Expert Interview Series

Beyond Compliance: Rethinking Human Risk in the Age of AI

Cracken AI NINJIO Expert Interview Series
April 29, 2026

A conversation featuring Cracken AI co-founders Artem Sorokin and Dr. Oleksii Baranovskyi


Cybersecurity has long operated under a comforting illusion: that compliance equals protection. Check the box, pass the audit, and assume the organization is secure. But in today’s threat landscape—defined by AI-driven attacks, adaptive adversaries, and increasingly complex systems—that illusion is breaking down.

The reality is far less tidy. Security is no longer just a technology problem; it's a human one. And increasingly, it's a systems problem where people, processes, and intelligent machines intersect in unpredictable ways.

In this conversation, Cracken AI’s Artem Sorokin and Dr. Oleksii Baranovskyi challenge conventional thinking around cybersecurity, arguing that resilience cannot be measured by policies alone, but by how organizations actually perform under pressure. From the rise of automated social engineering to the growing gap between executive perception and operational reality, they outline a future where human risk management is not a side discipline—but the foundation of modern cyber defense.

NINJIO: What’s broken about the compliance-driven model of cybersecurity? And how should organizations distinguish between vanity metrics and real indicators of resilience, especially when it comes to human risk?

Artem Sorokin: Too often, organizations treat compliance as a checkbox exercise. Policies exist, processes exist—but they’re not truly embedded in how the organization operates. Even in areas like penetration testing, issues are identified and then ignored, deprioritized, or left unresolved due to budget or legacy constraints. That mindset creates vanity metrics: signals that look good on paper but don’t reflect actual security posture.

Real resilience shows up differently. It’s about understanding how your organization behaves under stress. For example, how quickly you detect, respond, and recover. Metrics like mean time to recovery or response tell a much more honest story. They reflect whether your systems and your people can actually withstand an attack.

Dr. Oleksii Baranovskyi: Resilience is best measured in two ways: real-world incidents or realistic simulations.

If you’re not learning from actual disruptions, then you should be running structured exercises—tabletops, red teaming, scenario testing—and capturing meaningful data from them. Metrics like recovery time objectives, response times, and vulnerability recurrence rates give you a grounded understanding of risk.

Compliance alone doesn’t tell you that. But data derived from real or simulated events—that’s where true insight lives.

NINJIO: How does human risk management fit into this conversation? And where does it intersect with broader enterprise risk?

Dr. Oleksii Baranovskyi: Cybersecurity should not exist as a separate discipline. Rather, it should be integrated into overall risk management.

Today, many organizations treat cyber risk differently from operational or financial risk. That separation happened because technology evolved faster than traditional risk frameworks could adapt. But fundamentally, risk is risk.

Human behavior, system misconfigurations, operational errors—these are all part of the same equation. To manage them effectively, organizations need to apply consistent metrics, evaluate return on investment, and understand the real impact of security decisions across the business.

Artem Sorokin: Humans have always been part of the risk surface, and now AI is joining them. Both are non-deterministic. Both can introduce unpredictability. From a human risk management perspective, the goal should be integration. Security shouldn’t treat people as an external variable—it should treat them as a core component of the system.

In the future, human risk won’t sit on the sidelines. It will be embedded directly into how organizations think about resilience.

NINJIO: Why is there still such a significant gap between executive perception of security and the reality on the ground?

Artem Sorokin: A lot of it comes down to misaligned incentives. Boards want to reduce breach risk. Regulators want compliance. Customers want trust. CISOs are stuck navigating all three, and those priorities don't always align.

So sometimes organizations optimize for what’s being measured or required in the moment, even if it doesn’t reflect true security. That’s how vanity metrics persist. There’s also a communication gap. Different layers of the organization are speaking different languages—and often operating at different levels of abstraction.

Dr. Oleksii Baranovskyi: Exactly. Executives speak in financial terms: investment, return, cost. Security teams speak in technical terms: vulnerabilities, dependencies, controls. If you can’t translate between those two, the gap will always exist. The most effective CISOs are the ones who can connect technical risk to business impact in a clear, measurable way.

NINJIO: How is AI accelerating social engineering threats—and what should organizations be preparing for next?

Artem Sorokin: AI is transforming social engineering into a fully automated lifecycle. I see it in three steps.

First, it starts with reconnaissance: gathering open-source intelligence about a target. Then planning, which basically means designing a tailored attack. Lastly, execution—engaging directly with the victim through phishing, voice, or even video impersonation.

