The reality of cybersecurity is that compliance breaches rarely happen because someone intends to break the rules. Instead, they occur because someone did not understand them, forgot them, or was simply overwhelmed. As Partosh Bansel, co-founder and CTO of ThreadC, noted, even the most advanced security stack can fail due to a single convincing message. This realization has shifted the focus toward human risk management, using AI to move beyond simple awareness toward behavioral assessments across email, messaging, calls, and emerging channels.
Proving Behavioral Change, Not Just Course Completion
Traditionally, compliance training has focused on completion rates and quiz scores, often involving tedious manual tracking via Excel files. According to Chandan Kochhar, CEO of the City of Plano, AI allows organizations to move toward continuous measurement rather than an annual snapshot.
AI helps connect training to real-world outcomes by:
- Tracking Real-World Signals: Monitoring lower phishing click rates, fewer policy exceptions, and a higher rate of incident reporting.
- Predictive Risk Indicators: Flagging spikes in data uploads to external AI tools, increased override requests, or delays in policy acknowledgments.
- Demonstrable ROI: Tying improved behavior to reduced incident response costs and fewer negative audit findings.
Chandan emphasized that the goal is to prove behavioral change. AI further enables role-specific training, ensuring that a librarian and a police investigator receive customized, risk-based training relevant to their specific threat surfaces.
Precision Training: Meeting Employees Where They Are
Alexander Oddo, founder and CEO of Freedom Secur IT, highlighted that a “one-size-fits-all” approach often fails because it is too difficult for entry-level employees and too easy for senior security staff. AI can tailor training based on an individual’s role, department, tenure, and past failure rates.
To avoid training fatigue and disengagement, Alexander suggested several practical strategies:
- Bite-Sized Micro Training: Respecting employees’ time by providing 30-to-60-second “training moments” rather than mandatory 30-minute sessions that people often click through without learning.
- Relevant Content: Sending fake invoice simulations to finance departments or fake inbound leads to sales teams.
- Frequency Over Length: Conducting these brief exercises two or three times a month to keep security top-of-mind without being overwhelming.
As Alexander summarized, the focus should be on precision training—less noise and more signal.
Personalized and Embedded Compliance
Laura Sawka, founder and GRC executive at SOA Advisory Group, explained that effective AI-driven compliance must be personalized to the user and the specific risks they face in their job function.
She advocated for embedding training into existing workflows. Rather than a once-a-year event, training should be an ongoing activity that lives within the applications and tools people use daily. This creates a real-time, closed-loop cycle where behavior can be measured immediately to show if the training was effective. Laura noted that training must be memorable and relevant so that employees remember the “anecdote” or lesson when they face a real-world situation.
Measuring Impact and Building a Risk-Aware Culture
During the panel discussion, the speakers agreed that measuring activity is not the same as measuring impact. To make AI-driven training credible, organizations must collect telemetry from various signals and use it to proactively assign training.
Key insights for a successful program included:
- Leadership Tone: The “tone at the top” is critical in communicating the importance of training.
- Incentivizing Good Behavior: Laura suggested that success should be measured not just by who didn’t click a link, but by who reported the phishing attempt.
- Accountability: Alexander warned against judging security teams solely on failure rates, as this can lead to teams sending “easy” simulations to hit bonus targets rather than actually reducing risk.
- Positive Reinforcement: Chandan suggested using certificates, “coffee with the CISO,” or lunches to recognize employees who demonstrate secure behavior.
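The closed loop the panel describes (measure real-world signals such as click and report rates, flag predictive indicators such as a spike in uploads to external AI tools, then assign short role-specific training) can be sketched in code. The following is an added illustration, not code from the article or from any of the speakers' companies; the telemetry records, thresholds and module names are constructed for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample telemetry (not from the article). Each simulation record:
# (user, department, clicked, reported). Each upload record: (user, week_index,
# files sent to external AI tools that week).
SIMULATIONS = [
    ("ann", "finance", True, False), ("ann", "finance", False, True),
    ("bob", "finance", True, False), ("bob", "finance", True, False),
    ("cy", "sales", False, True), ("cy", "sales", False, True),
    ("dee", "sales", False, False), ("dee", "sales", True, False),
]
UPLOADS = [
    ("ann", 0, 2), ("ann", 1, 3), ("ann", 2, 2), ("ann", 3, 12),
    ("bob", 0, 1), ("bob", 1, 0), ("bob", 2, 2), ("bob", 3, 1),
]
# Hypothetical role-specific micro-modules, keyed by department.
ROLE_MODULES = {"finance": "60s module: spotting fake invoices",
                "sales": "60s module: spotting fake inbound leads"}

def behavior_metrics(simulations):
    """Per-department click rate and report rate: impact, not completion."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for _, dept, did_click, did_report in simulations:
        sent[dept] += 1
        clicked[dept] += int(did_click)
        reported[dept] += int(did_report)
    return {d: {"click_rate": clicked[d] / sent[d],
                "report_rate": reported[d] / sent[d]} for d in sent}

def upload_spikes(uploads, factor=3.0, min_baseline=1.0):
    """Flag users whose latest-week uploads exceed factor x their prior weekly mean."""
    by_user = defaultdict(dict)
    for user, week, count in uploads:
        by_user[user][week] = count
    flagged = {}
    for user, weeks in by_user.items():
        latest = max(weeks)
        prior = [weeks[w] for w in weeks if w != latest]
        baseline = mean(prior) if prior else 0.0
        if weeks[latest] > factor * max(baseline, min_baseline):
            flagged[user] = {"latest": weeks[latest], "baseline": baseline}
    return flagged

def assign_training(metrics, spikes, click_threshold=0.25, report_floor=0.5):
    """Closed loop: map measured signals to short, targeted training moments."""
    plan = defaultdict(list)
    for dept, m in metrics.items():
        if m["click_rate"] > click_threshold:
            plan[dept].append(ROLE_MODULES.get(dept, "60s module: phishing basics"))
        if m["report_rate"] < report_floor:
            plan[dept].append("60s module: how to report a suspicious message")
    for user in spikes:  # predictive indicator, assigned per user rather than per team
        plan[user].append("60s module: data handling with external AI tools")
    return dict(plan)
```

With the sample data, finance is assigned two modules for its high click rate and low report rate, sales gets nothing, and only ann is flagged for the upload spike.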
Conclusion
Ultimately, the goal is to create a risk-aware culture where employees think logically through risks rather than acting on emotion. By embedding controls into business processes and utilizing continuous monitoring, organizations can move from a reactive “checkbox” exercise to a proactive, strategic enabler of business success.
