Why Reducing Human Risk in the AI Era Demands Shared Accountability
Publish Date: 2026-05-13 01:32:00
Source Domain: www.cybersecurity-insiders.com
Cyber risk has outgrown the security function.
CISOs are accountable for outcomes they can’t fully control. The behaviors driving human risk happen everywhere: in HR, in finance, in the C-suite. The CISO can build the program, but when a CFO approves a wire transfer without questioning urgency, or a developer pastes proprietary code into an unvetted AI tool, the CISO bears the fallout of decisions they had no seat at the table for.
Accountability structures haven’t caught up to the threat reality.
For years, “human risk” was treated as a training problem centered on phishing clicks and weak passwords. But human risk is neither evenly distributed nor isolated to awareness gaps. According to research, just 10% of users account for 73% of organizational risk. Human-initiated incidents also remain the leading driver of breaches, accounting for 74% of all incidents. And with AI embedded into enterprise workflows, the consequences of a single human error can escalate faster than most organizations are structured to contain.
That shift makes the human element an organizational design problem.
The Human Element Is a Systems Challenge
Human risk exists at the intersection of behavior, identity, access, and threat exposure. The signals that indicate elevated risk are distributed across systems that historically operate in silos, including identity platforms, endpoint tools, HR systems, collaboration environments, and security operations. Most organizations still lack a centralized way to measure and operationalize human risk across those environments.
At the same time, many of the decisions that shape organizational risk happen outside the security team entirely. Managers influence employee behavior and policy adherence. Department leaders approve access and operational exceptions. Employees make daily decisions around data handling, AI usage, and security practices. Yet accountability for those outcomes is rarely shared or measured consistently across the organization.
AI Is Forcing a Workforce-Wide Reckoning
Adversaries are using AI to craft hyper-personalized attacks at scale. Email security has advanced, so adversaries go where the defenses aren’t: SMS and messaging platforms reach employees outside the corporate perimeter, on personal devices, at all hours. The attack surface is now personal and persistent, not just professional.
At the same time, employees are using AI tools across everyday workflows in ways security teams haven’t fully mapped. Most organizations have rolled out a sanctioned AI stack like Microsoft Copilot or a handful of approved tools, but employees are experimenting far beyond that perimeter. The gap isn’t malicious, it’s operational. People are trying to work faster, solve problems quicker, and keep pace with growing demands. But the data flowing through those unvetted tools — customer records, internal IP, financial projections — doesn’t stop at the approved boundary.
And most companies think they have an AI strategy when they actually have an AI awareness gap.
What Shared Accountability Looks Like
The most mature organizations are building shared accountability models, with concrete ownership across functions:
HR owns behavioral change programs: onboarding, role design, training, and the performance conversations where security expectations live or die.
Legal owns AI governance: clear acceptable use tied to role and data access, and the policy framework employees actually operate within.
The CISO owns risk visibility and measurement: correlating data across SIEM, EDR, and Identity & Access into a single view of human risk, and reporting outcomes to the board.
IT and Engineering own the systems: identity and access provisioning, technical guardrails on AI tools, and the workflows where secure behavior is easy or hard.
Business leaders own the risk appetite: defining where friction is acceptable and where speed wins.
Accountability has to reach individuals. The most effective programs translate correlated risk data into scorecards at three levels — individual, manager, and team. Each employee sees their own risk score and the specific behaviors driving it. Each manager sees their team’s score against company benchmarks and closes the gap. Teams compete with other teams, creating the kind of fun, competitive culture sales and customer support have built around scoreboards for decades, and security has rarely tapped.
Real-time data extends accountability further. When an individual is being actively targeted by a sophisticated phishing campaign, or when behavioral signals indicate elevated risk, the right response is a timely nudge in Slack or Teams, with training and context tailored to the moment. An educated employee who knows their risk and knows they are being targeted is the strongest defense.
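The correlation and roll-up described above, sketched as an added example that is not code from the article or from any vendor it names. Everything in it is an assumption: the signal kinds standing in for SIEM, EDR, identity, DLP and HR events, their weights, the constructed roster and events, and the nudge threshold. What it shows is the mechanics the text leaves implicit: one weighted score per individual with the behaviors driving it, a mean-per-member roll-up to manager and team compared against the company benchmark, the "top 10% of users carry X% of risk" concentration figure, and selecting the actively targeted users who should get a real-time nudge.

```python
"""Human-risk scorecard roll-up over constructed multi-source signals (example only)."""
import math
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical per-signal weights. The article names the data sources but no
# scoring scheme, so these kinds and weights are assumptions for illustration.
SIGNAL_WEIGHTS = {
    "phish_click": 10.0,            # email security / phishing simulation
    "malware_block": 8.0,           # EDR blocked execution on the user's endpoint
    "mfa_fatigue": 6.0,             # identity platform: burst of denied MFA pushes
    "unsanctioned_ai_upload": 7.0,  # DLP/CASB: data sent to an unapproved AI tool
    "privileged_exception": 4.0,    # access exception approved outside security
    "training_overdue": 2.0,        # HR/LMS: required module past due
}

# Constructed roster: user -> (team, manager). Users with no signals score 0.
ROSTER = {
    "alice": ("finance", "mia"), "bob": ("finance", "mia"), "carol": ("finance", "mia"),
    "dan": ("engineering", "omar"), "erin": ("engineering", "omar"),
    "frank": ("engineering", "omar"), "grace": ("engineering", "omar"),
    "heidi": ("sales", "mia"), "ivan": ("sales", "mia"), "judy": ("sales", "mia"),
}


@dataclass(frozen=True)
class Signal:
    user: str
    kind: str
    count: int = 1


# Constructed events standing in for correlated SIEM/EDR/identity/DLP/HR records.
SIGNALS = [
    Signal("alice", "phish_click", 2), Signal("alice", "unsanctioned_ai_upload"),
    Signal("bob", "training_overdue"), Signal("carol", "privileged_exception"),
    Signal("dan", "unsanctioned_ai_upload", 3), Signal("dan", "malware_block"),
    Signal("erin", "training_overdue"), Signal("frank", "mfa_fatigue"),
    Signal("heidi", "phish_click"), Signal("ivan", "training_overdue", 2),
]


def user_scores(signals, roster=ROSTER):
    """Individual view: one weighted score per user, zero for the unflagged."""
    scores = {user: 0.0 for user in roster}
    for s in signals:
        if s.user not in roster:
            raise KeyError(f"signal for unknown user {s.user!r}")
        scores[s.user] += SIGNAL_WEIGHTS[s.kind] * s.count
    return scores


def user_drivers(signals, user):
    """The specific behaviours driving one user's score, largest first."""
    by_kind = defaultdict(float)
    for s in signals:
        if s.user == user:
            by_kind[s.kind] += SIGNAL_WEIGHTS[s.kind] * s.count
    return sorted(by_kind.items(), key=lambda kv: (-kv[1], kv[0]))


def rollup(scores, level, roster=ROSTER):
    """Manager or team view: mean member score, so headcount is not penalised."""
    idx = {"team": 0, "manager": 1}[level]
    totals, members = defaultdict(float), defaultdict(int)
    for user, score in scores.items():
        group = roster[user][idx]
        totals[group] += score
        members[group] += 1
    return {g: totals[g] / members[g] for g in totals}


def benchmark_gap(group_scores, scores):
    """Each group's mean minus the company-wide mean (positive = riskier)."""
    company_mean = sum(scores.values()) / len(scores)
    return {g: v - company_mean for g, v in group_scores.items()}


def concentration(scores, top_fraction=0.10):
    """Share of total risk carried by the riskiest top_fraction of users."""
    ranked = sorted(scores.values(), reverse=True)
    k = max(1, math.ceil(len(ranked) * top_fraction))
    total = sum(ranked)
    return sum(ranked[:k]) / total if total else 0.0


def nudge_candidates(signals, scores, kinds=("phish_click",), min_score=10.0):
    """Users with an active-targeting signal and an elevated score get a nudge."""
    targeted = {s.user for s in signals if s.kind in kinds}
    return sorted(u for u in targeted if scores[u] >= min_score)


if __name__ == "__main__":
    scores = user_scores(SIGNALS)
    print("top 10%% of users carry %.0f%% of risk" % (100 * concentration(scores)))
    for team, gap in benchmark_gap(rollup(scores, "team"), scores).items():
        print(f"{team}: {gap:+.2f} vs company mean")
    print("nudge:", nudge_candidates(SIGNALS, scores))
```

The roll-up averages rather than sums so a large team is not automatically the "riskiest"; the concentration figure is what lets a program check whether its own data shows the skew the article quotes, instead of assuming it.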
AI Governance Has to Be Behavioral, Not Just Policy-Based
Most organizations have written an AI policy – that’s table stakes. The gap is enforcement and culture.
What works is a combination of three things: clear acceptable use definitions tied to role and data access, real-time guidance that meets employees where they work rather than relying on annual training, and continuous measurement so leaders can see risk trends and course-correct. The companies doing this well treat AI governance the way mature security teams treat vulnerability management: as a continuous process, not a one-time document.
If the secure path is also the frictionless path, adoption follows.
What This Means for the Board and the CISO
AI safety is a board-level conversation now, not a security team checkbox. Boards already recognize cyber risk as a business issue. Regulatory scrutiny continues to increase, customers expect demonstrable resilience, and the operational complexity AI introduces touches every business function.
The most effective security leaders are no longer trying to own every aspect of cyber risk directly. Instead, they are building the operating model that enables every function to participate in reducing risk, with shared accountability, measurable outcomes, and a unified view of human risk across the workforce.
This evolution toward measurable, organization-wide human risk reduction is one reason Human Risk Management has become a rapidly maturing category, with Living Security recognized as a leader in the Forrester Wave for Human Risk Management.
Cyber risk has become a business-wide challenge. The operating models organizations build next will determine how effectively they manage it.