A new industry report by KnowBe4 suggests that organisations are facing a sharply escalating human-centred risk landscape as artificial intelligence becomes embedded in everyday work. The State of Human Risk 2025: The New Paradigm of Securing People in the AI Era, based on survey responses from 700 cybersecurity leaders and 3,500 employees who experienced an employee-involved incident in the past year, highlights a 90% surge in incidents linked to the human element.
The findings point to a widening attack surface driven by social engineering, unsafe employee behaviour and simple mistakes. According to the report, 93% of surveyed leaders experienced incidents in which cybercriminals exploited employees directly. Email continues to dominate as the primary battleground, with a 57% rise in email-related incidents and 64% of organisations reporting external attacks delivered through email. Human error remains a major weak point, with 90% of organisations facing incidents caused by employee mistakes, while malicious insiders accounted for issues at 36% of organisations.
Budget pressures are mounting too, as nearly all (97%) of the cybersecurity leaders asked said they need increased investment to strengthen the human-security layer.
AI’s rapid infiltration into workplace tools is introducing a new tier of risk. AI-related security incidents climbed 43% in the past 12 months—the second-largest increase across all channels surveyed. Despite 98% of organisations taking steps to address AI-related threats, security leaders ranked AI-powered attacks as their top concern, with 45% citing the constant evolution of AI-driven threats as their biggest challenge in managing behavioural risk. Deepfake-related incidents are also rising, affecting 32% of organisations.
Tensions around workplace AI use appear to be contributing to emerging “shadow AI” behaviours. While most organisations have implemented AI-risk measures, 56% of employees expressed dissatisfaction with their employer’s approach to AI tools, potentially driving them towards unsanctioned platforms.
The report suggests email will remain the highest-risk channel for several years, but warns that attackers are increasingly shifting to multi-channel campaigns, including messaging apps and voice phishing. The growing use of AI by threat actors to craft convincing, scalable attacks is expected to accelerate this trend.
Javvad Malik, lead CISO advisor at KnowBe4, said: “The productivity gains from AI are too great to ignore, so the future of work requires seamless collaboration between humans and AI. Employees and AI agents will need to work in harmony, supported by a security programme that proactively manages the risk of both. Human risk management must evolve to cover the AI layer before critical business activity migrates onto unmonitored, high-risk platforms.”
