Highlights
The unit of human risk is shifting from the click to the allow
Annual risk policies can't track people who adopt new tools weekly
Agents and automations inherit their humans' risk: same column, new rows
Ask anyone in security to sketch their riskiest employee and you'll get the same drawing: someone in a back office, three years behind on training, clicking whatever lands in the inbox. The whole awareness industry is built on this picture. Find the clickers, train the clickers, watch the click rate fall.
In a conversation with a leading AI company this week, their security leader gave me a different drawing. His riskiest people aren't behind. They're ahead. "Twenty people in my company are the worst offenders," he told me, "because they're so forward-thinking." His best researchers, the ones adopting agents, wiring up automations, and granting tools access to everything, are generating more novel risk than the rest of the company combined.
Here is the claim, stated plainly: the unit of human risk is shifting from the click to the allow. And almost every measurement program is still pointed at the click.
Escape velocity
Think of your controls as a gravity well. Most employees orbit comfortably inside it. The tools they use are sanctioned, the paths they take are mapped. Your most capable people are different: they move fast enough to reach escape velocity. Not maliciously. Enthusiastically. They install the agent, approve the OAuth scope, hand the automation a credential, because that's what building ahead of the curve looks like from the inside.
The click was a discrete, trainable event. The allow is different: it's continuous, it compounds, and it delegates. An agent granted access on a Tuesday keeps that access every day after, making decisions its human never reviews. Gartner expects a large share of enterprises to deploy AI agents within the next twelve months. Every one of those deployments is a human decision, an allow, that traditional awareness programs will never see.
The risk column didn't move. It grew.
There's a tempting misread here: that agentic risk is a new category, someone else's problem, a different budget line. It isn't. An agent has no risk of its own. It inherits the judgment, the permissions, and the blind spots of the human who deployed it. The human risk column now includes everything associated with the human: their clicks, approvals, agents, and automations.
That has an uncomfortable implication for how risk gets managed. Annual policy cycles, V1 this year and V2 next, assume risk categories hold still long enough to document. They don't anymore. The engineer who adopts a new agent framework every month has a risk profile with velocity, and you cannot capture velocity with an annual snapshot. Static maps, living territory, widening gap.
Where to point the instrument
None of this means abandoning phishing programs or awareness training. The floor still matters. It means the ceiling has moved: the most consequential human decisions in your company are now permission grants made by your most trusted people, and almost nobody is testing what happens after those grants.
So start there. Not with your weakest users. Start with your strongest. The riskiest person in your company has never failed a phishing test. He builds things you're proud of. And last week he gave an agent access to something neither of you has thought about since.
Key Takeways
Inventory the allows, not just the clicks: OAuth grants, agent deployments, and automation credentials from your top builders.
Score agents and automations under the risk profile of the human who deployed them.
Replace annual risk-category reviews with a living model that tracks adoption velocity per person.
Test post-grant behavior: simulate what a compromised or confused agent can do with inherited access.





