Why it’s time to stop blaming staff for breaches

Security awareness training has been the industry's answer to human error for decades. But what if the question asked has been wrong all this time?

Security awareness training has become one of the most consistent line items in corporate budgets. Most companies run it quarterly, and employees click through it, answer the questions and collect their certificates. And yet the breaches keep coming, and the post-incident reports point to the same thing: human error. In a recent Forrester security survey, 97% of security decision-makers said their companies have a security awareness training programme, but it hasn’t delivered results. And according to Mimecast's ‘State of Human Risk 2025’ report, 87% of organisations now train employees at least once a quarter, yet a third still name employee error as their top concern. Awareness training is definitely happening, but something else is wrong.

The usual response is more training – another campaign, another completion rate, another round of certificates. But, as Deryck Mitchelson, global CISO at Check Point Software Technologies, says, the industry has been asking the wrong question entirely. “I don't think humans are the weak link,” he says. “Technology needs to do a much better job of preventing 99.9% of phishing emails from ever reaching the inbox.” The problem is not that employees are failing the training, but that the training and the technology behind it are failing the employees.

One of the reasons Mitchelson holds this view relates to how much phishing has evolved. The emails arriving in inboxes today bear almost no resemblance to the poorly worded messages that defined the threat a decade ago. AI has changed all that, with modern phishing campaigns built on the details in social media profiles and public data. Today’s phishing attacks are personalised, professional and no longer sent by Nigerian princes looking for love.

“Cybersecurity is not only a technical function. It’s a human one.” – Aneka Botha, IPT

“The AI learns who you are,” Mitchelson says. “It's able to scrape the internet to see who you're connected with, what you've posted, what your hobbies are, and then the attacks become really personalised around things that are of interest to you. They look real.” Researchers from Harvard Kennedy School, using AI agents to automate spear phishing campaigns in 2024, found that personalised AI-crafted emails achieved a click-through rate of 54%, compared to 12% for standard phishing emails. “We've been able to prove that if you use AI-based, personalised phishing emails, one in two emails will be clicked. That's how effective personalisation is and that's what our training and simulations need to match,” says Mitchelson.

This is why expecting employees to reliably spot and avoid malicious emails is not a sound training strategy. At best, they may become proficient at spotting simulated phishing mails. When attacks are personalised, clicking on the wrong link is an inevitable outcome.

Employees are also more likely to click on a malicious link on their cellphones. “One click is all it takes,” says Mitchelson. When you’re working on your computer, there is space to pause, hover over a link and look more carefully. On a phone, the instinct is to scroll and tap, often in moments of distraction or pressure. A hospital consultant reviewing emails between patients, for example, is not in the right headspace to inspect a domain name. “They don't have time to stop and think,” says Mitchelson. “They need to rely on technology to step up to actually make it safe.”

“If it's just generic training, it will always be a tick box. I don't