User vigilance is not a suitable defense strategy against AI-generated phishing attacks; instead, organizations should structure their processes by trust levels and continuously review fast paths.
NIS2 requires organizations to ensure that security awareness functions in real work situations and does not remain merely theoretical knowledge: the focus is on behavioral change rather than compliance documentation.