For two decades, end-user phishing training has leaned on the same heuristics: watch for spelling errors, awkward phrasing, vague greetings. None of those signals reliably exist any more. Generative AI has made it trivial for a phishing operator to produce grammatically flawless, contextually accurate, individually tailored lures at scale.
The security-awareness response cannot keep pace by upgrading the heuristics. What can keep pace is structural: phishing-resistant authentication (FIDO2, Windows Hello, passkeys) that cannot be replayed against a fake page, no matter how convincing the page looks; Conditional Access policies that block sign-ins from unmanaged devices; Defender for O365 Safe Links rewriting URLs and checking them at click time; and impersonation protection on the email gateway.
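The reason a FIDO2/passkey assertion cannot be replayed from a fake page is that the browser writes the page's origin into the signed client data and the relying party refuses anything that does not match. The following is an added example, not code from the original post or from any library: a minimal relying-party check with constructed assertions, one from the real site and one from a lookalike domain, where `login.example.com` and the challenge bytes are assumed values.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                 # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed legitimate origin


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion(client_data_b64: str, auth_data: bytes,
                     expected_challenge: bytes) -> tuple:
    """Relying-party checks on clientDataJSON and authenticatorData.
    Returns (accepted, reason). Signature verification over
    auth_data || SHA-256(clientDataJSON) would follow these checks."""
    raw = b64url_decode(client_data_b64)
    client_data = json.loads(raw)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # A fresh server challenge stops replay of an old assertion.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or stale)"
    # The browser, not the page, fills in origin; a lookalike site cannot forge it.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    # authenticatorData = SHA-256(rpId) || flags || signCount || ...
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # UP flag: user presence
        return False, "user presence not asserted"
    return True, "accepted"


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON as the browser would emit it for `origin`."""
    body = json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()
    return b64url_encode(body)


CHALLENGE = b"\x01" * 32  # constructed server-issued challenge
# Constructed authenticatorData: rpIdHash, flags UP|UV (0x05), signCount 1.
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


def demo() -> tuple:
    legit = verify_assertion(make_client_data("https://login.example.com", CHALLENGE), AUTH_DATA, CHALLENGE)
    phish = verify_assertion(make_client_data("https://login-example.com", CHALLENGE), AUTH_DATA, CHALLENGE)
    return legit, phish
```

The browser also refuses to let a page use an rpId that is not a registrable suffix of its own origin, so the server-side origin check here is the second of two independent barriers.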
The user is still the target. But the user's actions stop being the last line of defence. The auth layer takes the weight instead.
