By Byron V. Acohido

ORLANDO — Companies are pulling AI agents into their daily operations through a dozen side doors.

One of them was in focus at KB4-CON, KnowBe4’s annual customer conference at the Marriott World Center here last week.

The Clearwater, Fla.-based cybersecurity training vendor used the conference to lay out a pivot from a training-focused company to a workforce security platform — built through extending its core services to adjacent IT operations.

The logic holds. It’s a way to help its existing customer base leverage AI to streamline vital employee training and also boost protective filtering of company email.

But that’s just the starting line, CEO Bryan Palma told me. The company is stepping forward to help companies mitigate the cascading risks of a hybrid workforce where humans and AI agents share the same workflows.

“People say the agentic era is comparable to the Industrial Revolution. I think it’s true,” said Palma, who took over as CEO in May 2025. “It’s probably one of the biggest inflection points in humanity. For KnowBe4 that’s a lot of fun. We’ve been anticipating it.”

Training becomes orchestration

KnowBe4 spent 15 years selling security awareness training. It now sells agentic email security alongside it, with the email product feeding behavioral data back into the training engine. Agent Risk Manager, launched April 30, extends the platform into governing the AI agents customers are deploying to handle routine tasks across HR, finance, IT administration and customer support.

KnowBe4 is deploying AI agents on both sides of its own business. On the vendor side, agents build phishing simulation modules, update training content, and personalize delivery to individual employees. For customers, agents handle the routing and configuration work that the old training model imposed on IT administrators.

Alex Ziegelmeier, walking me through the product on the exhibit floor Wednesday, was specific about how the customer-side automation works. Ada Orchestration, the company’s training-side agent layer, picks the training modules, builds the phishing simulation templates, schedules the deployment and personalizes the content per employee — work that used to require a human administrator.

“The AI running the platform is more effective than a human administrator,” Palma said in a Thursday interview. “That’s what we’re finding.”

The new risk equation

KnowBe4 appears to be in the vanguard of B2B vendors recognizing an opportunity that did not exist before generative AI arrived in late 2022. The opening is to apply AI’s force-multiplier capacity in two directions — rebuilding how the vendor itself operates, and guiding customers through the same retooling across the dozens of functions where AI agents are now landing.

The market backdrop helps explain the urgency. Deloitte’s 2026 State of AI in the Enterprise report found agentic AI deployment accelerating sharply, with only about one in five companies operating a mature governance model for autonomous agents. A KPMG survey found 75 percent of enterprise buyers rank security, compliance and auditability as the most critical requirements for agent deployment. A fraction say they have the controls in place.

The analytical case for why a training vendor is now selling agent governance came from Perry Carpenter, KnowBe4’s chief human risk management strategist, in a Wednesday interview.

“Human risk management is an incomplete equation,” Carpenter said, “because of the addition of agentic AI.” AI agents, he argued, carry many of the same vulnerabilities humans do. They can be socially engineered. They can act on poisoned inputs. They can operate with excessive privilege.

What changes is speed. “When a human makes a mistake, they do it at human pace and human scale,” Carpenter said. “When an AI agent makes a mistake, it does it at agent scale.”

Exposures on the rise

The attack surface side of the equation confirms the timing. Chris Wallis, CEO of Intruder, attended KB4-CON as an exhibitor and gave me an unvarnished read Thursday morning. CVE counts are on track to hit 60,000 this year, up from roughly 50,000 in 2025.

That is before counting API exposures, orphaned services and unmanaged agent footprints that do not make the official list. Attackers are using AI to scale their operations the way enterprises are using it to scale theirs. “Anytime the difficulty level goes down for the attacker, it’s bad news for defenders,” Wallis said.

Recent intrusions illustrate the human-channel exposure. The Shiny Hunters group worked breaches at Google and Canvas (Instructure’s learning management platform) by calling employees, claiming to be from IT, and walking them through credential resets, Wallis noted. The technical defenses held. The humans on the phone did not.

A 2026 Gravitee State of AI Agent Security report found 88 percent of organizations reported confirmed or suspected AI agent security incidents in the last year. A separate Writer enterprise survey found 39 percent of companies have no formal strategy for AI adoption. Thirty-five percent are not confident they could pull the plug on a rogue agent if one started causing damage. Thirty-five percent are not confident they could pull the plug on a rogue agent if one started causing damage.

The platform pull

What KnowBe4 is doing is not unique to security training. Workday is running the same play in HR and finance, with internal AI agents accelerating product development and external agents handling scheduling, accounting and supplier contracts for customers. ServiceNow has told the market its internal AI specialist resolves IT service desk cases 99 percent faster than human staff and is shipping the same capability to customers across IT operations, HR, finance and procurement.

Every category that has spent the last decade serving as a necessary line item is staring at the same choice. Rebuild around AI-driven internal operations and extend the retooling into adjacent governance work, or watch the line item get rationalized into someone else’s platform in the next procurement cycle.

Whether KnowBe4 executes depends on decisions Palma’s team will make in the next 18 months. But the opening is real. Orlando offered a working preview of how AI agents are likely to reshape other necessary line items across the enterprise.

Seems very likely the pattern is about to show up a lot of other places. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Editor’s note: I used Claude and ChatGPT to assist with research compilation, source discovery, and early draft structuring. All interviews, analysis, fact-checking, and final writing are my own. I remain responsible for every claim and conclusion.)

May 18th, 2026 | My Take | Top Stories