The State of Human Risk: Governance and Compliance
As concern over human risk continues to grow, Mimecast’s State of Human Risk Report sheds light on how organizations are approaching governance and compliance
Key Points
- Concerns over human risk management continue to grow, making human risk the hot topic in cybersecurity for 2025.
- Mimecast has released its ninth annual cybersecurity survey report, The State of Human Risk 2025.
- This blog is the third in a series and highlights our findings in governance and compliance.
I’ve seen firsthand how human behavior continues to be the linchpin in both successful security programs and damaging breaches. It’s no longer just a checkbox for compliance — it’s the heart of real cybersecurity resilience.
Addressing human risk inside today's organizations is the overwhelming top priority for cybersecurity teams in 2025. It is also the main theme of Mimecast's recently released ninth annual report on the state of the industry, this year aptly titled The State of Human Risk 2025.
Each year, Mimecast conducts a survey of CISOs and other cybersecurity professionals to gain an understanding of the problems they are facing and the issues that are their priority for the coming year. For 2025’s report, we surveyed 1,100 IT security and IT decision makers from the United States, United Kingdom, France, Germany, South Africa, and Australia. A range of private and public sectors were covered, including healthcare, retail, finance, manufacturing, and utilities.
Governance and Compliance
Governance and compliance are an important part of ensuring smooth operations across an organization, and can stand as a testament to the security and stability of an enterprise. Organizations that can demonstrate strong governance and compliance will have a better reputation in their marketplace and build stronger customer loyalty.
A robust governance and compliance framework helps identify and manage cyber risks, keeping operations legally sound and in line with industry standards and internal policies. By focusing on business continuity, securing sensitive data, and avoiding damaging legal fallout from data breaches or security incidents, organizations build a proactive defense against cyberattacks.
Artificial Intelligence
Organizations can take governance and compliance a step further using artificial intelligence (AI). AI isn't just another tool – it's a force multiplier. It helps teams process enormous volumes of data, automate tedious tasks, detect anomalies, and prioritize real threats before they escalate. AI helps organizations adhere to relevant security standards and regulations, enables proactive threat mitigation, and improves efficiency to streamline eDiscovery efforts.
AI will not only boost an organization’s compliance and security levels but also turbocharge staff efficiency. The future of cybersecurity is in security tools that leverage AI strategically, and it’s arguably the only way to outsmart and outpace the ever-evolving world of cybercrime.
Governance and Compliance Survey Results
When it comes to survey respondents and AI, 95% say their organization is using AI to help defend against cybersecurity attacks and/or insider threats, 81% are concerned about the potential for sensitive data leaks via GenAI tools, and 55% admit to not being fully prepared with specific strategies for AI-driven threats.
In addition, 46% of the organizations surveyed said they are using AI tools for threat detection and monitoring as well as for analysis and response to phishing attacks. And 43% said they are using AI tools for endpoint protection, behavioral or sentiment analysis, insider threat detection, and automated incident response.
And when it comes to addressing the potential for AI to exploit human behavior and mistakes in cybersecurity:
- 44% of organizations are implementing AI-powered monitoring and protection tools and are developing internal AI tools to protect against AI-driven attacks.
- 42% are training their teams on how to use AI to avoid exploitation.
- 40% are creating policies on AI usage.
- 38% are updating or introducing a code of conduct for AI-driven risks.
- 36% are collaborating and sharing relevant information with partners.
- 35% are conducting simulated AI-driven phishing attacks.
The Bottom Line
While we are seeing real improvements in governance and compliance, especially in how organizations are using AI tools to reach their governance and compliance goals, today's security teams must remain aware of current known threats and be diligent in discovering new ones in order to maintain compliance. Human risk is complex and it's evolving. But with the right tools and strategies, security teams can stay ahead. The full State of Human Risk 2025 report digs deeper into the findings and offers a clear path forward.