As we speak, bad actors are using AI agents to do their dirty work.
Our own research tells us 85.8% of phishing attacks were AI-driven in the past 12 months. Agentic power is helping social engineering and malware get smarter, faster and harder to detect.
But enough of what you probably already know. Let’s talk about how we can address these risks.
Our CISO Advisor Dr. Martin Kraemer wrote recently about AI agents being used for good. Agentic AI has the ability to address technical and strictly infosec-based organizational roadblocks (SOC alert fatigue, out-dated email security, etc.).
But AI agents are not just for the IT side of the house. Those responsible for security awareness training (SAT), admittedly sometimes one and the same, should get to play with these toys too.
This is where AI Orchestration comes in.
What Is AI Orchestration in Security Awareness Training?
KnowBe4’s AIDA (Artificial Intelligence Defense Agents) Orchestration transforms security awareness from a manual process into an always-on system designed to keep pace with modern threats.
AIDA Orchestration acts as the “Moderator Agent” for SAT programs, coordinating how other agents work together as a single system. Admins maintain control by defining guardrails called "Plans" that set boundaries such as testing frequency, training limits and user group policies. Within those boundaries, AIDA Orchestration executes autonomously.
By coordinating multiple KnowBe4 AI agents around the single goal of reducing human risk, it delivers smarter training, stronger defenses and real operational relief. This technology monitors behavior, detects risk signals and responds automatically with targeted interventions at the moment they're most likely to drive behavior change.
Two Gaps AIDA Orchestration Can Help Close
The Velocity Mismatch
Adversaries operate in real time. Even the best SAT programs can operate on a batch schedule. When an employee fails a phishing simulation, any remedial training that has to be manually assigned could take days to deliver. Organizations could be asking employees to learn from mistakes they've already forgotten making.
The Administrative Gap
For large security teams, the hidden cost of SAT isn't the license fee; it's hours spent on manual triage, list management and campaign scheduling. Every hour an SAT admin spends managing training logistics is an hour not spent on researching emerging risks and improving the security posture and culture.
AIDA Orchestration vs. Manual SAT: By the Numbers
Some of the smartest folks at KnowBe4 have spent most of 2026 tracking AIDA Orchestration usage across a select number of KnowBe4 customers. Here’s what they’ve found so far:
| Metric | No Orchestration | With AIDA Orchestration |
|---|---|---|
| Remedial training assignment rate after phishing failure | <1% | 26% |
| Total training coverage | 20%-30% | 50%-60% |
| Risk score reduction speed | Baseline | 4x faster |
| Users trained | Baseline | 2x more users |
| Phishing emails reported | 20% | 36% |
How AI Orchestration Closes the Gap
For overworked, overstressed SAT admins, here’s what these numbers mean:1. Closing the Remedial Loop
By automating the response to a phishing simulation failure, AIDA Orchestration-driven environments see remedial training rates jump from less than 1% to 26%. The difference isn't just frequency—it's proximity. A targeted, relevant nudge delivered at the moment of failure drives behavior change in a way that a delayed generic module never can.
2. Data-Driven Risk Reduction
Organizations using AIDA Orchestration experience a 4x faster reduction in risk scores compared to those using traditional methods. By identifying training gaps across multiple risk dimensions and intelligently doubling the number of actively trained users, AIDA Orchestration transforms a passive training program into a dynamic defense layer.
3. From Passive User to Active Sensor
When training is relevant and timely rather than repetitive and delayed, employees stop being passive targets and start behaving as active participants in the organization's defense. AIDA Orchestration's personalized reach drove a 79% increase in phishing email reporting rates, turning the workforce into a distributed early-warning system.
Which Organizations Need AI Orchestration?
AIDA Orchestration is the right fit if:
- The organization has experienced repeated phishing failures despite existing training
- Security admin bandwidth is a bottleneck
- Leadership needs measurable, reportable evidence of behavior change; not just completion rates
- The goal is to reduce human risk scores at scale, faster than manual programs allow
For organizations with 500+ employees, distributed workforces or high-frequency phishing exposure, the ROI case for AIDA Orchestration is clear: administrative savings alone often justify the investment before factoring in risk reduction.
Key Takeaways: AIDA Orchestration in Security Awareness Training
- AIDA Orchestration is the always-on moderator agent that coordinates AI agents across a SAT program — autonomously executing training, remediation and risk response within admin-defined guardrails called "Plans”
- AIDA Orchestration closes the gap between manual training and automated assignments, raising remedial training assignment rates from less than 1% to 26%
- Total training coverage doubles, from 20–30% of users under manual programs to 50–60% with AI Orchestration active
- Risk scores drop 4x faster in organizations using AIDA Orchestration vs. those relying on traditional methods, with 2x more users actively trained.
- Phishing reporting rates increase from 20% to 36%, a 79% lift, when training is timely and relevant, turning employees from passive targets into active threat sensors
The Result: AIDA Orchestration Means Risk Reduction
The ultimate goal of a culture-embedded security awareness strategy is more sensors, not just fewer clicks.
In 2026, the question for the CISO isn't whether the organization has an SAT program. The question is: Does the program move as fast as the attackers do?
