The End of Security Awareness As We Know It

For over twenty years, the security awareness industry has sold organizations the wrong solution to one of cybersecurity’s most critical problems. This is a practitioner’s guide to what driving secure behavior actually requires.

By Flavius PlesuFounder and CEO, OutThink | Former CISO
July 2026Published
18 minRead time
Table of contents
  1. 01Introduction
  2. 02The Question Has Changed
  3. 03Four Forces Converging
  4. 04The HRM Maturity Model
  5. 05Level 1: Reactive
  6. 06Level 2: Self-Adapting
  7. 07The Bridge, HRM L1 → L2: Where to Start
  8. 08Level 3: Proactive
  9. 09Level 4: Predictive
  10. 10The HRM Test
  11. 11What Comes Next
Introduction

Why HRM, Why Now

For over twenty years, the security awareness industry has sold organizations the wrong solution to one of cybersecurity’s most critical problems. With 70–80% of breaches still involving the human element, the industry’s best answer has been: deploy a phishing simulator, track click rates, mandate annual compliance training, and hope for the best.

For years, the industry measured success through training completion rates, phishing click rates trending down, and reporting rates trending up. These metrics did their job. They moved organizations from zero to structured programs.

But the needle has stopped moving, and the metrics themselves have lost meaning. A 10% phishing click rate on a generic simulation tells you almost nothing about how well your people would respond to a targeted, AI-powered phishing attack. And security awareness managers know this. They hear anecdotally that a video was interesting or a newsletter was helpful. But they have no solid evidence that their program is making their organization meaningfully more secure. The honest answer to “is human risk decreasing?” is “we don’t know, because we’ve been measuring the wrong things”.

This isn’t a failure of effort. It’s a failure of approach and tools. The tools were designed to tick compliance boxes, satisfy auditors, and produce dashboards that look reassuring. And they do those things reasonably well. But compliance and risk reduction are not the same thing. They never have been.

70–80%
of breaches still involve the human element
0+
enterprise deployments behind this guide
0B
data points analysed

This document is my latest attempt to articulate what I’ve been trying to say for thirteen years. It’s a practitioner’s guide to what driving secure behavior requires, based on what we’ve learned from over 100 enterprise deployments, 10 billion data points, and years working with security teams figuring out what works and what doesn’t.

A Note From the Founder

I spent years as a CISO and watched talented security awareness managers struggle with tools that were never built for the real job. I saw what they needed and couldn’t get.

I’d been obsessing over the secure behavior management problem since 2013, when I wrote my MSc thesis on human factors in cybersecurity. Thirteen years. When I was in the role myself, I deployed or tested every tool the market offered. I ran the campaigns, tracked the metrics, and reported to the board with charts that looked reassuring. Privately, I knew none of it was working.

That’s the moment OutThink was born. Not from a business plan. From the frustration of knowing the job needed to be done differently and having nothing that could do it.

We’ve spent the years since working with the most talented researchers and security leaders in the world to build something fundamentally different. Not another phishing simulator with a new interface. Not a content library with funny, now AI-generated, videos. A platform that drives secure behavior and reduces human risk - autonomously, at scale. Measurably and demonstrably.

It’s been the most intense work of my life. Pioneering Human Risk Management (HRM) - building it one capability at a time - is excruciatingly hard. Every time a security leader walks away from a conversation thinking “how is that different?” - I feel it personally. Because I know what’s possible.

“70–80% of breaches involve the human element” is not a statistic we should accept when the technology to change it now exists.

I’m looking for security practitioners who believe what we believe. Who see the same gap, feel the same frustration, and refuse to accept that compliance theater is the best we can do. If that’s you, let’s work together to solve the most pertinent problem in cybersecurity right now.

Flavius Plesu
Flavius PlesuFounder and CEO, OutThink

The Question Has Changed

For the past decade, the SANS Security Awareness Maturity Model served as the industry’s primary framework for measuring program maturity. It asked a useful question for its era: how mature is your awareness program? It helped organizations move from non-existent programs to structured ones. It served its purpose well.

But the question that matters now is fundamentally different. Boards are no longer satisfied with evidence that you have an awareness program in place. They’re asking: that breach at our competitor, that started with a compromised employee - how likely is it that it would happen to us? Are our people resilient enough? Are our defenses appropriate for what’s actually hitting us? And if a sophisticated AI-powered attack targets our most prone users tomorrow, will your program protect us?

