In less than 12 months, wars escalated and re-escalated, markets swung wildly, trade tensions intensified, and even rice prices elevated, causing chaos. The pace of change has been relentless, and that’s before considering the volatility facing security leaders from AI or cybersecurity threats.
Also, less than a year ago, I published the blog on Human Risk Management’s (HRM) evolution following Forrester’s renaming of this market in 2024, arguing that the HRM market had moved from talk to adoption. The blog sparked thoughtful questions about HRM, alongside some predictable confusion as the category gained traction. Then agentic AI burst on the scenes, challenging the traditional definition of the workforce. As organizations increasingly view AI agents as co-workers, vendors and CISOs alike started asking a new set of questions about how HRM evolves.
This blog unpacks some of those questions, separates what’s true, what’s false and what’s still evolving as the world also evolves from one technological, economical, geopolitical, and general chaotic event to the next.
Myth #1: Human Risk Management Is Just Renamed Security Awareness And Training (SA&T)
The Question: Is HRM simply SA&T rebranded?
The Reality: Training remains important, but HRM goes much further. HRM quantifies human risk based on a set of inputs: identity, security behaviors and events, digital footprint and exposure, and security awareness. This understanding allows us to manage risk by providing personalized intervention at the right time, updating policies or issuing workflows. Its correct definition clearly outlines this reality. When we evaluate HRM vendors, we hold them to account to evaluation criteria aligned with this definition, not their own definitions.
Verdict: BUSTED. HRM is a profound change of mindset, strategy, process, and technology.
Myth #2: Human Risk Management Is Not Working
The Question: Can we admit HRM is not working, because human-related breaches continue to increase?
The Reality: No security discipline eliminates risk entirely. Organizations adopting HRM are gaining better visibility into human-related risk and using that insight to drive more targeted interventions and measurable outcomes than ever before.
Verdict: BUSTED. HRM is not perfect, but it is a significant improvement over traditional SA&T programs. Time and time again, I continue to observe meaningful impacts of HRM such as risk reduction, productivity gains, and cybersafe behavioral change.
Myth #3: HRM’s Main Purpose Is To Manage Behaviors
The Question: Shouldn’t the primary purpose of HRM be to manage employee behavior?
The Reality: One of the most important advances in the move from SA&T to HRM is HRM’s ability to detect and quantify cybersafe behaviors. However, that is only one part of the equation. Human risk is also shaped by exposure, access, context, and culture.
Verdict: BUSTED. The ultimate goal was never to only manage people’s behavior; it is to reduce risk posed by and to people.
Myth #4: Human Risk Management Needs A New Name Immediately To Account For A Workforce That Includes AI Agents
The Question: If the workforce now includes AI agents, does HRM become obsolete?
The Reality: Not yet. HRM still protects humans from the risks they create and face, although it must now account for the agents, systems, and relationships around them.
Verdict: EVOLVING. HRM doesn’t need a panic rename, it needs a scope expansion, and the time to see how HRM solutions evolve.
Myth #5: Human-Related Breaches Are Less Relevant Because Of AI-Driven Threats
The Question: As AI-driven threats grow, are human-related breaches becoming less important?
The Reality: AI does not erase existing human-related breaches: it intensifies them. Human-related breaches are exacerbated by attackers’ use of AI, extended to agents, and expanded through unmanaged AI use.
Verdict: BUSTED. AI isn’t replacing, it’s increasing the speed and impact of human-related breaches.
Myth #6: HRM Has No Role In Managing Agentic Cybersafety Behaviors
The Question: What business does HRM have in managing agents’ cybersafety behaviors?
The Reality: HRM does not replace AI governance or agent observability tools. But it can continue to do what it does best: correlate and interpret signals about what people are doing and experiencing (human risk), what agents are doing (agent activity risk), how AI systems are being used (AI system usage risk), and how humans and agents are interacting (agent relationship risk).
Verdict: EVOLVING. HRM’s role is not to govern agents directly, but to connect human, agent, and AI system activity to risk.
Other Noteworthy Market Questions
I want to tackle other market concerns that still frequently come up. First, HRM’s growth has largely followed the trajectory we expected when introducing HRM in 2022. HRM was designed as a medium-term evolution beyond SA&T, with the expectation that the market would continue evolving for 5-8 years before settling into a more mature state. Second, while some vendors inevitably adjust messaging to align with Forrester’s market category names, category washing rarely survives our scrutiny. We require all vendors in our evaluations to demonstrate real capability, customer outcomes, and alignment with our evaluation criteria – a difficult task for any vendor.
A Personal Note On The Future Of HRM Research
As I continue my broader leadership role at Forrester, I’m fortunate to be joined by my colleague Madelein van der Hout in shaping the future of our human-centered security research. Madelein has built a strong body of research on security leadership, organizational effectiveness, resilience, and European trends. Going forward, we’ll be collaborating closely across HRM and human-centered cybersecurity research, with Madelein taking an increasingly prominent role in the coverage including the upcoming Forrester HRM Wave™ Q3 2026. For our clients, this means continuity, fresh perspectives, and an even stronger research agenda as HRM enters its next phase.
Connect With Us
To everyone building, questioning, and evolving this space: thank you. Keep going. Keep asking us hard questions. And always remember that the technology may be changing, but the challenge remains fundamentally human.
If you’re a Forrester client, request an inquiry or guidance session with us to discuss.











-1024x683.jpg)







