Spell-check for privacy
Blog
Safe AI adoption 9 min read

Awareness training makes people aware. It doesn't change their behaviour.

A training on Monday does little when someone pastes a client file into ChatGPT under pressure on Thursday. Not from ignorance, but because the habit is stronger than the knowledge. Awareness only works in the moment, and everywhere: in AI tools, email, and social media.

Team workspace with laptops and browser-based AI work
Quick answer

A training makes people aware, but awareness is not behaviour. People forget most of it within a month, and under pressure they fall back on habit. That is why the AI risk keeps growing while training increases. Awareness only works when it happens in the moment, in the AI tool, the email, and the social post, exactly when someone is about to share something sensitive.

01

People forget up to 67% of new information within 24 hours and up to 79% within a month (Ebbinghaus; Murre & Dros)

02

Awareness training on its own cuts phishing clicks by about 3% (Microsoft Digital Defense Report)

03

84% of programmes aim to change behaviour, but only 43% measure whether it does

04

Only 3 in 10 employees remove sensitive data before using AI, not from ignorance but because of the moment (Newcom)

05

Awareness has to happen in the moment and everywhere: in AI tools, email, and social media

On Monday the team gets an awareness training. Good speakers, clear examples, everyone nods. No client data in free AI tools, mind your attachments, think before you share. The deck goes on the intranet. Box ticked.

On Thursday, at a quarter to five, one more summary has to go out. An employee pastes a client file into ChatGPT to clean it up quickly. He knows what was said on Monday. He just isn't thinking about it. The deadline is closer than the training.

That is not failure. That is how people work under pressure. And it is exactly why training does not fix the AI risk.

Aware does not mean safe

A training makes people aware. But awareness is not behaviour. You can explain perfectly what sensitive data is and why it does not belong in a chatbot, and it still happens, because in the busy moment the habit is stronger than the knowledge from the room. As long as awareness is something that happens in advance, in a session that fades, it changes little about what lands in a prompt field on Thursday afternoon.

Why training never reaches the behaviour

It starts with memory. The Ebbinghaus forgetting curve, later confirmed by Murre and Dros, shows that people forget up to 67% of new information within 24 hours and up to 79% within a month, without reinforcement. So an annual or even quarterly training has largely evaporated by the time it matters.

But even fresh knowledge barely shifts behaviour. The Microsoft Digital Defense Report shows that awareness training on its own reduces phishing clicks by about 3%, unless it is reinforced by broader measures. Three percent. And that while 84% of awareness programmes say behaviour change is their goal, yet only 43% actually measure whether behaviour changes. We train at scale, and we barely check whether it works.

The deeper problem is timing. A training is an event at a distance: a moment of knowledge, far from the moment of action. Between them sits a working week full of pressure, where the fastest route almost always wins. Knowledge you picked up three weeks ago does not announce itself the moment you paste something into a prompt.

The problem is not ignorance, it's the moment

Here is the uncomfortable part: most mistakes do not come from people who do not know. Research by Newcom found that only 3 in 10 workers remove sensitive information before turning AI loose on it. Those are not all people who do not know the rules. They are people who, in the moment, do not act on them.

And that moment looks different everywhere, but the pattern is the same: haste, routine, a fraction of attention too little.

In healthcare, a nurse uses an AI assistant to draft a note, and a patient name or identifier slips in. Not from carelessness, but because it is busy. On support teams, an agent pastes a whole customer email into an AI tool to generate a reply, name, order number and contact details included. Every time. In HR, someone asks an AI tool to "tidy up this offer letter", salary and all. And in finance, an IBAN or card number ends up in a prompt because it was simply part of the transaction. Same haste, different data. You can run a training on it. Thursday afternoon does not change.

And it is not limited to AI. The same behaviour lives in email: autocomplete filling in the wrong recipient, a Reply All on a sensitive thread, an attachment from the wrong folder. And on social media: a screenshot with a client name on it, a case shared "anonymously" that is not. Awareness is not something for the AI tool alone. It is needed everywhere data leaves the organisation. For AI, for email, for social media.

The objection, taken seriously

The fair objection: "So we should stop training?"

No. Training has a place. It builds a shared language, it makes people aware the risk exists, and for many frameworks it is simply required, think of the EU AI Act's AI-literacy obligation since February 2025. Without a base of knowledge, help in the moment also lands less well.

