Unlike traditional manual campaigns, AIDA Orchestration acts as an always-on intelligence layer that continuously analyzes user behavior to deliver the most impactful security interventions at the exact moment they are needed.
For information on how to use AIDA Orchestration in our console, see our AIDA Orchestration Guide.
Why AIDA Orchestration Works
The main goal of AIDA is to make high-quality security training easier to manage while doing a better job of lowering risk than manual methods. By automating the daily work of testing and training, AIDA removes the complex setup usually required by admins. It uses real-time data to create a personalized experience that is more effective at reducing a learner's Risk Score than a one-size-fits-all approach.
Admins can choose a default plan or create a custom plan for user groups, and AIDA identifies the specific strengths and weaknesses of every learner, creating a highly personalized journey for each individual. This targeted approach ensures that every lesson and test is relevant, which is the most effective way to drive down your organization's Risk Score.
- Personalized for each user: Every person is different. AIDA personalizes the journey for each user to help lower their Risk Score. AIDA measures the risk reduction, which results in a lower Risk Score for both the user and the overall organization.
- Lowering risk where it matters most: Instead of guessing what might work, AIDA uses data to choose the best time, the best topic, and the right level of difficulty for each phishing test. This approach ensures the training is helpful and never too easy or too difficult.
- Saving you time: It would be impossible to create a custom campaign for every user. AIDA does this work automatically for you. This approach lets you focus on the big picture while AIDA handles the daily tasks.
- Better results with less effort: Since AIDA assigns training tailored to each user's specific needs, we can see measurable changes in an individual’s Risk Score and the organization overall.
AIDA Orchestration is powered by specialized agents that manage ongoing training, phishing Security Tests, and remedial training.
Ongoing Training Agent
The Ongoing Training Agent is designed to find and address knowledge gaps for each user. AIDA uses an individual’s Risk Score to identify key learning opportunities to help strengthen their security awareness knowledge and reduce their overall risk.
How AIDA Assigns Training
To decide what training to assign, AIDA looks at:
- Individual Risk Scores: AIDA uses an individual’s Risk Score to identify key learning opportunities to help strengthen their security awareness knowledge and reduce their overall risk.
- Past performance: AIDA looks at what a person has done in the past. It checks which training they have already finished and how well they did, ensuring it doesn't repeat old lessons.
- Training metadata: AIDA knows KnowBe4’s training content inside and out. It understands specific details about what each training module covers: topic, difficulty level, length, and more. By comparing this data against the individual needs of a user, AIDA is the best at finding the perfect match for the user's current needs.
- User Metadata: AIDA uses each user's job title and demographic data to personalize the training content it assigns. To get the most relevant recommendations, make sure your users' profiles include job titles. If a user's profile doesn't include a job title, AIDA won't apply job-based personalization to their training assignments. For help adding or updating user information, see the Users and Groups Management Guide.
Phishing Agent
The Phishing Agent automatically generates and sends realistic phishing tests to your users. These tests are safe examples of what a real attacker might send. By practicing with these simulations, users learn how to spot and report threats before they become a real problem for your organization.
Just-in-Time Template Generation
AIDA doesn't rely solely on a static library. Instead, it uses just-in-time (JIT) generation to create phishing content that's contextually relevant to the current threat landscape, as well as your organization and users. This feature ensures simulations reflect the real-world tactics your users are likely to encounter.
How AIDA Creates Phishing Tests
To make every test feel real, the agent looks at these key areas:
- Spoofing: AIDA uses spoofing to make phishing tests feel like the real messages a user sees every day. By mimicking trusted brands and senders, AIDA helps users practice recognizing when an attacker is trying to hide behind a familiar name to gain their trust.
  - Logo Spoofing: AIDA strengthens every phishing test by spoofing software and services familiar to your users. When generating a template, AIDA intelligently includes relevant brand logos to mirror the exact types of brand impersonation learners face in the real world. To further challenge your team, AIDA can vary the quality of these logos based on the test's difficulty level. These variations act as intentional red flags. This feature teaches learners that a familiar logo isn't enough to prove an email is safe and prepares them to spot the same sophisticated AI-generated tactics used by real attackers today.
  - Domain Spoofing: Real attackers often change or "spoof" the sender's domain to make an email look like it is coming from a trusted colleague or a known organization. AIDA uses domain spoofing to increase the realism of a test, helping users stay alert and carefully check the sender’s details before taking action.
    Note: If you want to prevent AIDA from spoofing specific domains, you can enable the Overwrite [[domain]] Placeholder setting in your account. This setting provides a managed workaround for how domains are displayed in your tests while still allowing AIDA to provide high-quality training. You can find this setting under Account Settings > Phishing Settings. See the Phishing Settings section of our KnowBe4 Console Account Settings: Phishing article.
