond Phishing

Knowledge without practice doesn’t change behavior. You can teach someone the theory of deepfake detection, but until they’ve practiced it in a realistic scenario - made decisions, faced consequences, built muscle memory - the knowledge doesn’t stick.

The industry has been giving people “practice” with one thing: phishing simulations. Today’s attack simulation capabilities are technically impressive - AI-generated deepfake videos or voices that sound exactly like the CEO, with startling fidelity. They get attention. People walk away saying “wow, I had no idea AI could do that.” That moment of awareness has real value, and any modern program needs scenarios that grab people’s attention and match what attackers are actually doing today.

This is what OutThink’s Cyber Ranges activate at L2 - and much more. Scenarios cover:

  • Deepfakes
  • Vishing
  • Smishing
  • Data sharing and handling
  • Secure web browsing
  • Endpoint security
  • Secure social media usage
  • Physical security and clean desk

If your practice stops at phishing simulations, the other 80% of security behaviors remain untested and untrained.

Cyber Ranges deliver these scenarios in a fundamentally different way: targeted, adaptive, immersive - not pass-or-fail modules. Each scenario adapts based on what the platform understands about that user - their risk portrait, their role, the psychology and attitudes captured at L2 baseline, and the behavioral data gathered through integrations. A high-risk user in finance who struggles with data sharing gets a data handling scenario. An executive frequently targeted gets a deepfake CEO scenario calibrated to the kinds of fraud aimed at them. As the user progresses, the scenario adapts in real-time - branching, escalating, or simplifying depending on how they respond. Every decision point is a learning moment calibrated to that individual.

For example: an employee receives a Teams nudge inviting them into a Cyber Range scenario. In the browser, they hear what appears to be an urgent voice note from their CEO, asking them to approve a wire transfer to a new vendor. The voice sounds exactly like the CEO; it is AI-generated for the vishing Cyber Range. The experience unfolds based on the user’s choices: a contained, immersive experience that teaches through decisions.

Cyber Ranges build genuine muscle memory across every security behavior that matters - using modern, attention-grabbing technologies deployed within an integrated HRM platform that targets the right people, adapts based on what they do, and connects to the broader behavioral and human risk picture.

Job 4: Correct - Intervene at the Moment of Risk

When someone makes a security error, the correction must come as close to the mistake as possible. A correction delivered three months later in a quarterly training module is not a correction. It’s an afterthought - a missed opportunity.

Real-time correction requires three things working together: (1) live behavioral data feeds from the organization’s security systems (EDR, DLP, web filtering, SIEM), (2) an AI engine that understands the context of each event and generates contextual nudges, and (3) a nudge delivery mechanism that reaches the right person with the right message at the right moment. The person is nudged at the exact moment learning is most effective - not weeks later in a scheduled training campaign.
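The three-part loop above (event feed, context engine, nudge delivery) can be sketched in a few dozen lines. The following is an added illustration, not OutThink’s platform code: it runs two rules over a handful of constructed DLP, web-filter and EDR events and emits a nudge per person and behavior, with a cooldown so that a burst of identical events produces one correction rather than a barrage. The event field names, rule names and nudge wording are assumptions for the example; a real integration would map each vendor’s schema onto them.

```python
"""Added example (not OutThink code): correct-at-the-moment-of-risk loop over
constructed security-system events. Field names, rules and nudge text are
assumptions for illustration, not any vendor's schema."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import json

# Constructed sample events, modelled loosely on what a DLP / web-filter / EDR
# integration might forward. Not real telemetry.
SAMPLE_EVENTS = [
    '{"ts": "2026-06-01T09:02:11Z", "source": "dlp", "user": "a.lee@example.com", "action": "upload", "destination": "personal-cloud", "blocked": false}',
    '{"ts": "2026-06-01T09:03:40Z", "source": "dlp", "user": "a.lee@example.com", "action": "upload", "destination": "personal-cloud", "blocked": false}',
    '{"ts": "2026-06-01T09:10:05Z", "source": "webfilter", "user": "b.khan@example.com", "category": "newly-registered-domain", "verdict": "allowed"}',
    '{"ts": "2026-06-01T09:12:00Z", "source": "edr", "user": "b.khan@example.com", "detection": "macro-enabled-document-opened"}',
    '{"ts": "2026-06-01T11:30:00Z", "source": "dlp", "user": "a.lee@example.com", "action": "upload", "destination": "personal-cloud", "blocked": false}',
]

# Each rule maps an event to (behaviour key, nudge text) or None. The behaviour
# key is what the cooldown is tracked on, so the same slip is corrected once.
def rule_unapproved_sharing(ev):
    if ev.get("source") == "dlp" and ev.get("destination") == "personal-cloud" and not ev.get("blocked", True):
        return "unapproved_sharing", "That file went to a personal cloud account. For customer data, use the approved share."
    return None

def rule_risky_download(ev):
    if ev.get("source") == "webfilter" and ev.get("category") == "newly-registered-domain":
        return "risky_browsing", "The site you just opened was registered days ago. Check the sender before entering credentials."
    if ev.get("source") == "edr" and ev.get("detection") == "macro-enabled-document-opened":
        return "macro_document", "You enabled macros in a document from outside the company. If you did not expect it, report it."
    return None

RULES = [rule_unapproved_sharing, rule_risky_download]

@dataclass
class Nudge:
    user: str
    behaviour: str
    message: str
    ts: datetime

@dataclass
class CorrectionEngine:
    """Turns raw events into per-user nudges with a per-behaviour cooldown."""
    cooldown: timedelta = timedelta(hours=1)
    _last_sent: dict = field(default_factory=dict)   # (user, behaviour) -> last nudge time
    delivered: list = field(default_factory=list)

    def handle(self, raw_line: str):
        ev = json.loads(raw_line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        for rule in RULES:
            hit = rule(ev)
            if hit is None:
                continue
            behaviour, message = hit
            key = (ev["user"], behaviour)
            last = self._last_sent.get(key)
            if last is not None and ts - last < self.cooldown:
                return None  # suppressed: same person, same behaviour, inside the cooldown
            self._last_sent[key] = ts
            nudge = Nudge(ev["user"], behaviour, message, ts)
            self.delivered.append(nudge)
            return nudge
        return None

def run(events=SAMPLE_EVENTS, cooldown_hours=1):
    """Feed the events through a fresh engine and return the nudges that would be delivered."""
    engine = CorrectionEngine(cooldown=timedelta(hours=cooldown_hours))
    for line in events:
        engine.handle(line)
    return engine.delivered

if __name__ == "__main__":
    for n in run():
        print(f"{n.ts:%H:%M} -> {n.user}: [{n.behaviour}] {n.message}")
```

On the sample data the second upload by the same person one minute later is suppressed, while the third, two and a half hours later, is corrected again; raising the cooldown to a day collapses all three into one nudge. The delivery channel (Teams, email, in-app) is deliberately left out: it is a connector, not the logic that decides who gets told what, and when.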

And Something Else Changes at L2

At HRM L2, something else that’s fundamental also shifts. An HRM platform is no longer just pushing information at users. It’s gathering intelligence from them. Every interaction - every free-text response, every question asked, every reaction to a nudge - flows through the platform’s AI engine. Across an enterprise, this means millions of data points from your workforce - the people closest to the risks.

When the marketing team in one office reports that they don’t have access to a password manager, no phishing test would surface that. When field engineers report they’re sharing files through personal devices and Dropbox because the company tool is clunky, no vulnerability scan would reveal it. But the people doing the work know. And an HRM platform that systematically listens and surfaces those insights turns a training program into intelligence gathering - via a network of thousands of human sensors with a collective understanding of risks and gaps that’s deeper than the security team’s.


The Bridge: HRM L1 to L2

Five steps you cannot afford not to take.

If you have been running an L1 program for years, the metrics may look fine. But you have watched AI-powered attacks land on peers in your industry, and you wonder whether your people would even notice. You sense there is something better, fit for the AI era. You want to level up. These are the first five steps - specific, tangible actions, each one creating immediate value.

Step 1 of 5

Initial Assessment

Before you can tailor anything, you need to know who you are tailoring it for. Run a baseline assessment as part of your first training campaign - a short set of questions that surfaces each person’s attitudes toward security and what motivates them to care. Within days, you’ll know which individuals respond to personal relevance (“this protects your family too”), which respond to professional reputation (“your security competence is a career skill”), which have developed learned helplessness and need their confidence rebuilt, and which are already paying attention and could be your champions. An HRM platform uses this to tailor every subsequent interaction - every training module, every nudge, every communication - to what will land with each person.

Why this matters

Without this baseline, every decision an HRM platform makes on your behalf is either a guess or a generic default. With it, every interaction is calibrated to what motivates the individual. That’s the difference between a program people ignore and a program that captures their attention.

Level 3: Proactive

Risk-based, data-driven. Quantify and understand risk. Execute improvement actions. Align access and controls.

HRM Maturity Level 3 is where human risk becomes quantified, visible, and actionable. The platform brings together everything it has learned at L2 - behavioral, attitudinal, and contextual signals - into a unified human risk intelligence layer.

Human Risk Intelligence

Every HRM vendor claims a risk score. The question is what data feeds it. Most vendors’ scores are built from data their own product generates - phishing test results, training completion, reporting rates - plus one or two inputs like role or whether the person’s email has appeared in a data breach. Two problems follow.

First, it’s a closed loop. People are largely being risk-scored based on how they performed on the tests delivered via the vendor’s platform. It measures performance in artificial scenarios and calls it risk. That’s like measuring driving ability by how well someone plays a racing video game.

Second, it’s thin. It captures almost none of what actually determines whether someone is at risk - their real-world behavior, the attitudes driving it, their level of access, how heavily they’re attacked, and the workplace conditions around them. A score built on a narrow slice of artificial data is indefensible - and security teams know it. CISOs, SOCs, IAM teams, and GRC functions will not even consider using a light “human risk” score for conditional access, incident prioritization, or risk assessments. So it gets ignored. The security awareness manager’s hard-earned metric becomes a dashboard nobody acts on.

True HRM L3 quantification is different. The engine ingests the full picture of what actually drives risk:

  • Real behavior from your security systems - EDR, DLP, web filter, authentication, IAM
  • The attitudes driving that behavior, captured through continuous user interaction
  • Role and level of access - how much damage the person could cause
  • How targeted they are by real-world attacks
  • Device security
  • Workplace factors - email fatigue, frequent travel, trust and collaboration networks

Real behavior. Real conditions. Real risk. A score robust enough for the security team to trust, rely on, and act on. That’s how human risk stops being a training metric and becomes an operational one.
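To make the contrast concrete, here is an added worked example (not OutThink’s scoring engine) that builds a composite score from the six signal families in the list above and sets it beside the phishing-only number an L1 tool would produce. The inputs are constructed profiles, and the weights and the likelihood-times-impact formula are assumptions chosen for illustration; a production engine would tune them against incident history.

```python
"""Added example, not OutThink code: a composite human-risk score from the six
signal families above, next to a phishing-only L1 score. Profiles, weights and
the likelihood x impact formula are assumptions for illustration."""
from dataclasses import dataclass

@dataclass
class Signals:
    # Every field is pre-normalised to 0.0 (lowest risk) .. 1.0 (highest risk).
    # How each is derived from EDR/DLP/IAM/email-security telemetry is
    # integration-specific and assumed rather than shown here.
    behaviour: float      # observed risky actions: DLP hits, blocked downloads, approved MFA pushes not initiated
    attitude: float       # 1 - intention to comply, from baseline and continuous questions
    access: float         # blast radius: privileged roles, sensitive-data entitlements
    targeting: float      # share of real attacks reaching this person (email security telemetry)
    device: float         # unmanaged or non-compliant device, missing EDR, stale patches
    workplace: float      # fatigue, travel, breadth of external collaboration
    phishing_sim: float   # simulation click rate: the only input an L1 score has

# Assumed weights for the likelihood side.
LIKELIHOOD_WEIGHTS = {
    "behaviour": 0.35, "attitude": 0.15, "targeting": 0.20,
    "device": 0.15, "workplace": 0.05, "phishing_sim": 0.10,
}

def likelihood(s: Signals) -> float:
    """0..1 estimate that this person is compromised or causes an incident."""
    return sum(w * getattr(s, k) for k, w in LIKELIHOOD_WEIGHTS.items())

def impact(s: Signals) -> float:
    """0.5..1.0: even a low-access user can do some damage; access scales it up."""
    return 0.5 + 0.5 * s.access

def composite_score(s: Signals) -> int:
    """Risk = likelihood x impact on a 0..100 scale the SOC and IAM teams can act on."""
    return round(100 * likelihood(s) * impact(s))

def l1_score(s: Signals) -> int:
    """The closed-loop score: simulation clicks only."""
    return round(100 * s.phishing_sim)

def explain(s: Signals):
    """Likelihood contributions, largest first, so a recommendation can name the driver."""
    parts = {k: round(w * getattr(s, k), 3) for k, w in LIKELIHOOD_WEIGHTS.items()}
    return sorted(parts.items(), key=lambda kv: kv[1], reverse=True)

# Constructed profiles, not real users.
FINANCE_ADMIN = Signals(behaviour=0.6, attitude=0.5, access=0.9, targeting=0.8,
                        device=0.2, workplace=0.4, phishing_sim=0.0)   # never clicks a simulation
INTERN = Signals(behaviour=0.1, attitude=0.3, access=0.1, targeting=0.1,
                 device=0.5, workplace=0.2, phishing_sim=0.5)          # clicks half of them

if __name__ == "__main__":
    for name, s in [("finance admin", FINANCE_ADMIN), ("intern", INTERN)]:
        print(f"{name}: L1 phishing-only {l1_score(s)}, composite {composite_score(s)}, top driver {explain(s)[0]}")
```

The two profiles invert: the finance administrator who has never clicked a simulation scores 0 on the phishing-only view but 47 on the composite, driven by real sharing behaviour and heavy targeting on top of a large blast radius; the intern who clicks half the simulations scores 50 on the L1 view and 13 on the composite. The second number is the one an IAM or SOC analyst could defend using in a decision; the first is the one that gets ignored.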

Crucially, this saves the security team thousands of hours. By automating the analysis of millions of signals across every security system and every user, the platform surfaces the critical human risk gaps and directs attention where it matters most - where the ROI, impact, and risk mitigation are highest. Finite security team resources can then effectively prioritize focus.

Execute Improvement Actions

An HRM platform generates prioritized, specific recommendations across three levers - people, process, and technology. Actionable items tied to evidence. For example:

“Engineering department, London office - 18% of users in the high-risk segment for data sharing behaviors. Contributing factors: no DLP policy exceptions reviewed in 12 months, 34 users sharing files via unapproved channels. Recommended: deploy targeted data handling training, review DLP exceptions, enable approved file sharing for flagged users.”

The security team’s role shifts from figuring out what to do, to reviewing and actioning what the platform recommends. Some actions are executed automatically by the platform (targeted training, nudges). Some require manual decision-making (policy changes, access reviews). The organization decides the level of autonomy based on their confidence and governance requirements.

Align Access and Controls

At L3, the platform begins feeding human risk intelligence into broader security processes. Risk scores help security analysts approve access or triage incidents, by giving them human risk context they’ve never had before. When a security analyst reviews an access request, they can see that the requesting user is in the high-risk group with low intention to comply and low phishing resilience. That context changes the decision.

The platform also identifies patterns across the organization. For example, areas of the business with a high percentage of line managers showing low engagement with security correlate with higher numbers of security incidents. That’s where enhanced monitoring and stricter controls should be prioritized first. This insight - validated across our customer base - is the kind of operational intelligence that transforms how security teams allocate their resources, driving both effectiveness and efficiency.

At L3, organizations begin establishing the processes and confidence that will eventually make L4’s autonomous operation possible. Every recommendation, every approved improvement action, every validated insight builds the organizational trust that underpins future, full HRM automation.


Level 4: Predictive

On auto-pilot. Conditional access and security control automation. User self-remediation. Secure AI agent behavior.

HRM Maturity Level 4 is where an HRM platform operates with full autonomy. Fewer than 0.1% of organizations are experimenting here today. But this is where the industry is heading - and understanding L4 now matters because the architectural decisions organizations make at L2 and L3 determine whether L4 is achievable or structurally impossible.

Conditional Access and Security Control Automation

At L4, human risk intelligence feeds directly into the organization’s identity provider. Users are automatically assigned to risk-based policy groups - low, medium, high - that trigger corresponding conditional access policies. A high-risk user doesn’t just receive more training. Their access changes. Mandatory phishing-resistant multi-factor authentication everywhere. Access only from trusted locations. Compliant device requirements. For the most critical applications, access may be restricted entirely until their risk posture improves.

An HRM platform integrates with identity providers (Entra ID, Okta), DLP tools (Microsoft Purview), email security (Proofpoint, Mimecast), endpoint management (Jamf), and web gateways (Zscaler) to enforce adaptive controls across the entire security stack. When a user’s risk crosses a defined threshold, policy changes propagate automatically. No SOC ticket. No manual group assignment. No delay between risk detection and control adjustment.

This closes a gap that exists across the entire security industry. Current tools - whether email security, DLP, web gateways, or endpoint solutions - rarely take human risk into account when enforcing controls. Security controls and human risk have operated in separate universes. L4 unifies them - and the downstream effects compound. Fewer access-related tickets. Faster help desk response times. Reduced administrative overhead for the SOC. The security team stops spending hours on manual group assignments and user chasing, and starts governing posture at scale.

An HRM platform can enforce a control change in milliseconds. The organizational agreement that makes that change defensible takes months to build.

HRM L4 capability and HRM L4 readiness are different things. Conditional access touches employment policy, legal frameworks, executive workflows, and operational continuity - none of which belong to the security team alone. CISOs who try to deploy automated access controls without prior alignment with HR, legal, and senior leadership face the predictable backlash: the VP of Sales blocked mid-quarter, the board member locked out of a critical application, the executive whose deal slips because a risk score crossed a threshold. These are not edge cases. They are the cases that determine whether L4 succeeds or gets rolled back within weeks.

This is why the HRM Maturity Model is sequential. L2 builds the relationship with users and the behavioral data that makes the platform trusted. L3 establishes the risk quantification that makes thresholds meaningful and defensible. Only then does L4 become politically viable - not just technically possible.

In practice, L4 is a spectrum of autonomy the organization controls. Most organizations begin in advisory mode - the platform recommends access changes, flags high-risk users, and surfaces self-remediation workflows, but a human approves enforcement. Over time, as confidence in the risk quantification grows and the false-positive rate proves manageable, organizations selectively automate - starting with lower-impact controls like mandatory MFA and device compliance before progressing to access restrictions on critical systems.

User Self-Remediation

This is the capability that makes L4 operationally viable at scale. Rather than the SOC team manually chasing every high-risk user, the platform shifts responsibility to the user themselves.

When a user’s risk score crosses a threshold, they receive a notification explaining what changed and what specific actions will bring their risk score back down - complete training, update device, reset password, complete a Cyber Range exercise. They receive a configurable grace period. If they remediate, their risk score drops and access is automatically restored to its previous level. If they don’t, stricter controls are enforced automatically. This reduces noise for the SOC.

This model transforms the relationship between security teams and the workforce. The security team is no longer the enforcer chasing non-compliant users. The platform provides the structure, the user takes responsibility, and the SOC team is freed to focus on genuine threats. It is the only approach that scales in enterprise organizations with thousands of people. And it is only possible because L2 built the relationship with users and the integrations with security systems, and L3 established the risk quantification that makes the thresholds meaningful and defensible.

Secure AI Agent Behavior

This is the frontier. And it may be the most consequential capability in this entire maturity model.

As organizations deploy agentic AI systems that plan, reason, and act semi-autonomously across workflows, these digital agents become a new class of insider risk. They can access sensitive data, invoke tools, escalate privileges through chains of delegated authority, and influence human decisions in ways that are difficult to audit. Gartner estimates that 40% of enterprise applications will integrate AI agents by the end of 2027. Every one of those agents can act on behalf of a human user. Every one of them needs to be governed with the same rigor applied to humans.


The existing approaches to AI agent security - runtime firewalls, identity governance for non-human identities, agent discovery platforms - address the infrastructure layer. They can tell you an agent accessed a database at 3am. What they cannot do is contextualize whether that access, given the human principal’s risk portrait, the organization’s behavioral norms, and the broader pattern of interactions, represents a genuine anomaly worth acting on.

OutThink’s technology extends the same behavioral observation and intervention framework that governs human users to AI agents. The platform watches how agents behave in the same way it watches how humans behave. It builds portraits. It segments. It detects drift. It scores risk. It intervenes when an agent’s actions fall outside the boundaries the organization has defined. Same platform. Same logic.

Today, your organization has thousands of human users. By 2027, you will also have thousands of AI agents integrated into a significant proportion of your enterprise processes. Each one can access data, invoke tools, and take actions on behalf of your people. You will need to manage their behavior with the same rigor you manage human behavior. OutThink is the only platform designed to do both.

You are approaching HRM Maturity L4 when… (interactive checklist: tick the statements that describe your program to gauge your fit for L4.)

Our Approach

OutThink was founded in 2019 by CISOs who lived this problem. We spent years researching applied psychology, behavioral science, and learning theory before we wrote a line of code. We sat with security teams, watched how they worked, learned what broke, and designed an architecture specifically to solve the problems no other platform was attempting. In 2020, we started building. We have not stopped since. That depth cannot be compressed. You cannot bolt HRM onto a phishing, deepfake or vishing simulator any more than you can bolt a cockpit onto a car and call it an airplane.

A Note on Adoption

The HRM Maturity Model describes what is possible, not what every organization must do. Some of the capabilities described - feeding CSQ into HR performance management, conditional access and security control automation, AI agent behavioral governance - go well beyond the security team’s remit. They touch employment policy, data protection, regulatory obligations, and in many jurisdictions may require works council consultation. These are not reasons to avoid the capabilities. They are reasons to adopt them properly: through cross-functional governance - CISO, HR, Legal, DPO, and employee representatives where applicable - with the risk-reward weighed and the decision made on the organization’s own terms.

This is also why the maturity model is sequential. HRM L2 earns the workforce’s trust. HRM L3 establishes the human risk quantification that makes any subsequent automation defensible. Only then does HRM L4 become politically viable, not just technically possible. The chosen HRM platform should support adoption at every pace - from advisory-only deployment, through selective automation, to full autonomy. The choice is the organization’s, not the HRM vendor’s.

The HRM Test

HRM is being adopted as a label across the market - by email security vendors, security awareness training platforms, and simulation-first tools alike. The label matters less than the capability behind it.

We’ve put together a set of diagnostic questions to help you evaluate any HRM claim against the maturity level it’s meant to address. Take the HRM Test to find out where your program really stands.


What Comes Next

If you’ve read this far, you probably recognize your organization somewhere in these pages. The gap between what you’re delivering and what you know is needed is something you carry privately.

This document is our attempt to name that gap honestly, describe what closing it requires, and show what’s possible when you deploy an HRM platform built for the purpose. The real thing.

The question isn’t whether your organization needs HRM. It’s whether you’re ready to move beyond the tools that are failing you. If you are, let’s talk.