The SANS model measured program inputs - do you have a plan? Do you deliver training? The questions security leaders need to answer today are about outcomes - is human behavior actually changing, and is that change reducing our exposure to real-world, AI-powered threats?

Most security teams have no credible way to answer. This shift - from measuring security awareness program maturity to measuring risk reduction - is what drove us to develop the HRM Maturity Model.

Four Forces Converging

1

AI-enabled attacks have raised the stakes.

Adversaries now operate at machine speed, using AI to generate hyper-personalized attacks at scale. This is no longer mass phishing with bad grammar. It’s precision targeting - every employee profiled and attacked individually, based on their role, their digital footprint, their behaviors. And the attacks are landing on people whose attention has fragmented. Decisions that used to be protracted now happen in seconds, between (or in the middle of!) meetings. A convincing email. A plausible Teams message. A deepfake video or voice note that sounds exactly like the CEO. Each one asks for a split-second judgment from someone who doesn’t have the bandwidth to give it a second thought. When the attack is continuous and individualized, the defense must be continuous and individualized too. Completion certificates and phishing leaderboards were never adequate protection. Now they’re not even relevant.

2

The tools have hit their limits.

Security awareness managers have tried. They bought the gamified phishing tools with leaderboards and badges. They ran training campaigns, issued certificates, produced newsletters. And they got results - for a while. Completion rates went up. Click rates went down. Then the numbers plateaued. Not because the work got harder. Because those tools were never designed to manage human risk. They were designed to test whether someone clicked on a template phishing email in a controlled environment. That’s not the same as building real resilience against a targeted, AI-powered attack. And it’s one behavior out of dozens. Data handling, secure browsing, credential hygiene, use of AI tools, OT security, physical security - the behaviors that actually drive human risk across the enterprise - were left to annual training modules and hope. The programs kept running. The effort kept mounting. But the underlying risk stopped responding. Many carry the private burden of knowing their program is not moving the needle anymore - and not knowing how to make it better.

3

AI has changed what’s possible on defense.

What was previously impossible - personalizing every interaction with every individual, adapting content in real-time based on behavior, running a continuous program across an entire enterprise without a team of five working around the clock - is now within reach. But only for platforms purpose-built to harness AI for this specific problem. Bolting AI onto a phishing simulator doesn’t create an HRM platform any more than putting a touchscreen on a typewriter creates a computer.

4

The board is asking harder questions.

CISOs are being asked: are our people actually secure - and if something does go wrong, will they spot it and respond? Completion rates and click rates don’t answer that question. The gap between the assurance boards need and what security teams can evidence is widening.

The HRM Maturity Model

The HRM Maturity Model describes four distinct levels of human risk management capability - specifically Reactive (Level 1), Self-Adapting (Level 2), Proactive (Level 3) and Predictive (Level 4). It is designed to enable and support security leaders to pragmatically assess where their organization stands today and what it would take to move to the next level.

Time / investment →Human-risk maturity →L1ReactiveL2Self-AdaptingL3ProactiveL4Predictive
L1
Reactive
Meet compliance requirements. Training completion. Phishing simulations.

L1 programs are compliance-driven. They exist because regulators, auditors, and security standards require evidence that employees receive security training. And they satisfy that requirement. The compliance box is ticked. The dashboards look reassuring. The auditors are happy.

Generic trainingCompletion dashboardsGamified phishingCompliance-driven

Click a level to explore it

According to Gartner research, 72% of organizations are at Level 1 (L1). The remaining 28% are not at Level 2 (L2). Most are somewhere between L1 and L2, trying to progress but unable to break through because the tools they’ve invested in were never architected to get them there. They are spinning their wheels, doing more of the same, with incrementally better phishing simulators and training modules, and getting incrementally similar results. Phishing click rates plateau at 7–8% and stop improving, while actual incidents driven by human error keep rising.

0%
of organizations are at Level 1, according to Gartner research. The remaining 28% are not at Level 2 - most are spinning their wheels somewhere in between.

The needle that stopped moving

Phishing click rate Human-error incidents
0%10%20%30%40%Yr 1Yr 2Yr 3Yr 4Yr 5Plateau: 7–8%the needle stops moving

The path from L1 to L2 is not about trying harder with the same approach. It’s about recognizing what L2 requires and equipping yourself accordingly.