- User susceptibility: AIDA uses data from a user’s phishing history to determine which types of phishing a user is most likely to fall for. Does the person struggle with fake links, or are they more likely to open a suspicious attachment? AIDA selects the specific type of threat that the person needs to practice most.
- User Metadata: AIDA uses each user's job title and demographic data to personalize the phishing tests it assigns. To get the most relevant recommendations, make sure your users' profiles include job titles. If a user's profile doesn't include a job title, AIDA won't apply job-based personalization to their training assignments. For help adding or updating user information, see the Users and Groups Management Guide.
- Context and timing: AIDA considers what is happening in the world to make simulations feel indistinguishable from actual threats. By analyzing current global trends, the time of year, and specific details about your organization, AIDA sends tests that make sense in the moment. Whether it’s a time-sensitive alert or a seasonal theme, this perfect timing captures a learner's attention when they are most likely to be tested by a real attacker.
- Performance history: AIDA tracks how well a user has done on past tests. If they are doing well, AIDA gradually increases the difficulty of the tests to keep them sharp. If they are struggling, it adjusts the difficulty to help them learn without being overwhelmed.
- Attack vectors: AIDA doesn't rely on a single attack vector. It uses every tool in the toolkit, including links, attachments, QR codes, and "reply-to" emails. This feature ensures users are prepared for every way an attacker might try to reach them.
Remedial Training Agent
The Remedial Training Agent acts as a safety net for your users. When someone makes a mistake on a phishing test, like clicking a link or downloading an attachment, this agent steps in to help. It provides a quick lesson right away so the user can learn from the mistake while it is still fresh in their mind.
Why AIDA Assigns Remedial Training
AIDA remediates the impact a phishing failure has on an individual's Risk Score through targeted training. AIDA assigns this training to turn a mistake into a learning moment. Instead of waiting for a monthly training session, the user gets help the moment they need it. This immediate feedback helps change behavior much faster because the person can clearly see what they missed and how to do better next time.
How AIDA Makes Decisions
To make sure the help is useful, the agent follows these rules:
- Failure-triggered assignments: Any phishing test failure (not just AIDA-managed ones) can trigger remedial training. This feature makes sure your users get the right help the moment they need it.
- Efficiency and deduplication: AIDA is designed to provide high-quality training without overwhelming the user. The system uses deduplication logic to ensure that training remains focused and manageable.
- Multi-event failure management: If a user makes more than one mistake within a single phishing test, such as clicking a link and then entering their password, AIDA will not assign multiple training modules.
- Targeted selection: Instead of assigning several lessons for one email, AIDA identifies and picks the single most relevant lesson to address the failure. This feature ensures the user can focus on the most important security concept without repetitive work.
- Failure type and vector: Assignments are tailored to the specific test (such as a Link or Attachment) and the specific type of failure that occurred.
- User training history: The agent reviews the user's training history over the last 90 days to ensure it doesn't assign the same module twice.
Best Practices for AIDA Orchestration
To get the best results from AIDA, it is important to let AIDA do what it does best: personalize the experience for your users. Use these tips to help the system lower your organization's risk more effectively.
- Let AIDA handle the timing: Using the AIDA Selected setting allows AIDA to pick the perfect moment to send a test or assign a lesson.
- Group users by their unique needs: Create separate plans for groups facing specific threats so AIDA can focus on their specific risks.
- Be intentional with plan priority: AIDA follows a specific order when it looks at your plans. Put your most specific plans at the top of the list.
- Limit manual campaigns: We recommend limiting the number of manual campaigns you run. By allowing AIDA to manage the majority of your phishing simulations and training, the system can more accurately track behavior and make adjustments. This feature allows AIDA to have a much greater impact on lowering your organization’s overall Risk Score.
- Watch your progress: Regularly check your activity under the Activity tab. This feature helps you see how AIDA is actually changing behavior and lowering the Risk Score for your entire organization over time.
Frequently Asked Questions
What happens if a user is in more than one plan?
AIDA uses a priority list to decide which plan to use. You can think of this like a leaderboard. If a user is in two different groups, the system will only follow the plan that is higher up on your list.
Will AIDA interrupt the manual phishing tests I already have scheduled?
No. AIDA works alongside your own tests and won't interfere with the campaigns you've created manually.
What happens if I disable AIDA Orchestration?
If you disable orchestration, it won't send any more phishing tests or assign new training. However, if a user already has a lesson assigned to their account, it will stay there until they complete it.
Can I keep certain people out of a specific plan?
Yes. You can use an Exclusion List. If you add a group to this list, AIDA will make sure those people are never included in that specific plan. This feature gives you total control over who receives which types of training.
What happens if someone isn't in any plan?
If a user doesn't fit into any of your plans, they are considered an unassigned user. You can see a list of these users on the Unassigned Users page. This feature makes it easy for you to see who still needs a plan, so everyone in your organization stays protected.