What’s changed is that every stage can now be automated. Attackers can run highly personalized spear phishing campaigns at scale, with AI handling not just the setup, but the interaction itself. We’ve seen scenarios where AI actively persuades someone to override security warnings in real time. That’s a completely different level of threat.

NINJIO: Where do you see unnecessary friction in how organizations approach human risk today?

Artem Sorokin: One of the biggest gaps is in how organizations train and prepare their people. Traditional awareness programs haven’t kept pace with how attacks actually work today. Education needs to evolve into something more dynamic and more experiential.

Think of it as vaccination. You expose people to realistic scenarios so they build instinct and muscle memory. When a real attack happens, they’re not seeing it for the first time—they already know how to respond.

NINJIO: Why is enterprise-wide cybersecurity more critical than ever?

Dr. Oleksii Baranovskyi: It's not that humans are the weakest link; it's that complexity has increased dramatically. The number of tools, systems, and configurations in modern environments creates more opportunities for unintentional error. And humans, naturally, will make mistakes.

The solution isn’t to eliminate human risk—it’s to design systems that contain it. That’s where approaches like zero trust and distributed architectures come in. If a mistake happens, it doesn’t cascade. It’s isolated.

Artem Sorokin: Exactly. Resilient systems assume failure will happen, and they are designed to limit the impact.

But implementing that kind of architecture requires executive buy-in. And that brings us back to alignment. It’s imperative that leadership prioritize resilience over speed when necessary.

NINJIO: What’s the most effective way to generate that buy-in for a more proactive cybersecurity strategy?

Artem Sorokin: At the executive level, it’s actually simpler than people think—it’s a smaller group, and decisions can move quickly. The challenge is framing the trade-off clearly.

Do you prioritize speed and flexibility, or resilience and control? Every organization has to make that choice based on its risk profile.

But one thing is clear: in today’s environment, reactive security is no longer enough. Proactive, integrated strategies, especially those that account for human risk, are essential.

About Artem Sorokin

Artem Sorokin is the CEO of Cracken. His obsession with cybersecurity wasn’t learned in a classroom, but forged during the invasion of Ukraine, where he witnessed nation-state cyberattacks on critical infrastructure firsthand. Now based in San Francisco, Artem combines 14 years of experience building software for Fortune 100 giants and MAANG engineers with a mission to build tools that actually protect lives. A founder with an MIT MBA background and a lifelong passion for AI, he has managed petabytes of data and billions in revenue, all driven by a philosophy of ethical innovation.

LinkedIn: Artem Sorokin

About Oleksii Baranovskyi

Dr. Oleksii Baranovskyi is a distinguished cybersecurity expert whose work bridges the gap between academia and national defense. He has received accolades from the National Security Council of Ukraine and the Head of Cyberpolice for his role in developing national cybersecurity capabilities. A certified trainer in CISSP and CISM, Dr. Baranovskyi has served as a subject matter expert for global organizations like the OSCE and USAID. At Cracken, he brings battle-tested expertise to the fight against modern cyber threats.

LinkedIn: Dr. Oleksii Baranovskyi

Frequently Asked Questions

A: Compliance focuses on meeting regulatory requirements, not actual security performance. Organizations can pass audits while still being vulnerable because compliance often relies on static policies rather than real-world threat readiness.

A: Human risk refers to the potential for employees, contractors, or users to unintentionally or intentionally contribute to security incidents through behavior, decision-making, or error. It’s now a core part of the overall attack surface.

A: Instead of relying on vanity metrics, organizations should track real performance indicators like detection time, response time, recovery time, and outcomes from simulated or real-world attacks.

A: AI enables attackers to automate reconnaissance, personalize phishing at scale, and even interact with targets in real time. This makes attacks more convincing, faster to deploy, and harder to detect.

A: Organizations should move beyond static awareness training and adopt experiential, scenario-based learning that builds instinct and prepares employees to respond effectively under pressure.

About NINJIO

NINJIO's human risk management platform reduces cybersecurity risk through personalized security coaching, engaging awareness training, and adaptive testing. Our multi-pronged approach to risk mitigation focuses on the latest attack vectors to build employee knowledge and the behavioral science behind social engineering to sharpen users' intuition. Our simulated phishing and coaching tools build a proprietary Emotional Susceptibility Profile for each user to identify their specific social engineering vulnerabilities and change behavior.