Each level represents a different operating model for how an organization manages human risk. The platform requirements, the data requirements, the processes and the organizational maturity required are different at each level.

Level 1: Reactive

Meet compliance requirements. Training completion. Phishing simulations.

HRM Maturity Level 1 is where most of the industry sits today. Generic security awareness training - typically annual or quarterly - delivered to the entire workforce. Off-the-shelf content libraries with optional logo customization. Completion dashboards that track who finished and who didn’t. Phishing simulations, increasingly gamified, with leaderboards, badges, and clicked/reported scoring.

L1 programs are compliance-driven. They exist because regulators, auditors, and security standards require evidence that employees receive security training. And they satisfy that requirement. The compliance box is ticked. The dashboards look reassuring. The auditors are happy.

What L1 platforms do not do - and have never done - is produce demonstrable, sustainable change in secure behaviors and human risk reduction. These tools measure activity (who completed training) rather than outcome (who changed their behavior) - they cannot tell you that 42 users in your Finance department stopped using unapproved file sharing services this month, because they do not know. They treat all employees identically rather than adapting to individual risk portraits. They operate in isolation from the broader security infrastructure - disconnected from the systems that would reveal real behavioral change. That’s the difference between measuring compliance and measuring change.

Every legacy security awareness training platform, every gamified phishing simulator - regardless of how they position themselves - is designed to help you achieve L1. Some do L1 exceptionally well. Some do L1 with a genuinely impressive product. But L1 is L1. It is table stakes. It is not where human risk gets reduced. It’s where the real work has yet to start.

L1

You are at HRM Maturity L1 if…

Tick the statements that describe your program.

Tick the statements that match your program to gauge your fit for L1.

Many organizations at HRM L1 do some things that sound like HRM L2. A few role-specific courses for developers or Finance, the occasional targeted campaign after a phishing incident. These are good instincts - but isolated efforts don’t change your level. L2 is not about doing one or two things differently. It’s about the four critical HRM L2 jobs (read on) running continuously and autonomously across your entire workforce.

Level 2: Self-Adapting

Automate attention. Motivate. Educate. Activate. Correct.

HRM Maturity Level 2 is where real behavior change begins. Across more than 100 enterprise deployments, we identified the four critical jobs that every successful program shares - and the gaps that every failing program has. 1. Motivate. 2. Educate. 3. Activate. 4. Correct. All four, running continuously and autonomously across the entire workforce. When all four are working, training adapts to each individual, interventions land at the moment of risk, the program runs itself, and human risk decreases visibly and demonstrably. Fast.

The four jobs are not a menu. They are a system.

Motivating without targeted education and people forget the training content three weeks later. Educating without correcting at the moment of risk and knowledge never becomes secure behavior. Correcting without understanding the person and the intervention feels like surveillance. Each job depends on the other three. A program that executes two of four is not running at 50% effectiveness - it is running a broken system, and the missing pieces undermine the ones you have. This is why all four jobs are equally critical. And each one is impossible to execute at the required scale manually, hence the need for a purpose-built HRM platform.

Job 1

Motivate

Before you can train anyone, you need to understand what will make them care about security. Different people are motivated by different things.

Motivating without targeted education and people forget the training content three weeks later.
Job 2

Educate

Generic training doesn't work. A finance manager handling sensitive transactions and a factory floor supervisor managing operational technology face completely different threats, use completely different systems, and need completely different knowledge.

Educating without correcting at the moment of risk and knowledge never becomes secure behavior.
Job 3

Activate

Knowledge without practice doesn't change behavior. You can teach someone the theory of deepfake detection, but until they've practiced it in a realistic scenario - made decisions, faced consequences, built muscle memory - the knowledge doesn't stick.

If your practice stops at phishing simulations, the other 80% of security behaviors remain untested and untrained.
Job 4

Correct

When someone makes a security error, the correction must come as close to the mistake as possible. A correction delivered three months later in a quarterly training module is not a correction. It's an afterthought, a missed opportunity.

Correcting without understanding the person and the intervention feels like surveillance.

Hover each job to see what breaks without it.

