For this edition of Partner POV, we spoke with Marco Muto, SVP of Strategy at KnowBe4, about the evolving nature of agentic AI and human risk, why traditional approaches are falling behind, and how KnowBe4 and Drata together help customers stay audit-ready while building a stronger security culture.
Meet KnowBe4: From Security Awareness to Digital Workforce Security
KnowBe4 is the global leader in digital workforce security, trusted by more than 70,000 organizations over the past 15 years to strengthen security culture. As workforces evolve to include both humans and autonomous AI agents, KnowBe4 is pioneering a hybrid approach that combines advanced technical defenses, continuous risk intelligence, automated personalized training, and a quantified Risk Score that shows how risk is changing over time.
The company has been AI-powered since 2016, with more than 50 patents and a dedicated AI Center of Excellence, giving it a significant head start as threats and defenses move into an agentic future.
KnowBe4’s differentiation rests on four pillars:
Production-scale agentic AI, delivered through its AIDA suite of specialized agents that automate and orchestrate the full agentic AI and human risk program.
A sustained track record of AI innovation and patents that keeps it years ahead of competitors.
A risk-first model powered by its SmartRisk Agent, which analyzes 316 indicators to deliver what it calls the industry’s most accurate Risk Score.
Integrated cloud email security that not only blocks threats but also creates teachable moments and feeds behavioral data back into the broader program.
All of this is grounded in a belief that true resilience is collective—aligning security investments with the behavior of AI agents and humans, not just infrastructure, to better protect people, data, and the planet.
Why Agentic AI and Human Risk Is the New Security Blind Spot
Despite record investments in security technology, most data breaches still involve people. One recent data set points to 68% of data breaches involving people, even as less than 3% of security spending is directed at the human layer. At the same time, employees frequently bypass security guidance—69% admit to doing so in at least one survey—creating a persistent gap between policy and behavior.
The KnowBe4 team sees this gap widening as AI becomes both a powerful tool and a new attack surface:
AI-powered social engineering is scaling. An estimated 82.6% of phishing emails now use some form of AI, and attackers are increasingly layering in vishing and deepfakes to impersonate voices and faces at unprecedented scale.
Email controls alone aren’t enough. In 2025, 85% of phishing emails bypassed Domain-based Message Authentication, Reporting, and Conformance (DMARC), and organizations saw a 38% increase in attacks that slipped past traditional secure email gateways (SEGs). That DMARC figure is less surprising than it sounds: DMARC only checks that a message is authenticated for the domain it claims to come from, so a phish sent from an attacker-controlled or lookalike domain with its own valid SPF and DKIM records passes the check. Meanwhile, 91% of cybersecurity leaders report frustration with the amount of risk that still gets through their email security stack.
Shadow AI is creating blind spots. As AI tools become embedded in knowledge work, 44% of organizations report increased incidents related to AI use, and 43% of workers admit to sharing sensitive information with AI tools without permission.
All of the above describes a fundamental shift: the workforce is now a hybrid of humans and autonomous AI agents, but most security investment still focuses on protecting networks and endpoints. The human—and now the AI agent—remains the most underestimated and therefore vulnerable part of the attack surface.
From this perspective, organizations need to move from training-first to risk-first strategies: measure and quantify agentic AI and human risk at scale, use dynamic risk scores to pinpoint the riskiest users and AI agents, and then automate interventions that are tailored to specific behaviors and threat vectors, including deepfakes and vishing.
How KnowBe4 Is Responding: From Insight to Action
KnowBe4’s platform is built to both measure and manage agentic AI and human risk.
First, the SmartRisk Agent ingests hundreds of indicators—ranging from phishing simulation results to email behavior—to produce a granular Risk Score at the individual and organizational level. That score becomes the backbone for prioritization and reporting.
From there, AIDA (AI Defense Agents) and integrated cloud email security take over:
Integrated Cloud Email Security (ICES) blocks multi-channel threats and feeds behavioral data—like who clicked what, and when—back into the SmartRisk model.
