The AI governance gap is widening rapidly as AI agents assume operational roles inside enterprise workflows, expanding the security perimeter faster than most organizations can mitigate exposure.

But the shift from security awareness training to human risk management is no longer where the governance conversation stops. The harder problem now is what happens when the human workforce is joined — and in some cases outnumbered — by autonomous agents that nobody fully cataloged or credentialed, according to Greg Kras (pictured), chief product officer at KnowBe4 Inc. The agents themselves have become the ungoverned endpoint — and unlike employees, they can multiply overnight.

“The fact that agents can beget agents — it becomes very interesting,” Kras said. “If you think of traditional human staffing, you usually know when you have a new person on your team, but with agents, an agent could spin up another agent or ingest a [Model Context Protocol server] that may or may not be what they should be doing.”

Kras spoke with theCUBE’s Scott Hebner at KB4-CON 2026, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how KnowBe4 is addressing the AI governance gap by extending human risk management into agentic AI security. (* Disclosure below.)

The AI governance gap meets the shadow AI problem

KnowBe4 has spent more than a decade building its platform from simulated phishing and security awareness training into what it now describes as a full human risk management platform — one that now extends explicitly to non-human digital workers, Kras explained. The same dynamics that drove unsanctioned browser adoption a generation ago are now playing out with AI, with the scale of invisible exposure being strikingly familiar as employees quietly adopt tools that never appeared on any inventory list.

“How many different AI applications does your organization use?” Kras said. “One or two? Okay, you forgot the word dozen — because that’s … when you start discovering: ‘I had no idea that we were doing that.’ You can’t measure it and you certainly can’t control it and protect it if you didn’t know it even existed.”

The company’s response on the human side of that equation is AIDA Orchestration, launched in Q1 2026 as the eighth agent in KnowBe4’s Artificial Intelligence Defense Agents suite. The system autonomously creates, schedules and personalizes phishing simulations and security awareness training at the individual user level. Early results show about a five-point drop in risk score — roughly a 15% reduction — for customers using the Orchestrator, with less manual effort than traditional program administration, Kras noted.

“I don’t care how good you are with your coworkers or your employees, you don’t know them all,” he said. “You want to make a program that’s accustomed to them — that’s what AIDA Orchestration’s capable of doing.”

On the agent governance side, KnowBe4 recently launched its Agent Risk Manager, which gives security teams real-time visibility into the AI agents operating across their environments — inventorying what they are, who is running them and what data they can reach. The product reflects the company’s three-pillar approach to agentic risk: visibility, accountability and control. Without the first, the other two are moot, Kras explained.

“As a company, you’re going to not do well if you shun AI because your competition is going to just eat your lunch,” he said. “But [the] same thing applies if you just open the doors without having any governance or control — you don’t know what’s happening in there.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of KB4-CON 2026:

(* Disclosure: TheCUBE is a paid media partner for the KB4-CON 2026 event. Neither KnowBe4, the sponsor of theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE