Cyber Rebels

AI Can Detect Threats — But It Can’t Fix Human Decisions

The Moment That Doesn’t Look Like Risk

A message comes through on Teams. It appears to be from someone senior: short, direct, and straightforward. They need something sorted quickly. There is a sense of urgency, but nothing that feels unusual or out of character. Requests like this happen all the time, particularly when work is busy and decisions are being made quickly.

The message feels familiar because it fits the normal pattern of workplace communication. It is brief, efficient, and easy to act on. There is no long explanation, no obvious inconsistency, and no reason, on the surface, to stop and question it. In that moment, the person reading it is not weighing up cyber risk. They are responding to what looks like a routine workplace request.

That is what makes the decision significant. It is not experienced as a cybersecurity decision at all. It is experienced as a human one, shaped by the pressure to be helpful, responsive, and efficient. When a request appears to come from someone with authority, acting quickly feels reasonable. Slowing things down can feel unnecessary, or even obstructive, especially when speed and responsiveness are already part of how work gets done.

Nothing in the moment actively interrupts that instinct. There are no dramatic warning signs, no obvious contradiction, and no clear reason to assume that the request is unsafe. The message sits comfortably inside the normal flow of work, where trust, pace, and familiarity all reinforce the sense that responding quickly is the right thing to do.

This is where risk often begins. Not in situations that feel overtly dangerous, but in situations that feel routine enough to move through without hesitation.

Why This Matters More Than Detection

This matters more than detection because detection and decision-making do not happen at the same point in the process.

Detection operates at system level. It is designed to identify anomalies, surface suspicious behaviour, and recognise patterns that may indicate compromise or misuse. In many organisations, that capability is significantly stronger than it once was. Systems can now identify unusual login behaviour, suspicious file movement, unexpected communications, and other signals that suggest something may be wrong.

But cyber incidents are rarely decided at system level. They are decided at human level.

They take shape at the point where someone chooses to trust a message, approve a request, share information, bypass a step, or continue with an action that feels normal enough to justify. That decision is made inside a live working environment, not in the controlled conditions that detection tools are built around. It is shaped by urgency, routine, workload, responsibility, and the pressure to keep things moving.

That distinction matters because detection can highlight that something is unusual, but it cannot remove the conditions that make an action feel reasonable in the first place. It cannot fully account for the fact that the person involved may be in the middle of another task, trying to help, working quickly, or operating in a culture where responsiveness is valued more highly than hesitation. A warning may appear, but the meaning of that warning is still interpreted within the context of the moment.

And that context is where most decisions are made.

This is why organisations can improve detection and still experience the same kinds of incidents. The technical signal may be present, but the human meaning of the situation may remain unchanged. If the request still feels familiar, if the action still feels efficient, and if the risk still does not feel visible in the moment, then the decision can still go the wrong way.

That does not mean detection lacks value. It means detection addresses visibility, while many cyber failures happen at the point of judgement. Those are related problems, but they are not the same problem.

Why the Decision Makes Sense

When something goes wrong, the instinct is to start with the outcome and ask what should have happened instead. But that perspective only becomes available afterwards, when the risk is already visible.

In the moment, the decision often makes complete sense.

Take a simple example. A message arrives from a senior colleague asking for login details so they can quickly check an issue. The request is framed as urgent, tied to a deadline, and positioned as a quick solution to a practical problem. The tone is familiar, the request feels internal, and nothing about it immediately suggests that it needs to be challenged.

The person receiving that message is not necessarily thinking about credential security. They are thinking about resolving the issue, being helpful, and keeping work moving. Responding quickly feels aligned with what the situation appears to require.

So they share it.

From a cybersecurity perspective, the action is clearly wrong. From a human perspective, it makes sense. There is trust in the colleague, pressure to respond efficiently, and a desire not to create friction. Refusing or slowing the process down can feel less like good judgement and more like causing a problem.

That is the point that often gets missed. The decision is not usually driven by a lack of awareness. It is driven by context: familiarity, urgency, authority, and expectation. These are normal features of working life, and they rarely announce themselves as risk.

Which means the decision does not feel dangerous. It feels appropriate. It feels proportionate. It feels like the right thing to do at the time.

Where AI Fits — And Where It Doesn’t

AI has a clear role in cybersecurity where scale, speed, and pattern recognition matter.

It can analyse large volumes of data far faster than any human team. It can identify unusual login behaviour, detect anomalies in communication patterns, flag suspicious attachments, and surface activity that deviates from an established baseline. In environments where thousands of interactions are taking place constantly, that capability is valuable and, increasingly, essential.

AI can identify that a login attempt is coming from an unusual location, that an email domain is slightly altered, or that a message contains characteristics commonly associated with phishing. It can raise alerts, quarantine content, or trigger additional checks. In that sense, AI significantly improves an organisation’s ability to see risk.

That is where it fits.

What it does not do is resolve the moment in which a human decision is made.

Return to the earlier Teams example. Even if a system flags the message as suspicious, the recipient still has to interpret that signal. They may see a warning, but they also see a familiar name, a plausible request, and a sense of urgency that fits with how work normally happens. If the situation still feels legitimate, the warning may be overridden, rationalised, or ignored.

The same pattern appears in other situations. An email flagged as suspicious may still be opened because it appears to come from a trusted contact. A login alert may still be approved because the user assumes it relates to their own activity. A request for sensitive information may still be fulfilled because it aligns with familiar business processes.

In each case, the system may have done its job. It has identified something unusual. But the outcome is still shaped by how the person understands and responds to that information.

And that understanding is shaped by context, not just data.

AI does not experience pressure to respond quickly. It does not feel the weight of deadlines, hierarchy, or workplace expectations. It does not balance competing priorities in the way people do during an ordinary working day. Human decisions are made inside those conditions, and that is precisely where the complexity lies.

In some cases, AI can introduce additional challenges. If people become used to systems catching threats for them, they may begin to rely on those systems to do more of the judgement than they should. If something is not blocked, it may feel safer than it really is. If warnings appear too often, they can become background noise. Over time, the presence of automated detection can create the impression that risk is being handled elsewhere.

Which is why the core issue remains unchanged. AI improves detection, but it does not alter the conditions in which human decisions are made.

The Gap Between Systems and Behaviour

This is where the problem becomes more visible.

Security systems are designed to operate through rules, patterns, and deviation. They look for something inconsistent, something unexpected, something that does not fit what is considered normal. When they find it, they raise a signal.

Human behaviour does not work like that.

People do not make decisions by asking only whether something is technically anomalous. They make decisions by asking, often implicitly, whether something feels familiar, whether it fits the task in front of them, and whether responding will help them move things forward. A message can be slightly unusual and still feel legitimate. A request can break a rule and still feel reasonable. A warning can appear and still be dismissed if it conflicts with what the person believes is happening.

That is the gap.

A system may identify risk because something is technically wrong. A person may move past that risk because everything feels contextually right. Those two perspectives do not always align.

A login attempt may be flagged as suspicious because it is coming from a new location. The user may approve it because they are travelling and expecting the prompt. A message may be flagged as potential phishing because of subtle indicators in the content. The recipient may trust it because the sender’s name is familiar, the request is relevant, and the tone matches previous exchanges.

In both cases, the system is responding correctly to technical signals. The person is responding reasonably to the context they can see. That is what makes the issue difficult to solve. Security is trying to identify what is different. People are trying to decide what is reasonable. Those are not the same judgement processes.

As long as that gap remains, improving systems alone will not remove risk. The final outcome still depends on how behaviour is shaped in the moment, not simply on what has been detected.

The Uncomfortable Reality

There is a persistent assumption that better technology will gradually reduce human risk. The thinking is that if detection becomes fast enough, accurate enough, and intelligent enough, the problem will begin to solve itself.

But that assumption begins in the wrong place.

Most human risk does not come from a lack of information. It comes from the way decisions are made when nothing feels obviously wrong.

In many organisations, detection is already working far better than it once did. Suspicious activity is flagged, unusual behaviour is surfaced, and warnings are generated at speed. From a system perspective, visibility has improved significantly.

What has not necessarily changed are the conditions in which people make decisions.

The person responding to a message, approving a request, or sharing information is still operating under time pressure, inside familiar workflows, and within expectations around speed and responsiveness. If the situation still feels legitimate, if the request still aligns with normal work, and if there is no strong contextual reason to pause, then improved detection does not automatically change the outcome.

Because the decision is not ultimately made at system level. It is made at human level, and that decision is shaped by context as much as by information.

In some environments, improved detection can even weaken active judgement if people begin to assume that anything serious will be caught for them. If alerts become frequent, they are more easily ignored. If something gets through without being blocked, it may feel implicitly trustworthy. Responsibility does not disappear, but the habit of questioning can weaken.

And the decision point remains exactly where it was before.

People still approve payments, still share access, and still respond to messages. They do so not because they are unaware, but because the situations they are responding to feel normal enough to justify action.

That is the more difficult reality beneath the technology conversation. AI will continue to improve how threats are identified, triaged, and surfaced. What it does not do, by itself, is change the human conditions under which decisions are made.

Until those conditions are understood more clearly, many incidents will continue to begin in the same place they always have: with a human decision that made sense at the time.

Director of Training and Development, Cyber Rebels. Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure. With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices. He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments. Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.