AI-driven simulations and training span phishing, vishing, and deepfake scenarios, with personalized content that targets the specific behaviors and risk patterns observed in each user or group.
Program orchestration allows teams to automate campaigns, workflows, and escalations at scale, ensuring that interventions happen at the right moment instead of relying on manual scheduling alone.
The result is a measurable impact on phishing susceptibility and incident reduction: KnowBe4 customers can reduce their “phish-prone percentage” from over 30% to under 5% within 12 months, and integrated platforms are projected to drive up to 40% fewer employee-driven cybersecurity incidents.
Why Drata and KnowBe4 Are Better Together
KnowBe4 helps organizations change behavior. Drata helps them prove and extend that progress across compliance, risk, and customer trust.
KnowBe4 and Drata already have a deep integration that automatically pulls evidence of personnel security awareness training from KnowBe4 into Drata, maps it to the right controls and frameworks, and keeps it continuously up to date. Customers save hundreds of hours each year by eliminating manual screenshots, exports, and spreadsheet wrangling before audits.
As KnowBe4 sunsets its own KCM platform—which included compliance, risk, policy, and vendor risk management modules—it has recommended that customers migrate to Drata to continuously maintain and mature their GRC programs. Following an exhaustive assessment of the market, KnowBe4 selected Drata as its exclusive GRC partner and preferred compliance automation platform, citing Drata’s expansive product offering and customer-centric values.
On the Drata side, customers gain:
Coverage across 16+ compliance frameworks and 80+ integrations with the systems they already use, from infrastructure to HR and finance.
An automation-led approach that continuously collects and maps evidence, surfaces gaps, and keeps organizations audit-ready—all while reducing the burden on internal teams.
Drata products such as Trust Center, TPRM, and the Drata Open API, which give security and GRC leaders a single pane of glass into their posture and the ability to share that story with customers and prospects.
The combination is especially powerful for GRC and compliance teams who are tired of last-minute audit scrambles. While KnowBe4 runs a sophisticated, AI-driven agentic AI and human risk program in the background, Drata continuously connects that work to the controls, frameworks, and customer trust signals that matter most.
Customer Spotlight: DistillerSR
One example of the partnership’s impact comes from DistillerSR, an AI-enabled literature review platform in healthcare technology. DistillerSR uses Drata and KnowBe4 together to scale its security and compliance program without slowing down the business.
With Drata and KnowBe4, DistillerSR has:
Achieved 90% fewer meetings during its SOC 2 audit
Seen 75% fewer auditor requests
Reduced internal personnel involved in GRC work by 40%
By centralizing continuous compliance in Drata and agentic AI and human risk management in KnowBe4, DistillerSR can spend more time on product and customer outcomes, and less time orchestrating evidence or chasing status updates.
Looking Ahead: Securing Humans and AI Agents
Looking to the future, KnowBe4 expects the agentic shift to accelerate. Gartner predicts that roughly one-third of enterprise software will include agentic AI by 2028, and KnowBe4 already has 12 AIDA agents in market—more than any other vendor in the space—with more to come.
As KnowBe4 moves toward a unified platform, it plans to continue expanding its integration and go-to-market work with Drata. The partners are collaborating on new initiatives, and KnowBe4 is welcoming Drata as an exhibitor at its annual user conference, KB4-CON—a reflection of how central the partnership has become for mutual customers.
For organizations navigating the realities of AI-driven threats, hybrid workforces, and rising customer expectations for trust, the message from KnowBe4 is clear: it’s time to treat agentic AI and human risk as first-class citizens in your security strategy—measured, managed, and continuously evidenced.
With KnowBe4 changing behavior and Drata turning that progress into continuous, auditable proof, customers can move faster through security reviews, reduce people-driven incidents, and give buyers confidence from the first conversation onward.
If you’ll be at KB4-CON in Orlando, Florida from May 12–14, stop by Booth 301 to see how Drata helps automate audits, security questionnaires, and third-party risk.