Author
- Sean Sosnowski serves as the Research Director for Security Operations and Cloud Security at SACR, where he leads research on SOC strategy, operations, and detection engineering. He draws on a decade of intelligence experience in the U.S. Marine Corps.
Executive Summary
Human Risk Management (HRM) is undergoing a fundamental rewrite as the security environment shifts from periodic threats to continuous, AI-driven exposure. Traditional programs focused on annual training are no longer sufficient against adversaries using AI to increase the scale and plausibility of social engineering. The unit of risk has evolved to include machine-assisted work, where exposure resides at the intersection of human judgment and delegated actions through assistants and automation.
This is SACR's first official coverage of Human Risk Management (HRM) as a category. The ecosystem map below illustrates how the market is converging across several previously disconnected domains. Traditional security awareness vendors continue to provide workforce engagement and simulation capabilities, while a newer generation of HRM platforms is building continuous measurement, contextual scoring, and operational response layers on top of those foundations. At the same time, adjacent categories, including email security, insider risk, identity governance, DLP, and non-human identity security, are increasingly intersecting with HRM as organizations attempt to operationalize people-linked exposure reduction.

The market is also beginning to expand rapidly into AI-assisted and delegated work. That expansion broadens the definition of human risk beyond employee behavior alone and moves the category toward managing the combined exposure created by humans and agents working together.
This report examines Human Risk Management as an emerging security category rather than a single product segment. The ecosystem map should therefore be viewed as a framework for understanding the broader market direction, competitive landscape, and capability evolution shaping the future of people-centric cybersecurity operations.
Modern HRM is defined as the continuous practice of identifying, measuring, and reducing cyber risk across both human behavior and supervised workflows. Unlike the legacy model, which relied on calendar-based activity and simple click rates, the modern approach uses a capability stack built on contextual measurement and targeted intervention. By pulling telemetry from identity, behavior, and tool usage, organizations can generate precise risk scores that drive automated coaching or control changes. This new model incorporates agent visibility to govern the autonomy granted to AI tools, so that security teams can manage people-linked exposure in real time.

That creates the report’s practical standard: mature HRM programs should be evaluated by the quality of the human-risk model, the governance around intervention, and the ability to show exposure reduction over time. A platform that can generate training content or summarize campaign results is one part of the category. The stronger test is whether the program can connect people, workflows, and delegated action to explainable, proportionate decisions that security teams can defend. We explore Cimento.ai as one example of this market direction, where an awareness and simulation entry point extends toward contextual scoring, multi-turn testing, and governed response.
Disclosure: Cimento sponsored and collaborated on portions of this research paper, including product briefings, market discussions, and access to company perspectives used as part of the analysis. While Cimento provided financial support for the development of this report and served as a case-study participant, the research, market framing, analysis, conclusions, and opinions expressed in this paper are solely those of the authors. The report was designed to provide an independent view of the evolving Human Risk Management market, including broader industry trends, competitive dynamics, and category developments beyond any single vendor.
Why Human Risk Management Is Being Rewritten
Human Risk Management is being rewritten because the human decision point has changed. For years, the category was organized around a relatively bounded model: employees received periodic education, completed simulations, and were measured through training or click-based indicators. That model matched a narrower view of exposure. Today, the risk forms around live decisions made across channels, roles, workflows, and automated systems.
The first pressure is the expansion of social engineering into the normal fabric of work. Attacks now move through email, chat, SMS, voice, collaboration tools, and other channels employees use to make daily decisions. The risk is shaped by timing and context: a finance approval, a help-desk request, an executive instruction, or a workflow exception. This makes periodic simulation a weaker proxy for the conditions employees actually face.
AI intensifies that shift by making deception more plausible and easier to personalize. Attackers can produce messages that fit a person’s role, authority, current responsibilities, and expected communication style. The visible markers that once helped users identify suspicious messages become less reliable. The security question moves closer to judgment under pressure: whether the employee can interpret intent, context, and consequence in the moment.
At the same time, daily work is becoming more delegated. Employees increasingly rely on copilots, inbox assistants, workflow automation, and other tools that summarize information, draft responses, route decisions, or trigger actions. Human risk now extends into the systems acting around the user. Exposure depends on what the person can access, what the tool can do, and how much trust the employee places in the output or recommended action.

This is the catalyst for redefining the category. Human Risk Management has to account for people, permissions, workflows, channels, and delegated action as one connected risk surface. The category is moving toward continuous analysis of where exposure concentrates, how behavior changes under realistic conditions, and what interventions reduce risk before a human-linked decision becomes an operational failure.
Defining Human Risk Management in the AI Era
Human Risk Management is the continuous practice of identifying, measuring, and reducing cyber risk arising from human behavior, susceptibility, judgment, and decision-making across the workforce. In an AI-shaped environment, this scope includes the machine-assisted and delegated actions employees initiate, configure, or supervise. The category provides security teams with a framework to make people-linked exposure measurable, comparable, and manageable over time.
Agent risk belongs inside Human Risk Management when the exposure traces back to employee sponsorship, granted permissions, supervision, or risky delegated behavior. A user who connects an assistant to sensitive data, authorizes a workflow, or relies on automated output during a high-impact decision is creating human-linked exposure through delegated action. Adjacent domains still own model controls, application security, data governance, identity lifecycle, and infrastructure policy. HRM supplies the behavioral and workflow context that shows where human judgment activates or amplifies those risks.

Its core capability set combines learning, simulation, contextual measurement, and remediation into a continuous loop. Signals from user behavior and operating context feed a risk model, which in turn informs coaching, realistic testing, or light friction. The resulting actions reduce exposure and generate new evidence about behavioral change, with training remaining a foundational element of the cycle.
This definition provides usable boundaries by distinguishing HRM from adjacent disciplines. While insider risk management focuses on harmful activity by trusted users and workforce identity supplies access context, Human Risk Management serves a specific operating purpose: the continuous reduction of cyber exposure created or activated by people during everyday work.
Ultimately, a platform belongs in this category when its primary purpose is to continuously measure and reduce risk arising from people and their supervised workflows. This includes social engineering defense and agent risk, where human judgment leads to machine action. By participating in a broader measurement-to-intervention loop, the category creates a clear center of gravity for managing modern people-linked exposure.
The Legacy Model
The legacy model of human risk management emerged from a practical enterprise need to educate large populations consistently, document program activity, and raise the baseline level of security awareness across the workforce. Awareness training, policy reinforcement, and phishing simulations gave security teams a repeatable program structure. Leaders could report coverage, show evidence of participation, and demonstrate that the human layer was receiving attention. In many organizations, that model created the first durable operating system for people-focused security.

Its operating logic was built around a calendar. Training arrived on an annual or quarterly cadence. Simulations were launched as discrete campaigns. Measurement centered on completions, click rates, and reporting rates. That structure made the program easy to administer and easy to explain. It also meant that activity was measured more precisely than exposure. A team could identify who finished a module or failed a test. It had a thinner view into which users were becoming riskier, which roles were more exposed, or which workflows carried the greatest leverage for an attacker.
The model also reflected the threat assumptions of its time. Email sat at the center of the attack surface, and the risky event was usually framed as a single moment: a click, a credential submission, or a failure to report. Users were often grouped into broad segments, with limited adaptation to role, privilege, or current operating context. When someone failed, the default response was another training assignment or another simulation. That approach supported broad coverage, but it produced limited insight into changing conditions around the user.
Those limits are more visible now because the environment around employees has changed. Communication happens across several channels. Work increasingly moves through collaboration tools, SaaS workflows, and AI-mediated tasks. High-risk behavior often becomes clear only when multiple signals are considered together. The legacy model still contributes value as a foundation for awareness and reinforcement. Its center of gravity sits in periodic program management, while the category itself is moving toward continuous risk management.
The practical migration path starts by preserving what the legacy model already does well: compliance evidence, baseline education, reporting culture, and a repeatable program cadence. The next layer adds role-aware simulation, continuous signal collection, dynamic risk grouping, and handoffs into the controls that already govern access, messaging, data movement, and workflow execution. Success metrics should also move from activity alone toward repeat-risk reduction, reporting speed, high-risk workflow coverage, and evidence that intervention is reducing exposure without adding broad friction.
How AI Changes Human Risk Management
AI changes human risk management in two connected ways. It improves attacker economics, and it changes how employees make decisions. Attackers can generate convincing language quickly, imitate tone with greater accuracy, and tailor lures with far less manual effort. Social engineering can now move across email, chat, and voice with a higher level of consistency. The underlying threats remain phishing, impersonation, coercion, and misuse: AI changes their scale, speed, and realism.

At the same time, employees increasingly work through systems that summarize messages, draft responses, retrieve information, and initiate actions. That changes the shape of the decision itself. A suspicious request may be interpreted first by an assistant. A response may be drafted before a user slows down to verify context. A workflow may execute with only light supervision once the user decides to trust the tool. The security-relevant event therefore extends beyond a single human act and begins to include the software layer that mediates attention, judgment, and execution.
This shift changes the unit of analysis for the category. Security teams now need to understand the person, the workflow, and the delegated action as one system of exposure. A periodic awareness cadence does not provide a current view of that system in motion. Risk now depends on role, access, recent behavior, tool usage, and the quality of oversight around automated tasks. Those variables change continuously. Continuous measurement and targeted intervention become more important because the conditions of risk are moving every day.
An HRM system becomes useful when it can interpret a small set of events in context. A finance approver receiving a late-stage payment request during a reporting window, a help-desk operator facing account recovery pressure, and an employee connecting an assistant to sensitive data all create different risk patterns. The common requirement is to combine behavior, role, access, and workflow context before deciding whether the right response is coaching, simulation, approval review, or a control change.
Agent risk enters here as an extension of human risk, especially when delegated action carries real authority. Employees choose which assistants to use, connect them to internal data, grant permissions, define tasks, and decide how much autonomy to allow. The agent acts with the context and authority provided by its human sponsor. That relationship keeps human judgment at the center of the problem. Some of the new exposure comes from approved copilots. Some comes from improvised shadow automation launched by employees trying to move faster. In both cases, the delegated behavior inherits human choices about trust, access, and supervision.
AI expands the category into new workflows while preserving its core logic. The central question is still how people create, amplify, or reduce enterprise exposure. The difference is that those outcomes now unfold through a blended system of human decisions and machine-assisted action. Human Risk Management has to account for that blended system if it is going to remain operationally useful.
The Modern Capability Stack of Human Risk Management
The modern capability stack begins with awareness and training, though their role is now more specific. Training remains essential because organizations still need shared language, secure habits, and reinforcement at scale. In the modern model, training becomes one intervention layer inside a broader operating system. The goal is to improve decisions at the moment of risk and measure whether exposure is actually falling over time. Simulation evolves with that goal. Single-message phishing tests give way to role-aware, multi-turn scenarios that better reflect how real attacks build credibility and pressure across several touches.

A stronger operating model also requires a richer signal base. Useful platforms pull selective telemetry from training outcomes, reporting behavior, identity context, endpoint or MDM data, and related workflow signals. The goal is to assemble enough context to explain why a person or group is exposed. A finance leader during a sensitive reporting window, a new engineer with fresh access, and an employee using ungoverned automation tools each present a different risk profile even when surface behavior appears similar. The quality of the model depends on how well those contextual differences are captured.
Contextual risk scoring becomes the operating center of the stack. A useful score needs to reflect the company, the role, the environment, and the moment. The same behavior can indicate elevated risk in one organization and routine work in another. That makes generic scoring less useful than a model grounded in company-specific context and first-party outcomes. In practice, the score becomes the mechanism that turns fragmented signals into a living picture of who is most exposed, who is becoming riskier, and which delegated workflows need closer supervision.
A human-risk score becomes operationally useful when it can be explained, calibrated, and challenged. Security teams need to understand which signals contribute to the score, how role and privilege change the interpretation, how false positives are reviewed, and how privacy-sensitive inputs are governed. The score also needs evidence of outcome value: users or groups placed into an intervention path should show measurable improvement, reduced repeat exposure, or a clearer control decision than the organization could have made from campaign metrics alone.
Once that picture exists, the stack has to drive action. Risk insight should determine who gets targeted coaching, who enters a more realistic simulation path, and which cases move into operational review. Some outcomes remain inside the platform as guidance, nudges, or reporting prompts. Others should flow into identity, IT, or data protection systems as suggested control changes, approval steps, or restricted workflow paths. Human review remains important for higher-impact responses such as access changes or workflow restrictions, because operational trust matters alongside automation speed.
Agent visibility extends the same stack into delegated execution. As assistants and agents become ordinary parts of work, the platform needs to map which employees are using them, what permissions those tools hold, and which workflows carry meaningful business impact. That visibility supports an agent-aware risk model grounded in the sponsoring human, the delegated task, and the authority behind that task. The result is a modern human risk management function that continuously measures behavioral exposure, adapts intervention to context, and governs delegated action before it turns into incident response.
Automated Remediation & Adaptive Control
Automated remediation is the point where the modern human risk model becomes operational. The value of a risk score increases when it places a person, group, or workflow into the right response path using current evidence, business context, and the potential impact of the action. The goal is to reduce exposure while keeping everyday work usable for employees and teams without evidence of elevated risk.

The first remediation layer is behavioral correction. When a user repeatedly clicks on simulated or real phishing attempts, misses training expectations, mishandles malware warnings, or creates a data-handling concern, the response should be timely and specific. A short nudge, targeted training assignment, reporting prompt, or scenario-specific explanation is more useful when it arrives close to the event that created the signal. These interventions should be adjustable by channel and behavior so the program can reinforce the relevant decision and preserve a lower-friction baseline for the rest of the workforce.
The stronger pattern is dynamic risk grouping. Security teams can define criteria using risk scores, repeated events, role sensitivity, privilege, current attack exposure, or other context that matters in their environment. Users then move into or out of groups as new evidence arrives. This makes remediation adaptive and reversible. A user whose behavior improves can return to a lower-friction path, while a user whose risk increases can receive more coaching, additional review, or stronger control treatment. The operating benefit is that the response state follows current behavior, reducing reliance on static lists or repeated manual updates.
Those dynamic groups can also drive downstream controls. A higher-risk group may receive stricter email inspection, more prominent prompts, additional data-movement restrictions, identity-driven step-up requirements, or closer review in related security tools. The important shift is that the human-risk model becomes a policy signal for systems that already govern messages, access, data movement, endpoints, and workflow execution. This allows the organization to use existing controls more selectively. Heavy friction can be concentrated where current evidence supports it, while lower-risk users continue to work under a normal control posture.
Automated remediation needs governance because the response can affect employee trust, business continuity, and legal or privacy boundaries, so decision rights should be defined by response impact. Low-impact actions such as nudges, short coaching, or reminders can run automatically once the policy has been approved. Medium-impact actions such as temporary group movement, increased inspection for a limited period, or additional review should follow predefined policy paths with an owner, an expiration condition, and an audit trail. High-impact actions, including access restriction, workflow blocking, or data-movement enforcement, should preserve human review, auditability, and a clear rollback path, and should require security, identity, HR or legal, and business-owner sign-off because those decisions affect trust, continuity, and accountability. The platform should explain which evidence triggered the response, who owns the decision, and what condition returns the user or workflow to a lower-friction state.
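The scoring, grouping and governance mechanics described in the preceding sections can be made concrete in code. The following is an added example written for this report; it is not code from Cimento or from any other vendor named here. It assumes a small set of signal types with hand-set weights (a real program would calibrate these on first-party outcomes), a 90-day decay window, and enter/exit thresholds for dynamic groups; the telemetry for the three employees is constructed. It shows three things the text asks of a mature platform: a score that returns its contributing signals and role multiplier so it can be explained and challenged, group transitions with hysteresis so a user whose behavior improves returns to a lower-friction path without flapping at the boundary, and a response plan in which low-impact actions run automatically, medium-impact actions carry an owner and an expiry, and high-impact actions are never automatic.

```python
"""Explainable contextual human-risk scoring, reversible risk grouping and
impact-tiered responses.

Added illustration for this report, not code from Cimento or any other
vendor named here. Signal names, weights, decay window, thresholds and the
sample telemetry below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

NOW = datetime(2024, 6, 1)   # fixed "current time" so the example is deterministic
DECAY_DAYS = 90              # assumption: a signal ages out over one quarter

# Assumed per-signal weights. Negative weights let protective behaviour lower risk.
WEIGHTS = {
    "real_click": 30,            # clicked a confirmed real phish
    "cred_submit": 40,           # submitted credentials to a lure
    "sim_click": 15,             # clicked a simulated phish
    "missed_report": 10,         # saw a lure and did not report it
    "ungoverned_assistant": 25,  # connected an unsanctioned AI tool to company data
    "training_overdue": 5,
    "reported": -15,             # reported a suspicious message
}

# Dynamic groups with hysteresis: enter on a higher score, leave on a lower one.
RANK = {"low": 0, "elevated": 1, "high": 2}
ENTER = {"elevated": 30, "high": 60}
EXIT = {"elevated": 20, "high": 45}


@dataclass
class Signal:
    kind: str
    when: datetime


@dataclass
class Person:
    user: str
    role: str
    privileged: bool            # holds approval, admin or sensitive-data rights
    sensitive_window: bool      # e.g. finance close or earnings period
    signals: List[Signal] = field(default_factory=list)


@dataclass
class Action:
    name: str
    impact: str                 # "low", "medium" or "high"
    automatic: bool
    owner: str
    expires: Optional[datetime]
    requires_review: bool


def score(person: Person, now: datetime = NOW):
    """Return (score 0-100, contributions) so every point can be explained."""
    contributions, total = [], 0.0
    for s in person.signals:
        age = (now - s.when).days
        if age < 0 or age > DECAY_DAYS:
            continue                          # stale signals do not count
        weight = WEIGHTS.get(s.kind, 0) * (1 - age / DECAY_DAYS)   # linear decay
        contributions.append((s.kind, round(weight, 1)))
        total += weight
    multiplier = (1.5 if person.privileged else 1.0) * (1.25 if person.sensitive_window else 1.0)
    contributions.append(("role/context multiplier", multiplier))
    return round(min(100.0, max(0.0, total) * multiplier), 1), contributions


def update_group(current: str, value: float) -> str:
    """Move between groups only when the score crosses the relevant edge."""
    candidate = "high" if value >= ENTER["high"] else "elevated" if value >= ENTER["elevated"] else "low"
    if RANK[candidate] >= RANK[current]:
        return candidate                      # escalate as soon as evidence supports it
    return candidate if value < EXIT[current] else current   # de-escalate only below the exit edge


def plan_response(person: Person, group: str, contributions, now: datetime = NOW) -> List[Action]:
    """Map group membership and the dominant signal to impact-tiered actions.
    Low impact runs automatically; medium impact carries an owner and an expiry;
    high impact is never automatic and always needs review."""
    actions: List[Action] = []
    kinds = {k for k, _ in contributions}
    top = max((c for c in contributions if c[0] in WEIGHTS), key=lambda c: c[1], default=None)
    if group in ("elevated", "high") and top:
        actions.append(Action(f"coaching:{top[0]}", "low", True, "hrm-platform", None, False))
        actions.append(Action("enhanced-email-inspection", "medium", True, "email-security",
                              now + timedelta(days=30), False))
    if "ungoverned_assistant" in kinds:
        actions.append(Action("assistant-registration-required", "medium", True, "it-governance",
                              now + timedelta(days=14), False))
    if group == "high" and person.privileged:
        actions.append(Action("step-up-auth-on-sensitive-approvals", "high", False,
                              "identity+business-owner", now + timedelta(days=14), True))
    return actions


def assess(person: Person, current_group: str = "low", now: datetime = NOW) -> dict:
    value, contributions = score(person, now)
    group = update_group(current_group, value)
    return {"score": value, "group": group, "why": contributions,
            "actions": plan_response(person, group, contributions, now)}


# Constructed telemetry for three employees (assumption, not real data).
PEOPLE = {
    "finance_approver": Person("finance_approver", "finance", True, True, [
        Signal("real_click", NOW - timedelta(days=10)),
        Signal("cred_submit", NOW - timedelta(days=10)),
        Signal("missed_report", NOW - timedelta(days=10)),
    ]),
    "engineer": Person("engineer", "engineering", False, False, [
        Signal("sim_click", NOW - timedelta(days=30)),
        Signal("reported", NOW - timedelta(days=5)),
        Signal("training_overdue", NOW),
    ]),
    "admin": Person("admin", "it", True, False, [
        Signal("ungoverned_assistant", NOW - timedelta(days=20)),
        Signal("sim_click", NOW - timedelta(days=60)),
    ]),
}

if __name__ == "__main__":
    for p in PEOPLE.values():
        r = assess(p)
        print(p.user, r["score"], r["group"], [a.name for a in r["actions"]], r["why"])
```

Run it directly to print each employee's score, group, planned actions and the contributions behind the score. `assess` takes the user's current group as an argument, so the same score yields a different result depending on where the user already sits; that asymmetry is what keeps remediation reversible rather than oscillating at a threshold.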
The same logic extends into AI-assisted and delegated work. If an employee launches an unsanctioned assistant, grants broad permissions to a workflow tool, or connects automation to sensitive data, the response can begin with guidance and registration requirements before moving into approval steps or permission changes. In this setting, remediation governs the relationship between the person, the delegated task, and the authority behind that task. It gives the organization a way to act before human risk turns into incident response.
Automated remediation is, therefore, a test of whether Human Risk Management can convert visibility into measurable reduction. The mature program needs a feedback loop that shows whether nudges changed behavior, whether high-risk groups shrank or stabilized, whether repeated risky behavior fell by role or workflow, whether users reported suspicious activity faster, whether downstream controls reduced exposure, and whether friction stayed proportional to the risk. It should also track how often downstream actions were reversed because the original signal was weak, along with business friction and employee-impacting errors. That evidence keeps remediation tied to outcomes and gives security leaders a practical way to manage human-linked exposure as a live operating variable.
Human Risk Market Landscape

The Human Risk Management market is forming around a broader operating problem than whether employees complete training or click simulated phish. Security teams increasingly need to translate evidence about people, workflows, permissions, and delegated actions into decisions that reduce exposure. The accompanying market map should therefore be read less as a vendor directory and more as a maturity model: engagement creates behavioral surface area, measurement makes it visible, realistic testing improves signal quality, control linkage turns signal into intervention, and delegated action extends the model to agents, service accounts, automations, and workflows acting on a user’s behalf.
- The first layer is engagement and awareness. This remains the most familiar entry point because it gives security teams reach across the workforce through training, nudges, reporting behavior, microlearning, and phishing education. KnowBe4 represents the established scale of the category, while vendors such as Hoxhunt, SoSafe, and CybSafe show the shift toward adaptive engagement and behavior-aware learning. The limitation is that engagement alone can overstate progress when completion rates or click metrics become the main proxy for exposure reduction.
- The second layer is human risk intelligence. This layer converts behavioral, organizational, and security telemetry into a risk model that can explain where exposure is concentrated and why it is changing. OutThink, Living Security, Mimecast, Proofpoint, Frame Security, and Cimento illustrate different paths toward quantified human-risk posture, from behavior analytics and real threat exposure to contextual scoring and remediation. The value is prioritization across users, teams, and workflows. The limitation is that measurement remains descriptive unless it can drive intervention.
- The third layer is realistic testing and simulation. Social engineering increasingly depends on timing, repetition, impersonation, channel movement, and workflow pressure, so simulation has to move closer to business-process realism. Cofense, Proofpoint, Hoxhunt, Frame Security, and Cimento represent different approaches to testing human exposure through phishing, reporting workflows, role-aware scenarios, deepfake-style pressure, or multi-channel simulation. The goal is to understand how people respond when an attack looks like normal work.
- The fourth layer is control linkage and response. HRM becomes operational when a risk signal can inform coaching, access review, escalation, policy adjustment, email-security action, data-security response, identity governance, or another proportionate control. Mimecast and Proofpoint are important examples because their human-risk offerings can connect awareness, email security, real phishing exposure, and insider-risk signals. Microsoft, Okta, SailPoint, and CyberArk sit at the edge of this layer as control-plane adjacencies. They supply enforcement paths when human-risk evidence needs to affect permissions, conditional access, privileged access, or workflow controls.
- The fifth layer is delegated action and agent governance. As employees use copilots, assistants, service accounts, AI agents, and workflow automation, human risk extends into systems acting around or on behalf of the user. This layer is relevant where automated action can be traced back to a human owner, sponsor, approval, or delegated authority. Microsoft Entra Agent ID and SailPoint show how major identity platforms are beginning to treat agents as governable identities, while specialists such as Astrix, Oasis, Entro, and Clutch illustrate the emerging non-human identity control surface. That boundary is relevant to the map only where automated action connects to human accountability and exposure reduction.
The existing vendor landscape reflects different starting points into the same control problem. Awareness vendors begin with behavior change. Email-security and phishing-response vendors begin with the threat path where human exposure most often materializes. Identity, access, and non-human identity vendors begin with what a person, account, service, or delegated workflow is allowed to do. The strategic center of HRM is the connection between these views. A mature program should be able to explain which human-linked exposures matter, test them realistically, and trigger responses that are proportional to the risk.
This makes operating depth the practical market question. Basic offerings administer content, run simulations, and report outcomes. More advanced offerings combine behavioral context, risk scoring, realistic simulation, workflow-aware intervention, and control handoffs. The category direction is a capability model that connects evidence about people, workflows, permissions, and delegated action to decisions that reduce exposure over time.
Cimento should be read against that map as an emerging connective-layer example. Its entry point is the familiar awareness and phishing workflow, but its category relevance comes from using those workflows as signal sources for contextual scoring, multi-channel simulation, and governed response. In the market map, Cimento sits between engagement, human risk intelligence, realistic testing, and control linkage, with delegated-action and agent-risk governance as the forward edge of the thesis. The opportunity is the operating loop that turns human, workflow, permission, and delegated-action context into exposure reduction.
Case Study Vendor: Cimento
The following profile should be read as one example of this broader category direction. It illustrates how a vendor can start from a familiar awareness and phishing budget line, then move toward risk intelligence, contextual scoring, realistic simulation, and governed response. The profile frames one emerging path through a fragmented landscape where buyers are trying to connect human behavior, workflow context, and delegated action into an operating model for exposure reduction.
Overview
This report’s core argument is that Human Risk Management is becoming a continuous security function centered on measurement, contextual scoring, realistic simulation, and operational response. Cimento is relevant to that thesis because it starts in a familiar security awareness and phishing budget line, then uses that wedge to build a broader human risk intelligence layer.
Cimento’s positioning centers on multi-channel phishing tests, behavior-based risk measurement, and personalized training that adapts to employee behavior. Training is the entry point, while the strategic product is a unified human risk score that can absorb first-party outcomes, role context, security tool signals, and company-specific risk conditions covering both human and AI-agent behavior. In that model, the platform becomes a continuously updated view of which employees, teams, workflows, and agents carry elevated exposure.
The company is especially useful as a profile in this report because it shows how the category can expand while preserving its practical buyer entry point. Security teams still need training, phishing simulations, compliance evidence, and user reporting. Cimento’s bet is that those workflows can become the data foundation for a more operational system: targeted simulation, adaptive coaching, risk-based review, permission and access remediation, and eventually agent-aware human risk governance.
Product & Architecture
Cimento’s operating model can be summarized as a loop: integrate, test, train, and translate risk into action. The platform connects to HRIS, SIEM, MDM, identity, and related security systems to understand employee context. It then runs phishing simulations across email, SMS, voice, and related channels, measures behavior in those interactions, and adapts short training or coaching to the user and scenario.
The risk score is the center of the architecture. Scoring runs in real time and goes beyond clicks, tracking decisions, response times, reporting behavior, role context, and access level. The score is open, company-contextual, and grounded in both first-party simulation outcomes and embedded security integrations. A finance executive during an earnings period, a departing employee with sensitive access, and an engineer adopting AI tools can carry different risks even when their surface behavior appears similar.
Cimento’s most distinctive near-term product idea is multi-turn simulation. Traditional phishing programs usually test a single message or a single action. Cimento is building simulations that unfold across several user touch points and channels, with the campaign adapting based on whether a user reports, ignores, engages, or escalates. That makes the test closer to modern social engineering, where attackers build credibility over time and use multiple channels to increase pressure.
The next layer is response orchestration. Cimento’s narrative positions the platform as a governable recommendation layer: surface the risky user or workflow, recommend a configuration change, and let the security team approve the next step. That could include suggested changes in identity, ITSM, DLP/CASB, remote access, or similar downstream controls. The important architectural move is the handoff from user-risk evidence to operational control, with human review preserved for consequential action.
Cimento’s agent-risk story extends the same model into delegated execution. In the company’s framing, agents inherit risk from the human who launches, connects, supervises, and authorizes them. The roadmap includes an agent registry that maps tools back to employee sponsors, agent permissions, and the composite risk profile created by the human, plus the agent’s access surface. Agent-to-agent social engineering simulation remains earlier-stage, while the human-sponsored model fits the report’s broader view that agent exposure often starts as a human risk problem.
Human Risk Narrative
Cimento maps to the report’s argument in three ways.
First, it treats training and phishing as a data acquisition layer. The company can enter through a known budget category, then use every training assignment, simulation result, report, and risky interaction as evidence for a more useful risk model. That is the category shift in miniature: the campaign becomes a signal source, while the persistent risk state becomes the operating object.
Second, it makes simulation more realistic. AI has improved attacker economics, and social engineering increasingly works through timing, context, and multiple touches. Cimento’s multi-turn model aligns testing with that reality by measuring behavior across a sequence and treating susceptibility as a pattern that forms over time. This matters because the modern HRM stack needs to evaluate decision-making under pressure, across channels, and over time.
Third, it links human risk to downstream control decisions. A high-risk score has limited operational value if the next action is another generic training assignment. Cimento’s roadmap points toward risk-based recommendations that can flow into identity, data protection, access, and security operations workflows. That is where the category begins to extend from program administration into continuous risk management.
The agent extension is strategically important because it keeps the human sponsor visible. Microsoft and other platform providers are moving toward explicit agent identity, lifecycle, access, and sponsorship models. Cimento’s version approaches the problem from the employee side: understand the human, map the tools they use, classify the agent’s permission surface, and apply simulation or review where the combined exposure is highest.
Product and Technical Notes
The current product appears closest to next-generation security awareness and phishing simulation, with a broader risk intelligence roadmap layered on top. That matters for calibration. Cimento’s near-term credibility will come from making training, simulation, reporting, and measurement meaningfully better than incumbent workflows. Its long-term differentiation depends on whether the unified risk score becomes trusted enough to drive security operations decisions.
The score itself needs careful validation. The company describes a forward-looking, contextual model that uses company-specific context, first-party outcomes, and security integrations. Buyers will need to understand which signals are used, how they are weighted, how the model handles false positives, and how a security team can explain the score to HR, legal, compliance, and business owners.
The multi-channel and multi-turn model also creates practical constraints. Email simulation is familiar. SMS, voice, deepfake calls, and employee-owned devices introduce legal, privacy, and change-management questions. Cimento appears aware of that boundary and has discussed voice and mobile as powerful, deployment-sensitive channels. The strongest near-term use cases may be high-risk populations, regulated workflows, and environments already experiencing real external pressure across channels such as Telegram, WhatsApp, or SMS.
The agent registry roadmap is promising, though still early. The clearest near-term path is visibility through MDM, endpoint, identity, and tool-usage signals, then tying that usage back to the sponsoring employee. The harder questions are how Cimento will detect short-lived agents, classify permissions consistently, and distinguish risky agent behavior from risky human intent. Those questions should remain open product validation points.
Competition and Positioning
Cimento sits between several market layers. It overlaps with incumbent awareness and phishing-security vendors. It also overlaps with broader human risk platforms and related vendors that emphasize continuous scoring, adaptive training, behavioral signals, and control response. These layers include vendors such as KnowBe4, Proofpoint, and Mimecast, as well as CybSafe, Hoxhunt, and SoSafe.
The competitive dynamic is different across these groups. KnowBe4 has scale, content depth, and market familiarity in awareness and phishing simulation. Mimecast and Proofpoint bring email security, insider risk, DLP, and policy control adjacency that can connect human risk scores to enforcement workflows. Hoxhunt, SoSafe, and Frame Security compete closer to the HRM thesis through behavior change, measurable risk, and targeted intervention and simulation. The pressure on Cimento is to show that its multi-channel testing, contextual score, and follow-on actions produce a stronger outcome than existing market alternatives.
The differentiation Cimento is pursuing is the combination of a low-friction SAT/phishing entry point, a company-contextual risk score, multi-turn social engineering simulation, and a human-plus-agent roadmap. Its strongest positioning centers on turning training and simulation into a risk intelligence layer that becomes more valuable as more employees and workflows pass through the platform.
That positioning also creates pressure. Incumbents can add AI-generated training, risk dashboards, threat-informed templates, and adaptive grouping into existing suites. Modern HRM vendors are already emphasizing live scoring and automated control response. Cimento will need to prove that its score is more contextual, that its simulations produce better signal, and that its downstream recommendations reduce exposure while limiting operational friction.
Implications for the Modern HRM Stack
If Cimento works as intended, it becomes a useful example of where Human Risk Management is heading. Completion metrics remain background evidence, while the operating layer centers on a living model of employee-linked exposure. The value would come from knowing which users and workflows are becoming riskier, which simulations reflect realistic attack behavior, and which interventions should move into review, coaching, or downstream control adjustment.
For buyers, the evaluation should focus on evidence quality. The key questions are whether the risk score is explainable, whether the integrations provide enough context, whether multi-turn simulation changes behavior, and whether recommended control actions are governable. Agent-risk capabilities should be evaluated as an emerging extension of the same human-risk model, especially in AI-native companies where employee-launched tools already create visibility and accountability gaps.
Cimento is therefore best positioned in the report as one emerging category example within the broader market. It shows how the market can start from security awareness, move into behavior-based risk intelligence, and extend into agent-aware governance as employees delegate more work to AI systems. The strategic importance is the direction of travel: Human Risk Management becomes a continuous operational layer for the person, the workflow, and the delegated action.
Practitioner Takeaways
Practitioners should treat Human Risk Management as a continuous operating model for exposure reduction, with training and simulation serving as signal inputs inside a broader risk loop. The first step is ownership. Security leaders should decide how awareness, security operations, identity, privacy, legal, and business owners participate in the program before automation is expanded. That ownership model should define which teams provide signals, which teams approve interventions, and which teams are accountable for employee-impacting decisions.
The next step is evidence quality. Buyers should inventory the signals they already have, identify two or three high-risk workflows, and test whether a platform can explain risk in those specific contexts. A useful pilot should show how the human-risk model handles role sensitivity, access level, reporting behavior, simulation outcomes, and workflow context. The evaluation should also require vendors to show score explanations, integration evidence, false-positive handling, and outcome tracking.
Practitioners should also define response thresholds before connecting HRM to downstream controls. Low-impact coaching can move quickly, while higher-impact actions need clear approval paths, auditability, and rollback. Agent-risk capabilities should be evaluated through the same lens: the immediate need is visibility into employee sponsorship, granted permissions, and delegated workflows, followed by proportional intervention when the combined human and machine exposure becomes material.
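The evaluation questions above (an explainable score, contextual weighting, and response thresholds with approval paths and an audit trail) are easier to reason about with a concrete model in hand. The following Python is an added illustration written for this report; it is not Cimento's code or scoring model, and every weight, role multiplier, tier boundary and sample employee in it is constructed. It shows the shape a buyer should expect: a score that returns its signal contributions alongside the number, a context multiplier for role and access, sponsored agents adding their permission surface to the human's exposure, and a response layer where coaching runs automatically while access changes wait for a named approver.

```python
from dataclasses import dataclass, field

# All weights below are constructed for illustration, not Cimento's model; a real
# program would calibrate, document and review them with HR, legal and compliance.
ROLE_SENSITIVITY = {"engineer": 1.0, "finance": 1.25, "executive": 1.5}
ACCESS_LEVEL = {"standard": 1.0, "privileged": 1.25}
SIM_OUTCOME_POINTS = {"reported": -10, "ignored": 0, "engaged": 25, "escalated": -5}
AGENT_SCOPE_POINTS = {"read": 5, "write": 10, "admin": 20}

# Response tiers: low-impact coaching runs automatically; employee-impacting or
# access-changing actions wait for a named approver and are always audited.
ACTION_TIERS = {
    "micro_training": "automatic",
    "targeted_simulation": "automatic",
    "manager_review": "approval_required",
    "access_restriction": "approval_required",
}


@dataclass
class Agent:
    name: str
    scopes: tuple            # permission surface granted to the delegated agent


@dataclass
class Employee:
    name: str
    role: str
    access: str
    sim_outcomes: list       # outcomes across a multi-turn campaign, oldest first
    agents: list = field(default_factory=list)  # agents this employee sponsors


def score_employee(emp):
    """Return the 0-100 score together with each signal's contribution, so the
    number can be explained to HR, legal, compliance or a business owner."""
    signals = {"simulation_outcomes": sum(SIM_OUTCOME_POINTS[o] for o in emp.sim_outcomes)}
    # Susceptibility as a pattern: repeated engagement inside one campaign compounds.
    engaged = emp.sim_outcomes.count("engaged")
    if engaged > 1:
        signals["repeat_engagement"] = 10 * (engaged - 1)
    # Sponsored agents inherit the human's risk and add their own access surface.
    agent_points = sum(AGENT_SCOPE_POINTS[s] for a in emp.agents for s in a.scopes)
    if agent_points:
        signals["sponsored_agents"] = agent_points
    multiplier = ROLE_SENSITIVITY[emp.role] * ACCESS_LEVEL[emp.access]
    raw = sum(signals.values()) * multiplier
    return {
        "employee": emp.name,
        "signals": signals,
        "context_multiplier": multiplier,
        "score": max(0, min(100, round(raw))),
    }


def recommend(explanation):
    """Map a score to proportional actions, each tagged with its governance tier."""
    score = explanation["score"]
    if score >= 80:
        actions = ["access_restriction", "manager_review", "micro_training"]
    elif score >= 50:
        actions = ["targeted_simulation", "micro_training"]
    elif score >= 25:
        actions = ["micro_training"]
    else:
        actions = []
    return [{"action": a, "tier": ACTION_TIERS[a]} for a in actions]


def execute(recommendations, approvals, audit_log):
    """Apply automatic actions immediately; approval-required actions proceed only
    when `approvals` names who signed off. Every decision is appended to audit_log."""
    applied = []
    for rec in recommendations:
        action, tier = rec["action"], rec["tier"]
        if tier == "automatic":
            applied.append(action)
            audit_log.append(f"APPLIED {action} (automatic)")
        elif action in approvals:
            applied.append(action)
            audit_log.append(f"APPLIED {action} (approved by {approvals[action]})")
        else:
            audit_log.append(f"PENDING {action}: awaiting approval")
    return applied


# Constructed sample population.
ALICE = Employee("alice", "finance", "privileged",
                 ["reported", "engaged", "engaged"], [Agent("expense-bot", ("read",))])
BOB = Employee("bob", "engineer", "standard",
               ["ignored", "engaged", "reported"], [Agent("code-assistant", ("read", "write"))])

if __name__ == "__main__":
    log = []
    for emp in (ALICE, BOB):
        exp = score_employee(emp)
        applied = execute(recommend(exp), {"access_restriction": "identity-team"}, log)
        print(exp["employee"], exp["score"], exp["signals"], applied)
    print("\n".join(log))
```

The design choice worth noting is that `score_employee` never returns a bare number: the signal breakdown and the context multiplier travel with it, which is what makes the false-positive and "why is this person high risk" conversations possible. The same separation in `execute` keeps the platform a recommendation layer for consequential actions; an access restriction is recorded as pending until a human approver is named, and the audit log shows both what ran and what was withheld.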
Conclusion
Human Risk Management is becoming a continuous security discipline because people-linked exposure now changes with the pace of work. AI increases the scale and realism of social engineering, while also changing how employees review information, trust systems, and delegate action. The category therefore has to account for behavior, context, workflow, and machine-assisted execution as connected parts of the same risk surface.
The strongest HRM programs will preserve the useful foundation of awareness and simulation while expanding their operating depth. The center of the program should be a contextual model that explains where exposure is concentrated, why it is changing, and which interventions are likely to reduce it. That model becomes more valuable when it draws from first-party evidence and feeds decisions across coaching, review, and downstream control systems.
This shift also raises the standard for governance. Measuring human risk touches employee trust, privacy, legal boundaries, and business accountability. Mature programs will need transparent scoring, clear ownership, careful approval paths, and a feedback loop that proves whether interventions improve outcomes. In that form, Human Risk Management becomes a practical layer for managing the person, the workflow, and the delegated action as one system of enterprise exposure.
The maturity test for Human Risk Management is whether the program can connect people, workflows, and delegated action to governed decisions that reduce exposure. Transparent scoring, clear ownership, privacy-aware controls, proportional intervention, and measurable outcomes are the operating requirements. In that form, HRM becomes a practical layer for managing human-linked exposure as a live enterprise variable, with governance strong enough to preserve trust while intervention becomes more precise.