Not difficult. Not time-consuming. Impossible. No security awareness manager, regardless of skill or dedication, can execute any of these four jobs at the required scale - not manually, not with spreadsheets, not with any of the L1 products in the market. The jobs require a specific combination of applied psychology, AI, integrations, behavioral data, and automation that only exists in a purpose-built HRM platform. Which is the point: the platform does it for you.

Job 1: Motivate - Give Every Person a Reason to Care

Before you can train anyone, you need to understand what will make them care about security. Different people are motivated by different things. Some respond to personal relevance - understanding that the same attack techniques targeting their company are also targeting their personal email and their family’s devices. Some respond to professional identity, security competence framed as a career skill alongside financial literacy, AI mastery or leadership capability. Some have developed learned helplessness and need their confidence rebuilt. Some are already paying attention and could be your champions if identified early and engaged correctly.

Motivating 20,000 individuals requires understanding each person’s attitudes toward security and their motivational drivers. No human can do this. No spreadsheet can do this. An HRM platform does it through baseline assessment, nudges and continuous interaction - learning what resonates with each individual and increasing their motivation through every subsequent communication.

Motivation needs a measure to stick. This is what OutThink’s CyberQ (CQ) add-on makes possible. CQ measures actual security competence across all relevant cybersecurity behaviors - a holistic, defensible cybersecurity quotient, unique to the individual. Every person can see their CQ, understand what moves it, and improve it. Security stops being abstract. It becomes something each person owns and improves, the same way they own and improve other professional skills.

There is a longer-horizon possibility too. Cybersecurity is now a business risk, not just an IT issue. The SEC disclosure rules, DORA, and NIS2 have made it a board-level concern, reported to shareholders, scrutinized by regulators, discussed in earnings calls. Business risks get managed through the processes that shape behavior at scale - performance reviews, accountability, incentives. For organizations that are ready to take that step and have worked through the appropriate governance with HR, Legal, the DPO, and employee representatives where applicable, CyberQ can feed into HR performance management: appraisals, bonus criteria, recognition programs, alongside financial targets or customer satisfaction metrics. The best performers earn real recognition. Security stops being “everyone’s responsibility”, a slogan nobody acts on, and starts being something the organization visibly values, measures, and rewards.

That bigger HR integration is an aspiration. The foundation is not. Deploy CyberQ today to give every person a score they can see and improve over time. Motivation becomes measurable. Behavior change becomes trackable. From that foundation, everything else becomes possible - at the pace and with the governance that suits each organization.

Job 2: Educate - Deliver Training Uniquely Adapted to Each User

Generic training doesn’t work. A finance manager handling sensitive transactions and a factory floor supervisor managing operational technology face completely different threats, use completely different systems, and need completely different knowledge. Training that’s too easy is boring and ignored. Training that’s too advanced is frustrating and forgotten.

Delivering truly adaptive training across the entire enterprise starts with understanding each user across three dimensions: their role, their motivational drivers, and their actual behavior - the last captured through integrations with your security systems. Set against the organization’s context (industry, policies, threat landscape), these three signals are what let an HRM platform generate the hundreds of thousands of content variations that meet each person where they are. Each user needs training calibrated to be challenging enough to learn from, but not so far ahead that they tune out. And that training needs to reflect the specific language, regulations, and threat realities of their industry.

Only a platform purpose-built for HRM generates this at the required scale, dynamically, based on real behavioral and contextual data. No security awareness team can create or maintain these variations manually.

Job 3: Activate - Give People Practice Beyond Phishing

Knowledge without practice doesn’t change behavior. You can teach someone the theory of deepfake detection, but until they’ve practiced it in a realistic scenario - made decisions, faced consequences, built muscle memory - the knowledge doesn’t stick.

The industry has been giving people “practice” with one thing: phishing simulations. Today’s attack simulation capabilities are technically impressive - AI-generated deepfake videos or voices that sound exactly like the CEO, with startling fidelity. They get attention. People walk away saying “wow, I had no idea AI could do that.” That moment of awareness has real value, and any modern program needs scenarios that grab people’s attention and match what attackers are actually doing today.

This is what OutThink’s Cyber Ranges activate at L2 - and much more. We give people the opportunity to practice the security behaviors that matter most, so they are prepared to respond to AI-powered threats when they land for real. Scenarios cover:

  • Phishing
  • Deepfakes
  • Vishing
  • Smishing
  • Data sharing and handling
  • Secure web browsing
  • Endpoint security
  • Secure social media usage
  • Physical security and clean desk

If your practice stops at phishing simulations, the other 80% of security behaviors remain untested and untrained.