But training cannot be the control. It is a foundation, not a safety net. The problem starts when organisations tick the training off and assume the risk is now covered. That is hope, not control. The answer is not more or less training, but pairing it with something that is actually present at the moment of action.

And it has to feel like help, not surveillance. Nobody changes behaviour because they were named after the fact. People change behaviour when they get a nudge at the right moment, without it feeling like an accusation.

What actually works

Four shifts that turn awareness into behaviour.

  1. Move awareness to the moment of action. Not in advance in a room, but while someone types: in the AI tool, the email, the message.
  2. Make it contextual. Show what is sensitive in this text right now, not a general rule to recall three weeks later.
  3. Cover every channel. AI, email, and social media. The behaviour is the same everywhere, so the help has to be everywhere.
  4. Measure behaviour, not tick boxes. Not how many people completed the training, but whether the number of risk signals falls, in aggregate and without tracking anyone individually.

That last shift makes awareness measurable for the first time. This is what that looks like:

Detections over timeLast 30 days
12,438+18% vs last month
Top sources
ChatGPT
8,124
Gmail
3,210
Gemini
812
BeeSensible dashboard: aggregated detections and top sources, without monitoring individuals.

No scoreboard per employee, but a trend: is it happening less, in which channels, and is what you changed working? That is the proof a completed training never gives you.

Where BeeSensible fits

You can help people at exactly the moment that matters, instead of hoping they recall a training. BeeSensible recognises sensitive information as someone types, not only in AI tools but also in email and other web apps. Through the desktop app, detection runs entirely on the device; for browser-only use it runs in working memory on a BeeSensible EU server. Either way the text is discarded after analysis and nothing is stored. What is in there, a name paired with an account number, an IBAN, a national ID, is marked before it is sent. The employee decides.

Note: this is an email, not an AI tool. Same risk, same moment.

Gmail
New message
Todr.smith@clinic.co.uk
SubjectClient file: Laura Bennett
Hi Tom, forwarding the file for client Laura Bennett ahead of tomorrow's review. IBAN GB29NWBK60161331926819, mobile 07700 900123. Full notes attached.
BeeSensible highlights sensitive details before send.

A good training is valuable. But a training is a moment, and the risk is a habit. You do not close that gap by telling people more often what they already know. You close it by being present the moment it goes wrong, in every channel where data leaves, and helping before a quick action becomes an incident. Awareness is valuable. But you do not change behaviour on Monday in the room. You change it on Thursday, in the prompt field, in the email, in the message.

FAQ

Common questions

Does security awareness training actually work?

Training is useful for building knowledge and culture, but as a standalone control it barely changes behaviour. The Microsoft Digital Defense Report found that awareness training on its own reduces phishing clicks by around 3%. Knowledge is not a guarantee of behaviour, especially under workload.

Why do employees forget what they learned in training?

It is not defiance, it is how memory works. The Ebbinghaus forgetting curve, confirmed by Murre and Dros, shows people forget up to 67% of new information within 24 hours and up to 79% within a month without reinforcement. An annual or quarterly training has largely faded by the moment it matters.

So should we stop training?

No. Training builds a foundation and is required by many frameworks, including the EU AI Act's AI-literacy obligation. But training cannot be the control. Pair it with help in the moment, so the knowledge becomes behaviour at the point where the risk appears.

What is in-the-moment awareness?

Instead of transferring knowledge in advance, you signal the risk at the moment someone acts: while they type in an AI tool, an email, or a message. The employee sees what is sensitive before it is sent and decides. Nobody has to recall a training from weeks ago.

Does this only apply to AI tools?

No. The same behaviour, sharing quickly under pressure, lives in email (autocomplete, Reply All, the wrong attachment) and on social media (a screenshot, a client name in a post). Awareness has to work everywhere data leaves the organisation, not only in the AI tool.

How do you measure whether awareness works?

Not by the number of completed trainings, but by behaviour: how many risk signals there are, in which channels, and whether that line falls after you change something. In aggregate, without tracking individuals. That is the difference between a tick box and demonstrable effect.

See how BeeSensible works

Detect sensitive data before it leaves your team, in any app, in real time.