





















Artificial intelligence has made cybersecurity awareness more visible across the workforce. Employees increasingly understand that attackers can use AI to make phishing messages more convincing, impersonation more believable, and social engineering harder to detect. Many are also using AI tools to draft content, summarize information, analyze data, write code, review logs, or support daily decisions.
While visibility matters, awareness is not the same as readiness. The operational challenge for security and business leaders is no longer simply whether employees know AI-related cyber risks exist. It is whether they can make the right decisions when those risks appear in real time: when a message looks legitimate, when an AI-generated summary seems plausible, when a tool requests sensitive information, or when an urgent request appears to come from a trusted source.
According to the 2025 Security Awareness and Training Global Research Report, 88% of organizations report that the growing use of AI by bad actors has significantly or somewhat increased employees’ understanding of the importance of security awareness and training. That is encouraging. AI-driven threats are helping employees view cybersecurity as part of everyday work rather than as a responsibility owned only by IT or security teams.
But the same report shows a clear readiness gap. Only 40% of respondents say their employees are highly trained and prepared to identify, avoid, and report AI-based cyberthreats over the next year. Another 58% say employees are only moderately or slightly prepared.
That gap is where security awareness training must evolve. In an AI-driven threat environment, awareness alone does not reduce risk. Organizations need behavior-first training that helps employees apply judgment, follow policy, and respond appropriately when situations are unclear.
Not only has AI created an entirely new category of employee risk, but it also makes existing risks harder to detect. A phishing email may be better written. A fake vendor request may sound more credible. A fraudulent message may be personalized using information from public sources, breached data, or prior interactions. An attacker may use AI to adjust tone, remove obvious grammar mistakes, or imitate the language of a trusted colleague, executive, customer, or partner.
This changes what employees need from cybersecurity training. Traditional warning signs still matter, but they are no longer sufficient. Employees need to understand how AI can alter the cues they have been trained to rely on. They also need practical ways to slow down, verify requests, report suspicious activity, and avoid risky shortcuts.
This is especially important because AI risk is not limited to attacks from outside the organization. Employees are also using AI tools as part of their work. Without clear guidance, they may paste sensitive data into public tools, rely on AI-generated content without review, use unapproved applications, or fail to recognize when AI output introduces business, security, privacy, or compliance risks.
That is why AI security awareness training must focus on behavior. The goal is not just to help employees understand that AI-enabled threats exist. It is to help them act differently when they encounter those threats.
Many organizations are already taking steps to manage AI-related risk. The report found that 53% train employees on the proper use of generative AI tools, and the same percentage use technologies to monitor or prevent the sharing of sensitive data with these tools. Forty-eight percent have established policies governing AI tool use, and 45% maintain lists of authorized applications.
While such controls are important, they only work if employees understand how to apply them. A policy prohibiting the sharing of confidential data with AI tools is necessary. But employees also need to know what qualifies as confidential, which tools are approved, what information can be used safely, and when to seek guidance. An authorized app list helps reduce risk, but only if employees know it exists, understand why it matters, and consult it before adopting a new tool.
The report also found that 96% of organizations have either adopted or are developing security policies for generative AI applications and other AI tools. The same percentage have established or are exploring methods to test and validate the security of deployed AI and large language model systems.
Those findings point to a broader shift toward AI governance. But governance cannot remain confined to policy documents, legal reviews, or technical controls. It must reach the employees who make everyday decisions about tools, data, content, and communication. This is the execution gap that leaders must address. AI governance reduces risk only when employees can translate it into action.
AI-related training should not be treated as a single update to an annual awareness module. Risks are evolving too quickly, and employee use of AI tools is expanding too rapidly. Organizations need practical, frequent training tied to real work.
The report notes that many organizations remain in the early stages of managing AI-related risks. For example, only 42% of respondents report having tools to oversee employee AI use. This makes employee cybersecurity training even more important. When technical visibility is incomplete, employees need clear guidance on recognizing risky situations and responding appropriately.
Behavior-first training should center on the decisions employees actually face. That includes identifying AI-enhanced phishing, verifying unusual requests, protecting sensitive information, using approved AI tools, evaluating AI-generated content, and reporting suspicious activity. Short, scenario-driven modules can help employees connect policy language to real decisions without overwhelming them.
Regular, brief training sessions on recognizing AI phishing can be more effective than broad annual overviews. Short updates on approved AI tools can clarify when employees should seek guidance. Scenario-driven modules can help employees understand how to handle customer information, proprietary data, code, contracts, regulated content, or other sensitive material when AI tools are involved.
This approach also improves retention. Employees are more likely to remember and apply training when it is specific, timely, and relevant to their daily responsibilities. A finance employee may need training on invoice fraud and executive impersonation. A developer may need guidance on AI-assisted coding and code review. A sales employee may need examples involving customer data, meeting summaries, and CRM content. A support engineer may need to understand where AI can help and where sensitive logs or configuration details require extra caution. The more closely training mirrors real-world behavior, the more useful it becomes.
Security awareness has always depended on people recognizing risk. AI raises the bar because it makes risk harder to see and easier to act on too quickly.
That does not mean employees are the weak link. It means employees are often the decision point. They decide whether to click, report, verify, share, approve, download, summarize, paste, or trust. In an AI-enabled workplace, those decisions carry more weight because attackers can move faster, messages can appear more credible, and tools can blur the line between productivity and exposure.
The strongest security awareness programs help employees build habits that hold up under pressure. They teach users to pause before acting, verify before trusting, protect data before sharing, and report concerns before an incident escalates. They also make cybersecurity feel like part of everyday work rather than a separate compliance exercise.
That is where awareness becomes resilience. AI does not reduce the need for human judgment. It increases the need for employees to know where their judgment matters most. As AI-generated content becomes more convincing and AI tools become more embedded in daily workflows, organizations need training programs that help employees consistently make safer decisions.
AI governance reduces risk only when employees understand how to apply policies in their daily work. While organizations can implement approved AI tools, data-handling protocols, and security measures, these are effective only if employees consistently make secure choices.
Fortinet Security Awareness and Training (FortiSAT) helps organizations translate AI governance into actionable workforce behaviors. Employees learn how attackers use AI for phishing, impersonation, and social engineering, and they also gain skills to use AI tools safely, protect sensitive data, verify unusual requests, and report suspicious activity.
By combining role-based training with real-world scenarios, organizations can strengthen secure behaviors among employees, minimize AI-related risks, and promote responsible AI use. This strategy fosters a more resilient workforce, enabling organizations to harness AI’s benefits while maintaining strong security measures.
Explore Fortinet’s security awareness and training programs and read the full 2025 Security Awareness and Training Global Research Report to learn how organizations can help employees recognize today’s threats, use AI tools responsibly, and make safer decisions as risks continue to evolve.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。