# #

July 13, 2026

Human Risk Management Mythbusters: Where We Agree, and What Comes Next

Every fast-moving category collects myths, and Human Risk Management (HRM) is no exception. Recently, Forrester — a leading global research and continuous guidance firm — took on six of the most persistent beliefs about HRM, sorting them into what’s true, what’s false, and what’s still evolving now that agentic AI has begun to reshape our very definition of “the workforce.”

Source: “Human Risk Management MythBusters: What’s True, What’s False, And What’s Evolving,” Forrester blog, July 9, 2026, by Jinan Budge, VP, Research Director. Read the original here.

As the company that helped pioneer this category, we found ourselves agreeing with each verdict. So rather than restate the analysis, we’ll do something more useful: take the same six myths in order, add our point of view, and put hard numbers behind the claims — drawn from Risky Business, a study the Cyentia Institute conducted on real HRM program data from 100+ organizations and 300+ risk signals.

If you want the ground-floor definition first, start with our complete guide to Human Risk Management. This post picks up where that leaves off.

Myth #1: Human Risk Management is just security awareness training with a new name

Forrester’s verdict: “BUSTED.” In the post, the firm describes HRM as “a profound change of mindset, strategy, process, and technology” (Forrester blog, July 9, 2026) — not a rebrand of security awareness and training.

We agree, and we’d add why the rename myth is so costly: if you treat HRM as awareness with a new logo, you inherit awareness-era blind spots. The data shows how big those are. Organizations relying on security awareness training (SAT) alone can see only about 12% of the human risk that actually exists in their workforce, while mature HRM programs achieve visibility roughly 5x greater by integrating the signals already in their stack. You can’t manage what you can’t see — and SAT lets you see a sliver.

Our takeaway: The shift isn’t better training. It’s treating human risk like every other measurable cyber risk your board already tracks.

(For a side-by-side, see Security Awareness Training vs. Human Risk Management.)

Myth #2: Human Risk Management isn’t actually working

Forrester’s verdict: “BUSTED.” In the firm’s words, HRM is “a significant improvement over traditional SA&T programs” (Forrester blog, July 9, 2026) — human-related breaches continuing doesn’t mean the discipline has failed; no discipline eliminates risk entirely.

This is the myth we’re most eager to put numbers against, because “I feel like it’s improving” was never good enough. The Cyentia data shows HRM programs measurably move risk:

  • The population of risky users fell by roughly half in a single year — from 43% to 21% — as organizations ran targeted action plans.
  • Users who completed those plans spent about 60% less time in a risky state, with the effect even stronger for data-loss risk specifically.
  • The share of vigilant users — people who reduce exposure more than they add to it — rose in step, because the model surfaces and reinforces good behavior, not just bad.

The reason “it’s not working” lingers is that many programs stop at a dashboard, and a dashboard doesn’t reduce risk. Programs that show results run a closed loop — know, prioritize, act, measure — and prove the reduction against a number set up front. Closing that loop is what turns real-time insight into measurable outcomes.

Our takeaway: HRM works when you measure reduction, not activity — Human Risk Index trend, time at risk, remediation rate, and the incident the business actually named.

Myth #3: The whole point of HRM is to manage employee behavior

Forrester’s verdict: “BUSTED.” As the firm puts it, the goal is “to reduce risk posed by and to people” (Forrester blog, July 9, 2026) — detecting cybersafe behavior is a genuine advance, but it’s only one part of the equation alongside exposure, access, context, and culture.

We’d sharpen that with the finding that reframes the entire problem: across 100+ organizations, 10% of users account for 73% of all risky behavior. Risk is radically concentrated, not evenly spread — so a behavior-only, train-everyone reflex spends most of its energy on the roughly 78% of users who already reduce exposure more than they add to it.

Reducing risk to and by people means matching the driver to the lever, not defaulting to a course:

  • Human Risk Index & scoring — a dynamic score (Living Security’s runs 1–1,000) that ranks people and populations on live signals so you act on the few who matter most.
  • Access and identity workflows — reviews, deprovisioning, enforced MFA where access is the real exposure.
  • Targeted coaching and nudges — training when behavior is genuinely the driver.
  • Orchestrated controls and policy enforcement — triggered the moment risk spikes.

That’s the difference between a behavior program and a risk program. (More in our human risk scoring guide.)

Our takeaway: Prioritize your highest-risk populations and reduce risk through the right lever — behavior is one input, not the whole objective.

