WHY SECURITY MUST EVOLVE FOR THE HYBRID HUMAN-AI WORKFORCE

By Javvad Malik, Lead CISO Advisor at KnowBe4

There is a specific moment in every security professional’s career when they realise the traditional rulebook hasn’t just been ignored—it’s been torn to pieces. Mine arrived last week while watching a colleague engage in a debate with an AI agent over expense policy, while simultaneously being phished by what was almost certainly another AI posing as IT support.

For decades, the cybersecurity industry has clung to a comfortable, binary premise: humans work inside the walls, threats exist outside, and our job is to keep the two apart. It was a tidy worldview that made for excellent spreadsheets, even if we knew it was fiction.

Then, AI walked into the office without knocking. It’s a reboot of the classic 2010 iPad launch, where executives demanded connection to the corporate network, heralding the age of “Bring Your Own Disaster”.

The Multi-Species Workforce

The most uncomfortable truth facing modern organizations is that they no longer employ just humans.

Your current headcount includes Peter from Accounts Payable, his three AI assistants (two sanctioned, one very much ‘shadow’), a recruitment algorithm, and whatever experimental automation Marketing has hooked up to Slack to bypass a slow internal process.

They are all making decisions. And they are all sharing data.

When Peter’s AI hallucinates a rogue clause into a vendor agreement, or a chatbot leaks PII because a prompt-engineer asked nicely, where does the buck stop? Traditional security loves clean lines—User vs. Admin, Internal vs. External. But we are now operating in a world that has gone full analogue. We have created a workforce that is part human and part silicon, yet the risk remains entirely ours to manage.

The Futility of Punitive Security

Historically, we have managed security like a digital Alcatraz. If a user clicks a phishing link, we chastise them. If they use unapproved software, we discipline them.

But punishing people for being human is like shouting at water for being wet. It provides a few seconds of emotional release for the security team, but it doesn’t change the outcome. You cannot discipline your way to a secure culture, and you certainly cannot punish an AI agent into making safer choices.

So, what happens when your workforce is 60% human, 40% AI, and rising?

Navigating the Shadow AI Explosion

Shadow AI isn’t born from malice; it’s born from friction. Employees use unsanctioned tools because the approved versions are often slow, restrictive, and designed by people who think ‘user-friendly’ is a type of malware.

If your IT ticket for an AI request won’t be resolved until Q3 2027 but the free version of ChatGPT is open in a browser tab right now, the choice for a busy employee is a foregone conclusion.

To manage this hybrid reality, we need to view the workforce as a single, unified, complex adaptive system. Here is the framework for securing the blur:

  • Govern the Decision, Not the Entity: We need governance frameworks that apply to the action, regardless of whether the actor is carbon-based or cloud-hosted. If a human isn’t allowed to export customer data to a personal drive, their AI assistant shouldn’t be able to either.
  • Design for Invisible Perimeters: Assume you will never have 100% visibility again. Security must shift toward real-time behavioral monitoring and anomaly detection that tracks patterns across both human and machine activity.
  • Build Intuitive Culture, Not Just Compliance: You teach a child to cross the road by explaining traffic lights, not by screaming at them every time a car passes. The same applies here. You cannot train culture into an AI model, but you can design systems where humans and AI operate within a framework that makes security intuitive.
  • Treat Shadow AI as a Signal: If half your workforce is using unsanctioned AI, that isn’t a compliance failure—it’s a sign your current tools are failing your people.

The question is no longer if your workforce will become a hybrid of human and machine. It already is.

The real question is whether our security models will evolve to meet this reality, or if we will keep building expensive walls around a perimeter that vanished years ago. The workplace has changed; our job is to design security that works with human nature, rather than against it.