Cyber Ranges deliver these scenarios in a fundamentally different way: targeted, adaptive, immersive - not pass-or-fail modules. Each scenario adapts on the same three signals that drive training - the user’s role, their motivational drivers, and their actual behavior gathered through integrations with your security systems. A high-risk user in finance who struggles with data sharing gets a data handling scenario. An executive frequently targeted gets a deepfake CEO scenario calibrated to the kinds of fraud aimed at them. As the user progresses, the scenario adapts in real-time - branching, escalating, or simplifying depending on how they respond. Every decision point is a learning moment calibrated to that individual.

For example: an employee receives a Teams nudge inviting them into a Cyber Range scenario. In the browser, they hear what appears to be an urgent voice note from their CEO - asking them to approve a wire transfer to a new vendor. The voice sounds exactly like the CEO. It is AI generated, for the vishing Cyber Range. The experience unfolds based on the user’s choices. A contained, immersive experience that teaches through decisions.

No L1 tool does this. Cyber Ranges build genuine muscle memory across every security behavior that matters - using modern, attention-grabbing technologies deployed within an integrated HRM platform that targets the right people, adapts based on what they do, and connects to the broader behavioral and human risk picture.

Job 4: Correct - Intervene at the Moment of Risk

When someone makes a security error, the correction must come as close to the mistake as possible. A correction delivered three months later in a quarterly training module is not a correction. It’s an afterthought, a missed opportunity.

Real-time correction requires three things working together: (1) live behavioral data feeds from the organization’s security systems (EDR, DLP, web filtering, SIEM), (2) an AI engine that understands the context of each event and generates contextual nudges, and (3) a nudge delivery mechanism that reaches the right person with the right message at the right moment. And like training and Cyber Ranges, each nudge is shaped by the same three signals - the person’s role, their motivational drivers, and their behavior - so the same security event produces a different, personally relevant nudge for different people. The person is nudged at the exact moment learning is most effective - not weeks later in a scheduled training campaign.

And Something Else Changes at L2

At HRM L2, something else that’s fundamental also shifts. An HRM platform is no longer just pushing information at users. It’s gathering intelligence from them. Every interaction - every free-text response, every question asked, every reaction to a nudge - flows through the platform’s AI engine. Across an enterprise, this means millions of data points from your workforce - the people closest to the risks.

When the marketing team in one office reports that they don’t have access to a password manager, no phishing test would surface that. When field engineers report they’re sharing files through personal devices and Dropbox because the company tool is clunky, no vulnerability scan would reveal it. But the people doing the work know. And an HRM platform that systematically listens and surfaces those insights turns a training program into intelligence gathering, via a network of thousands of human sensors with a collective understanding of risks and gaps that’s deeper than the security team’s.

L2

You are at HRM Maturity L2 if…

Tick the statements that describe your program.

Tick the statements that match your program to gauge your fit for L2.

The Bridge, HRM L1 → L2: Where to Start

Five steps you cannot afford not to take.

If you have been running an L1 program for years, the metrics may look fine. But you have watched AI-powered attacks land on peers in your industry, and you wonder whether your people would even notice. You sense there is something better, fit for the AI era. You want to level up. These are the first five steps - specific, contained actions, each one creating immediate value on its own.

L1 · ReactiveL2 · Self-Adapting
Step 1 of 5

Initial Assessment

Before you can tailor anything, you need to know who you are tailoring it for. Run a baseline assessment as part of your first training campaign - a short set of questions that surfaces each person’s attitudes toward security and what motivates them to care. Within days, you’ll know which individuals respond to personal relevance (“this protects your family too”), which respond to professional reputation (“your security competence is a career skill”), which have developed learned helplessness and need their confidence rebuilt, and which are already paying attention and could be your champions. An HRM platform uses this to tailor every subsequent interaction - every training module, every nudge, every communication - to what will land with each person.

Why this matters

Without this baseline, every decision an HRM platform makes on your behalf is either a guess or a generic default. With it, every interaction is calibrated to what motivates the individual. That’s the difference between a program people ignore and a program that captures their attention.

