Beyond Awareness: Why Social Engineering Is a Control Design Problem
- Date: Wednesday, June 10
- Time: 2 p.m. ET / 7 p.m. GMT
User awareness training has long been treated as the foundation of social engineering defense. But real-world attacks continue to succeed, even in organizations with mature training programs, phishing simulations, and security-conscious employees.
In this session, Alethe Denis, Senior Security Consultant II at Bishop Fox, shifts the conversation from how attackers deceive people to why business systems still allow impact when deception succeeds. Building on the themes explored in Tactics of Deception, this virtual session moves beyond the mechanics of persuasion and focuses on the workflows, identity signals, and control gaps that allow social engineering to become a compromise path.
Drawing from hands-on red team experience, Alethe will break down where defenses actually fail: over-trusted help desk processes, weak verification paths, low-friction approval workflows, exposed SaaS integrations, and escalation points where employees are forced to make security decisions without enough support. She’ll also examine how modern attackers are using AI, deepfakes, voice phishing, and targeted pretexting to increase the scale and realism of these attacks.
More importantly, this session focuses on what organizations can do about it. Attendees will learn how to rethink social engineering defense as a control design problem, where the goal is not to prevent every employee mistake, but to ensure one persuaded person cannot create disproportionate business impact.
Alethe will also discuss how red team assessments can validate whether controls hold up under real-world pressure, including scenarios involving AI-enabled deception, help desk impersonation, executive pretexts, and workflow abuse.
If your organization is ready to move beyond awareness training and build defenses that reduce actual impact, this session will offer a practical, field-tested perspective on what needs to change.