For years, cyber awareness was treated as a training exercise. Staff attended an annual session, completed a short quiz and moved on. For many organisations, that was enough to demonstrate intent.
Now in 2026, that approach no longer satisfies regulators.
Across regulated environments, human risk is now assessed through evidence of behaviour, not evidence of participation. FINMA, DFSA, FSRA and comparable regulators are increasingly clear on this point: awareness programmes must demonstrate that people act differently as a result, especially where access to sensitive systems and data is involved.
Awareness is no longer the control
Training still matters, but it is no longer considered a control in its own right. Regulators recognise that well-informed people can still make poor decisions under pressure, fatigue or urgency.
As a result, audit attention has shifted from whether training exists to whether risky behaviour is identified, tested and addressed.
This applies most strongly to roles with elevated access, decision-making authority or exposure to sensitive information. Generic awareness programmes, applied uniformly, are increasingly seen as misaligned with actual risk.
What evidence looks like in practice
Human risk evidence tends to fall into three broad areas.
First, testing. Regulators expect organisations to test how staff respond to realistic scenarios. Phishing simulations, access misuse drills and incident escalation exercises provide insight into behaviour under stress, not just theoretical knowledge.
Second, segmentation. Not all users carry the same risk. Evidence should show that training, testing and controls are adapted for administrators, executives, finance staff and third parties with access.
Third, follow-through. When risky behaviour is identified, regulators look for proof that it is addressed. That may include targeted retraining, access restriction or changes to process design. Ignoring repeat patterns is increasingly difficult to justify.
Why this matters for senior management
Human risk is no longer viewed as an IT or security issue alone. It sits at the intersection of governance, culture and operational resilience.
Boards and executives are expected to understand:
- where human behaviour presents the greatest exposure,
- how that exposure is monitored,
- and whether management can demonstrate improvement over time.
This does not require deep technical knowledge. It requires clarity on accountability and confidence that controls extend beyond policy statements.
Moving from intention to assurance
The transition from awareness to evidence reflects a broader regulatory trend. Intent is no longer enough. Regulators want assurance that controls work in real conditions.
Organisations that adapt early tend to find the conversation with regulators becomes more constructive. Those that rely on training records alone often struggle to explain gaps exposed during incidents or audits.
In 2026, human risk is judged by outcomes, not effort. Firms that can evidence how people behave, not just what they are told, will be better placed to meet that expectation.