Level 3: Proactive

Risk-based, data-driven. Quantify and understand risk. Execute improvement actions. Align access and controls.

HRM Maturity Level 3 is where human risk becomes quantified, visible, and actionable. The platform brings together everything it has learned at L2 - behavioral, attitudinal, and contextual signals - into a unified human risk intelligence layer.

Human Risk Intelligence

Every HRM vendor claims a risk score. The question is what data feeds it. Most vendors’ scores are built from data their own product generates - phishing test results, training completion, reporter rates, plus one or two inputs like role or whether their email has appeared in a data breach. Two problems follow.

First, it’s a closed loop. People are largely being risk-scored based on how they performed on the tests delivered via the vendor’s platform. It measures performance in artificial scenarios and calls it risk. That’s like measuring driving ability by how well someone plays a racing video game.

Second, it’s thin. It captures almost none of what actually determines whether someone is at risk - their real-world behavior, the attitudes driving it, their level of access, how heavily they’re attacked, and the workplace conditions around them. A score built on a narrow slice of artificial data is indefensible - and security teams know it. CISOs, SOCs, IAM teams, and GRC functions will not even consider using a light “human risk” score for conditional access, incident prioritization, or risk assessments. So it gets ignored. The security awareness manager’s hard-earned metric becomes a dashboard nobody acts on.

True HRM L3 quantification is different. The engine ingests the full picture of what actually drives risk:

  • Real behavior from your security systems - EDR, DLP, web filter, authentication, IAM
  • The attitudes driving that behavior, captured through continuous user interaction
  • Role and level of access - how much damage the person could cause
  • How targeted they are by real-world attacks
  • Device security
  • Workplace factors - email fatigue, frequent travel, trust and collaboration networks

Real behavior. Real conditions. Real risk. A score robust enough for the security team to trust, rely on, and act on. That’s how human risk stops being a training metric and becomes an operational one.

Crucially, this saves the security team thousands of hours. By automating the analysis of millions of signals across every security system and every user, the platform surfaces the critical human risk gaps and directs attention where it matters most - where the ROI, impact and risk mitigation are highest. Finite security team resources can then effectively prioritize focus.

Execute Improvement Actions

An HRM platform generates prioritized, specific recommendations across three levers - people, process, and technology. Actionable items tied to evidence. For example:

“Engineering department, London office - 18% of users in the high-risk segment for data sharing behaviors. Contributing factors: no DLP policy exceptions reviewed in 12 months, 34 users sharing files via unapproved channels. Recommended: deploy targeted data handling training, review DLP exceptions, enable approved file sharing for flagged users.”

The security team’s role shifts from figuring out what to do, to reviewing and actioning what the platform recommends. Some actions are executed automatically by the platform (targeted training, nudges). Some require manual decision-making (policy changes, access reviews). The organization decides the level of autonomy based on their confidence and governance requirements.

Align Access and Controls

At L3, the platform begins feeding human risk intelligence into broader security processes. Risk scores help security analysts approve access or triage incidents, by giving them human risk context they’ve never had before. When a security analyst reviews an access request, they can see that the requesting user is in the high-risk group with low intention to comply and low phishing resilience. That context changes the decision.

The platform also identifies patterns across the organization. For example, areas of the business with a high percentage of line managers showing low engagement with security correlate with higher numbers of security incidents. That’s where enhanced monitoring and stricter controls should be prioritized first. This insight - validated across our customer base - is the kind of operational intelligence that transforms how security teams allocate their resources, driving both effectiveness and efficiency.

At L3 organizations begin establishing the processes and confidence that will eventually make L4’s autonomous operation possible. Every recommendation, every approved improvement action, every validated insight builds the organizational trust that underpins future, full HRM automation.

L3

You are at HRM Maturity L3 if…

Tick the statements that describe your program.

Tick the statements that match your program to gauge your fit for L3.

Level 4: Predictive

On auto-pilot. Conditional access and security control automation. User self-remediation. Secure AI agent behavior.

HRM Maturity Level 4 is where an HRM platform operates with full autonomy. Fewer than 0.1% of organizations are experimenting here today. But this is where the industry is heading - and understanding L4 now matters because the architectural decisions organizations make at L2 and L3 determine whether L4 is achievable or structurally impossible.

