On Monday the team gets awareness training. Good speakers, clear examples, everyone nods. No client data in free AI tools, mind your attachments, think before you share. The deck goes on the intranet. Box ticked.
On Thursday, at a quarter to five, one more summary has to go out. An employee pastes a client file into ChatGPT to clean it up quickly. He knows what was said on Monday. He just isn't thinking about it. The deadline is closer than the training.
That is not failure. That is how people work under pressure. And it is exactly why training does not fix the AI risk.
Aware does not mean safe
A training makes people aware. But awareness is not behaviour. You can explain perfectly what sensitive data is and why it does not belong in a chatbot, and it still happens, because in the busy moment the habit is stronger than the knowledge from the room. As long as awareness is something that happens in advance, in a session that fades, it changes little about what lands in a prompt field on Thursday afternoon.
Why training never reaches the behaviour
It starts with memory. The Ebbinghaus forgetting curve, later confirmed by Murre and Dros, shows that people forget up to 67% of new information within 24 hours and up to 79% within a month, without reinforcement. So an annual or even quarterly training has largely evaporated by the time it matters.
But even fresh knowledge barely shifts behaviour. The Microsoft Digital Defense Report shows that awareness training on its own reduces phishing clicks by about 3%, unless it is reinforced by broader measures. Three percent. And while 84% of awareness programmes say behaviour change is their goal, only 43% actually measure whether behaviour changes. We train at scale, and we barely check whether it works.
The deeper problem is timing. A training is an event at a distance: a moment of knowledge, far from the moment of action. Between them sits a working week full of pressure, where the fastest route almost always wins. Knowledge you picked up three weeks ago does not announce itself the moment you paste something into a prompt.
The problem is not ignorance, it's the moment
Here is the uncomfortable part: most mistakes do not come from people who do not know. Research by Newcom found that only 3 in 10 workers remove sensitive information before turning AI loose on it. Those are not all people who do not know the rules. They are people who, in the moment, do not act on them.
And that moment looks different everywhere, but the pattern is the same: haste, routine, a fraction too little attention.
In healthcare, a nurse uses an AI assistant to draft a note, and a patient name or identifier slips in. Not from carelessness, but because things are busy. On support teams, an agent pastes a whole customer email into an AI tool to generate a reply, name, order number and contact details included. Every time. In HR, someone asks an AI tool to "tidy up this offer letter", salary and all. And in finance, an IBAN or card number ends up in a prompt because it was simply part of the transaction. Same haste, different data. You can run a training on it. Thursday afternoon does not change.
And it is not limited to AI. The same behaviour lives in email: autocomplete filling in the wrong recipient, a Reply All on a sensitive thread, an attachment from the wrong folder. And on social media: a screenshot with a client name on it, a case shared "anonymously" that is not. Awareness is not something for the AI tool alone. It is needed everywhere data leaves the organisation. For AI, for email, for social media.
The objection, taken seriously
The fair objection: "So we should stop training?"
No. Training has a place. It builds a shared language, it makes people aware the risk exists, and for many frameworks it is simply required; think of the EU AI Act's AI-literacy obligation since February 2025. Without a base of knowledge, help in the moment also lands less well.
But training cannot be the control. It is a foundation, not a safety net. The problem starts when organisations tick the training off and assume the risk is now covered. That is hope, not control. The answer is not more or less training, but pairing it with something that is actually present at the moment of action.
And it has to feel like help, not surveillance. Nobody changes behaviour because they were named after the fact. People change behaviour when they get a nudge at the right moment, without it feeling like an accusation.
What actually works
Four shifts that turn awareness into behaviour.
- Move awareness to the moment of action. Not in advance in a room, but while someone types: in the AI tool, the email, the message.
- Make it contextual. Show what is sensitive in this text right now, not a general rule to recall three weeks later.
- Cover every channel. AI, email, and social media. The behaviour is the same everywhere, so the help has to be everywhere.
- Measure behaviour, not tick boxes. Not how many people completed the training, but whether the number of risk signals falls, in aggregate and without tracking anyone individually.
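The second and fourth shifts as an added Python example (not from the original article or any product): it flags what is sensitive in the text at hand, validating IBAN and card candidates by checksum so the hint stays quiet on look-alikes, and records only per-channel category counts. The patterns, function names, channel label and sample prompt are constructed assumptions.

```python
import re
from collections import Counter

# Candidate patterns; the checksums below cut false positives on IBANs and cards.
PATTERNS = {
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def iban_ok(candidate):
    """ISO 13616: move the first 4 chars to the end, letters -> 10..35, mod 97 == 1."""
    s = candidate.replace(" ", "").upper()
    if not (s.isascii() and s.isalnum() and 15 <= len(s) <= 34):
        return False
    return int("".join(str(int(c, 36)) for c in s[4:] + s[:4])) % 97 == 1

def luhn_ok(candidate):
    """Luhn checksum used by payment card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:  # double every second digit, counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

VALIDATORS = {"iban": iban_ok, "card": luhn_ok, "email": lambda _: True}

def find_sensitive(text):
    """Return (category, start, end) for each validated match, in text order."""
    hits = [(cat, m.start(), m.end())
            for cat, rx in PATTERNS.items()
            for m in rx.finditer(text) if VALIDATORS[cat](m.group())]
    return sorted(hits, key=lambda h: h[1])

def redact(text, hits):
    """What an in-the-moment hint can offer: the same text with labels swapped in."""
    for cat, start, end in sorted(hits, key=lambda h: h[1], reverse=True):
        text = text[:start] + f"[{cat.upper()}]" + text[end:]
    return text

def record(counts, channel, hits):
    """Aggregate only: bump (channel, category) counters; no user id or text is kept."""
    counts.update((channel, cat) for cat, _, _ in hits)
    return counts

# Constructed sample prompt; every value is test data, not a real account.
SAMPLE = ("Refund to NL91ABNA0417164300, card 4111 1111 1111 1111, "
          "ref 4111 1111 1111 1112, contact j.devries@example.com")
```

The reference number in the sample fails the Luhn check and is left alone, which is the difference between a contextual hint and a pattern that fires on every long digit run.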
That last shift makes awareness measurable for the first time. This is what that looks like:
Gmail