Myth #4: HRM needs a new name now that the workforce includes AI agents

Forrester’s verdict: “EVOLVING.” In the firm’s words, “HRM doesn’t need a panic rename; it needs a scope expansion…” (Forrester blog, July 9, 2026) — HRM still protects humans while now accounting for the agents, systems, and relationships around them.

Here’s why that scope expansion is natural rather than disruptive: the thing that made HRM different for humans is exactly what’s missing for agents too. AI agents are non-human identities acting on enterprise credentials at machine speed — and the detect-and-respond stack can tell you what an agent can access, but not how it’s behaving over time. That behavioral layer is the through-line that lets one discipline cover both, which is why we frame it as a single risk picture for the whole workforce — humans and agents — rather than a new acronym every time the workforce changes shape.

We’ll also be candid: agent coverage is early, and we’re building it with design partners. That honesty has built trust with buyers, not cost us deals.

Our takeaway: Don’t rename the category — expand its scope. The behavioral layer is what carries HRM from humans to agents.

Myth #5: Human-related breaches matter less in the age of AI-driven threats

Forrester’s verdict: “BUSTED.” As the firm notes, AI is “…increasing the speed and impact of human-related breaches” (Forrester blog, July 9, 2026) rather than replacing them.

The historical baseline already argues against writing off human risk. Verizon’s Data Breach Investigations Report has consistently found the human element in roughly three-quarters of breaches, well beyond phishing alone (social engineering contributed to about 17% of breaches in the 2025 DBIR). AI is now pouring fuel on that fire — deepfakes make social engineering more convincing, and machine-speed campaigns raise both the frequency and the cost of a single human mistake.

Our point of view: this is the strongest “why now” for HRM, not a reason to deprioritize it. As threats accelerate, the ability to predict which people and agents are trending toward an incident — and intervene before impact — becomes more valuable, not less. That’s precisely what AI-native HRM is built to do.

Our takeaway: AI raises the speed and stakes of human-related breaches. It makes HRM more urgent, not obsolete.

Myth #6: HRM has no role in managing how AI agents behave

Forrester’s verdict: “EVOLVING.” The firm’s position is that HRM’s role is “…to connect human, agent, and AI system activity to risk” (Forrester blog, July 9, 2026) — not to replace AI governance or agent-observability tools.

We think that correlation role is exactly where HRM earns its place in the AI era. Governance tools set the rules; observability tools watch the agent. HRM connects human risk, agent activity, AI-system usage, and the human-agent relationship into one view — and, crucially, ties that activity back to risk the business can act on. It’s the same connected-signal engine that made HRM work for humans, now pointed at a workforce that includes agents, with intelligence that predicts, explains, and recommends the next action under human oversight.

It’s early, and the market will keep evolving here for a while. But the direction is clear: HRM’s job isn’t to govern agents directly — it’s to make human, agent, and AI-system activity legible as risk.

Our takeaway: HRM’s role with agents is correlation, not governance — connecting human, agent, and AI-system signals to risk.

Human Risk Management has entered its next phase

Forrester has helped the market retire the myths that clouded HRM’s early days, and this round of mythbusting is a genuine service to every security leader still fielding these questions internally. With a Forrester Wave™ evaluation of HRM anticipated, the category will keep maturing for years yet.

Our read on what comes next: the winning programs won’t stop at identifying human risk. They’ll continuously predict it, explain it, reduce it, and prove the business outcome — across every human and every agent in the workforce. That’s the operating model, not a slogan, and it’s the one we built Living Security to run: predict with precision, guide with explainable AI, and act autonomously with human oversight, validated by the Cyentia Institute.

Because in the end, the point both Forrester and our own data keep returning to is the same: the technology keeps changing, but the challenge stays fundamentally human. Wherever you are on the HRM maturity curve, that’s the work.

See Human Risk Management in action

See how leading enterprises are using AI to:

  • Predict human risk before an incident occurs
  • Prioritize the people — and agents — who matter most
  • Automate remediation across the tools you already run
  • Measure outcomes with the Human Risk Index

Explore the Living Security platform → Read the 2025 Human Risk Report →

Source citation: “Human Risk Management MythBusters: What’s True, What’s False, And What’s Evolving,” Forrester blog, July 9, 2026, by Jinan Budge, VP, Research Director. Additional data: Living Security × Cyentia Institute, “Risky Business: The R.O.I. of Managing Human Risk” (2025); Verizon 2025 Data Breach Investigations Report (as cited in Risky Business).

You may also like

Blog May 12, 2026

6 Features Your Human Risk Management Software Needs

link

Blog October 20, 2023

What is Human Risk Management? A Complete Guide for Security Leaders

link
# # # # # # # # # # # #