Conditional Access and Security Control Automation

At L4, human risk intelligence feeds directly into the organization’s identity provider. Users are automatically assigned to risk-based policy groups - low, medium, high - that trigger corresponding conditional access policies. A high-risk user doesn’t just receive more training. Their access changes. Mandatory phishing-resistant, multi-factor authentication everywhere. Access only from trusted locations. Compliant device requirements. For the most critical applications, access may be restricted entirely until their risk posture improves.

An HRM platform integrates with identity providers (Entra ID, Okta), DLP tools (Microsoft Purview), email security (Proofpoint, Mimecast), endpoint management (Jamf), and web gateways (Zscaler) to enforce adaptive controls across the entire security stack. When a user’s risk crosses a defined threshold, policy changes propagate automatically. No SOC ticket. No manual group assignment. No delay between risk detection and control adjustment.

This closes a gap that exists across the entire security industry. Current tools - whether email security, DLP, web gateways or endpoint solutions - rarely take human risk into account when enforcing controls. Security controls and human risk have operated in separate universes. L4 unifies them - and the downstream effects compound. Fewer access-related tickets. Faster help desk response times. Reduced administrative overhead for the SOC. The security team stops spending hours on manual group assignments and user chasing, and starts governing posture at scale.

An HRM platform can enforce a control change in milliseconds. The organizational agreement that makes that change defensible takes months to build.

HRM L4 capability and HRM L4 readiness are different things.

Conditional access touches employment policy, legal frameworks, executive workflows, and operational continuity - none of which belong to the security team alone. CISOs who try to deploy automated access controls without prior alignment with HR, legal, and senior leadership face the predictable backlash: the VP of Sales blocked mid-quarter, the board member locked out of a critical application, the executive whose deal slips because a risk score crossed a threshold. These are not edge cases. They are the cases that determine whether L4 succeeds or gets rolled back within weeks.

This is why the HRM Maturity Model is sequential. L2 builds the relationship with users and the behavioral data that makes the platform trusted. L3 establishes the risk quantification that makes thresholds meaningful and defensible. Only then does L4 become politically viable, not just technically possible.

In practice, L4 is a spectrum of autonomy the organization controls. Most organizations begin in advisory mode - the platform recommends access changes, flags high-risk users, and surfaces self-remediation workflows, but a human approves enforcement. Over time, as confidence in the risk quantification grows and the false-positive rate proves manageable, organizations selectively automate - starting with lower-impact controls like mandatory MFA and device compliance before progressing to access restrictions on critical systems.

User Self-Remediation

This is the capability that makes L4 operationally viable at scale. Rather than the SOC team manually chasing every high-risk user, the platform shifts responsibility to the user themselves.

When a user’s risk score crosses a threshold, they receive a notification explaining what changed and what specific actions will bring their risk score back down - complete training, update device, reset password, complete a cyber range exercise. They receive a configurable grace period. If they remediate, their risk score drops and access is automatically restored to its previous level. If they don’t, stricter controls are enforced automatically. This reduces the noise to the SOC.

This model transforms the relationship between security teams and the workforce. The security team is no longer the enforcer chasing non-compliant users. The platform provides the structure, the user takes responsibility, and the SOC team is freed to focus on genuine threats. It is the only approach that scales in enterprise organizations with thousands of people. And it is only possible because L2 built the relationship with users, brought the integrations with security systems and L3 established the risk quantification that makes the thresholds meaningful and defensible.

Secure AI Agent Behavior

This is the frontier. And it may be the most consequential capability in this entire maturity model.

As organizations deploy agentic AI systems that plan, reason, and act semi-autonomously across workflows - these digital agents become a new class of insider risk. They can access sensitive data, invoke tools, escalate privileges through chains of delegated authority, and influence human decisions in ways that are difficult to audit. Gartner estimates that 40% of enterprise applications will integrate AI agents by the end of 2027. Every one of those agents can act on behalf of a human user. Every one of them needs to be governed with the same rigor applied to humans.

0%
of enterprise applications will integrate AI agents by the end of 2027 (Gartner). Every one of those agents can act on behalf of a human user.

The existing approaches to AI agent security - runtime firewalls, identity governance for non-human identities, agent discovery platforms - address the infrastructure layer. They can tell you an agent accessed a database at 3am. What they cannot do is contextualize whether that access, given the human principal’s risk portrait, the organization’s behavioral norms, and the broader pattern of interactions, represents a genuine anomaly worth acting on.

