Recognizing that legacy security awareness & training (SA&T) solutions weren’t effectively changing behavior or instilling a security culture, Forrester announced in 2022 its vision for human risk management (HRM) as a new approach to overcome SA&T’s shortcomings. We changed the market name in 2024, formally defining HRM, and evaluated vendor solutions for HRM, encouraging organizations to leave SA&T behind and adopt a new way of doing things. It caught on.

Eighteen months after publishing that vision blog, HRM has blossomed into a distinct, expanding market, attracting the interest and budget of many organizations. This blog unpacks the evolution of HRM in the 18 months since that bold, yet necessary, move.

A Primer: What Is HRM Again?

In a nutshell, HRM is a profound change of mindset, strategy, process, and technology that approaches human-related breaches in a new way. HRM quantifies human risk based on a set of inputs about a person: identity data, security behaviors and events, digital footprint and exposure, and security awareness. Understanding an individual’s risk context allows you to manage risk by providing personalized guidance at the right time, updating policies, or issuing workflows to security and other teams.

HRM Has Moved From Concept To Reality

The thought leadership calling for a disruption to SA&T, combined with shiny new HRM solutions and programs that look and feel nothing like the SA&T of the past, has moved HRM beyond the sole domain of innovative organizations, and it is fast approaching adoption by the early majority. At Forrester, we have experienced a seismic shift not only in the volume but also in the types of requests for HRM guidance from our clients, as per the table below. While the market is still in the domain of early adopters, this phase won’t last for long. I expect the majority of organizations to adopt HRM by late 2026.

How Are Vendors Approaching This Transition?

In the early days, it felt like Forrester received daily briefings from new startups that were approaching the SA&T market in line with Forrester’s vision of the future of SA&T. Many of these vendors raised funding in 2022 and 2023. Our first evaluation of the space, The Forrester Wave™: Human Risk Management Solutions, Q3 2024, uncovered legacy vendors with varied approaches to this disruption. They either resisted the change because of a broad misunderstanding of HRM’s true definition or clung to the familiar and easy-to-sell status quo of SA&T.

In 2025, however, resistance is fading, disruption and innovation have happened, and HRM capabilities are now on most vendors’ roadmaps, with vendors focusing on executing those roadmaps and enabling HRM adoption. The last 18 months have seen a more stable and pragmatic market that features the following dynamics:

  • Funding activity waned in 2024, with very few vendors raising new funding and one new vendor, Fable Security, launching in July 2025.
  • Vendors expanded capabilities to combine HRM with other solutions through M&A. For example, legacy secure email gateway vendors acquired HRM startups and legacy SA&T vendors acquired cloud-native, API-enabled email security vendors.
  • Legacy SA&T vendors continue to define HRM to suit their strengths and roadmaps, resulting in murky messaging to would-be customers.
  • HRM now appears in most SA&T vendors’ branding, and most of them possess true HRM capabilities but focus sales efforts on legacy SA&T capabilities.
  • Many vendors are working on training and enabling their sales and customer teams to drive adoption.
  • CybSafe recently announced the version 4.0 release of SebDB (security behavior database), its open-source research initiative that now maps security behaviors to risk outcomes, threat actor tactics, intervention strategies, and security frameworks such as MITRE ATT&CK and NIST’s Cybersecurity Framework.

Where Is AI In All Of This?

While AI has the potential to dramatically change the way organizations manage risk caused by (and directed at) humans, and while all vendors are “AI-enabled” in one shape or form, not all AI use cases are created equal. We’ve observed the following about how HRM vendors (especially HRM tools) are using AI:

  • Many vendors’ AI use cases focus on creating more and better content. More, however, is not always better.
  • The most important and disruptive — yet underutilized — use case for AI in HRM is to enable capabilities such as measuring behavior and risk and creating interventions that adapt to meet users where they are.
  • Many generative AI implementations cater to chatbot features, which seem more like novelties than valuable tools for customers.
  • Some vendors, such as Living Security, CultureAI, and Proofpoint, are providing real-time visibility into how humans interact with genAI tools.

To date, however, Forrester clients are still not asking many meaningful questions about the use of AI in HRM tools.

It’s Time To Move From Talk To Adoption

HRM is no longer a buzzword. The market and the hype have stabilized. Debates about whether or not HRM is just rebranded SA&T or a necessary step forward have faded. Now, all this talk has been replaced with the desperate need for practical action.

To help you on your way to action, I’ll be presenting a session at the upcoming Security & Risk Summit in Austin in November, entitled “Shift From Talk To Action: Chart Your Human Risk Management Roadmap.” In the session, I will share guidance on building an HRM roadmap, the technologies needed, building a business case for and resourcing these programs, and demonstrating true value beyond training completion. This session is part of the broader strategy and leadership track at the event; to learn more, check out the agenda.