OutThink’s technology extends the same behavioral observation and intervention framework that governs human users to AI agents. The platform watches how agents behave in the same way it watches how humans behave. It builds portraits. It segments. It detects drift. It scores risk. It intervenes when an agent’s actions fall outside the boundaries the organization has defined. Same platform. Same logic.

Today, your organization has thousands of human users. By 2027, you will also have thousands of AI agents integrated into a significant proportion of your enterprise processes. Each one can access data, invoke tools, and take actions on behalf of your people. You will need to manage their behavior with the same rigor you manage human behavior. OutThink is the only platform designed to do both.

L4

You are approaching HRM Maturity L4 when…

Tick the statements that describe your program.

Tick the statements that match your program to gauge your fit for L4.

Our Approach

OutThink was founded in 2019 by CISOs who lived this problem. We spent years researching applied psychology, behavioral science, and learning theory before we wrote a line of code. We sat with security teams, watched how they worked, learned what broke, and designed an architecture specifically to solve the problems no other platform was attempting. In 2020, we started building. We have not stopped since. That depth cannot be compressed. You cannot bolt HRM onto a phishing, deepfake or vishing simulator any more than you can bolt a cockpit onto a car and call it an airplane.

A Note On Adoption

The HRM Maturity Model describes what is possible, not what every organization must do. The value arrives at every stage, and the pace is yours to set. Some of the capabilities described - feeding CyberQ into HR performance management, conditional access and security control automation, AI agent behavioral governance - go well beyond the security team’s remit. They touch employment policy, data protection, regulatory obligations, and (in many jurisdictions) may require works council consultation. These are not reasons to avoid the capabilities. They are reasons to adopt them properly: through cross-functional governance - CISO, HR, Legal, DPO, and employee representatives where applicable - with the risk-reward weighed and the decision made on the organization’s own terms.

This is also why the maturity model is sequential. HRM L2 earns the workforce’s trust. HRM L3 establishes the human risk quantification that makes any subsequent automation defensible. Only then does HRM L4 become politically viable, not just technically possible. The chosen HRM platform should support adoption at every pace - from advisory-only deployment, through selective automation, to full autonomy. The choice is the organization’s, not the HRM vendor’s.

The HRM Test

HRM is being adopted as a label across the market - by email security vendors, security awareness training platforms, and simulation-first tools alike. The label matters less than the capability behind it.

When evaluating any HRM claim, the questions worth asking depend on the maturity level:

The L1 Test

There isn’t one. If your program is built around phishing simulations, generic training campaigns, newsletters, posters and cybersecurity awareness month activities, you’re at L1. That’s where most security teams are today. And as this document has set out, it’s where human risk management begins - and where the real work has yet to start.

The L2 Test

Can the platform execute all four HRM L2 critical jobs - Motivate, Educate, Activate and Correct - autonomously, across the entire organization, and the full spectrum of security behaviors?

The L3 Test

Is the platform’s risk quantification built on actual behavioral data from security systems - or just simulation results and training completion? Does the platform surface actionable intelligence from user interactions? Does it generate specific, prioritized improvement actions across people, process, and technology? Does it feed human risk intelligence into SOC, GRC, ticketing, and identity systems?

The L4 Test

Can the platform automatically adjust access controls based on human risk scores, integrating directly with identity providers? Can it enable a user self-remediation workflow that shifts responsibility from the SOC to the individual? Is it architected to extend behavioral governance to AI agents, not just human users?

If the answer to the L2, L3 and L4 questions is yes, you’ve found a genuine HRM platform. If not, you’re looking at an L1 platform with better marketing.

The HRM test

Take the HRM Maturity Assessment

Find out where your program really stands - and what it would take to reach the next level.

What Comes Next

If you’ve read this far, you probably recognize your organization somewhere in these pages. The gap between what you’re delivering and what you know is needed is something you carry privately.

This document is our attempt to name that gap honestly, describe what closing it requires, and show what’s possible when you deploy an HRM platform built for the purpose. The real thing.

The question isn’t whether your organization needs HRM. It’s whether you’re ready to move beyond the tools that are failing you. Start with a single step - you’ll feel the difference from the first one. If you are, let’s talk.

Reach me directly at flavius@outthink.io or on LinkedIn.