Executive Summary
As artificial intelligence agents increasingly participate in organisational cyber risk landscapes, a critical question emerges: Can the behavioural frameworks we have developed to understand human cyber risk apply to AI agents? Behavioural Convergence Theory (BCT) represents ongoing research investigating this fundamental question, exploring how established human behavioural science frameworks can be meaningfully extended to understand and manage AI agent behaviour in cybersecurity contexts.
Initial findings suggest remarkable convergence: approximately 69% of core behavioural factors demonstrate strong analogical relationships between human and AI agent behaviour, whilst 31% require adapted approaches that account for the unique characteristics of artificial intelligence systems. These preliminary findings will be put to rigorous empirical testing this year, with results expected to either validate or refine our current theoretical position.
The Research Challenge
The Changing Cyber Risk Landscape
The cybersecurity threat landscape has traditionally focused on human behaviour, seeking to understand why people click phishing links, share passwords, or bypass security protocols. Approaches such as Human Cyber Risk Management (HCRM) have provided robust theoretical foundations for understanding and addressing the behavioural dimensions of cyber risk. These frameworks have served organisations well, offering structured approaches to identifying, assessing, and mitigating risks that stem from human actions and decisions.
However, organisations now face a new reality: AI agents are becoming active participants in cyber risk scenarios. These agents make decisions, interact with systems, process sensitive data, and can introduce or mitigate cyber risks through their behaviour. They operate with increasing autonomy, learning from interactions, and adapting their responses in ways that mirror, yet fundamentally differ from, human behavioural patterns. This evolution raises fundamental questions that challenge our existing frameworks.
Do the behavioural factors that predict human cyber risk apply to AI agents? Can we use established behavioural science frameworks to understand AI decision-making in security contexts? Where do human and AI behavioural patterns converge, and where do they diverge? Most importantly, can we develop a unified theoretical lens that accounts for both populations without losing sight of their essential differences?
The Need for Theoretical Integration
Without a coherent theoretical framework bridging human and AI behaviour, organisations face fragmented approaches to cyber risk management. They must maintain separate models, separate controls, and separate assessment methodologies for human and AI agents. This fragmentation creates gaps in security postures and inefficiencies in risk management. Security teams find themselves speaking different languages when discussing human versus AI risks, making it difficult to develop holistic risk assessments or integrated control strategies.
Moreover, the interactions between human and AI agents create new risk vectors that neither framework alone adequately addresses. An AI agent might be exploited to influence human behaviour, or human actions might inadvertently compromise AI systems. These convergent risk scenarios demand theoretical frameworks that can account for both populations simultaneously.
Behavioural Convergence Theory seeks to address this challenge by investigating whether and to what extent behavioural frameworks can provide a unified lens for understanding both human and AI-agent behaviour in cybersecurity contexts.
Theoretical Foundations
Building on Human Cyber Risk Management
BCT is grounded in established HCRM research, which identifies behavioural factors across multiple dimensions that interact to create cyber risk or resilience.
The cognitive layer encompasses individual psychological factors, including awareness, knowledge, attitudes, and cognitive biases that influence security-related decisions. At this foundational level, we examine how individuals perceive threats, process information about risks, and form judgements that guide their actions.
The behavioural layer captures observable actions and practices, including habits, skills, compliance behaviours, and decision-making patterns. This is where psychological factors manifest in concrete actions, where awareness translates into practice, and where skills determine capability.
Moving outward, the social layer addresses interpersonal and group dynamics, including social norms, peer influence, trust relationships, and communication patterns. Security behaviour rarely occurs in isolation. People make decisions within social contexts, influenced by what they observe others doing, what their peers expect, and what their organisations signal as important.
Finally, the organisational layer captures structural and cultural factors, including security culture, leadership, policies, and organisational learning mechanisms. This outermost layer shapes all the others, creating the context within which cognitive processes develop, behaviours emerge, and social norms take hold.
The Core Proposition of BCT
Behavioural Convergence Theory proposes that many of the behavioural mechanisms identified in human cyber risk frameworks have meaningful analogues in AI agent behaviour. The theory rests on three core propositions:
Analogical transfer suggests that behavioural factors can be meaningfully mapped from human to AI contexts where similar functional relationships exist, even if the underlying mechanisms differ substantially.
Adaptive extension recognises that some factors require conceptual adaptation to account for the unique characteristics of AI systems whilst maintaining the core behavioural construct.
Convergent outcomes proposes that, despite different underlying mechanisms, human and AI behaviours may converge on similar outcomes in cyber risk scenarios, enabling unified risk management approaches.
Key Research Findings
Strong Analogical Relationships
Our research has identified eleven behavioural factors, representing 69% of the total, where strong analogies exist between human and AI agent behaviour. Within the cognitive layer, awareness in humans requires conscious attention to threats. For AI agents, this translates into trained recognition patterns and threat-detection capabilities. Attitudes in humans reflect risk tolerance and security priorities. AI agents exhibit analogous characteristics through configuration parameters and decision thresholds. Cognitive biases show strong analogies, with human biases stemming from evolutionary heuristics, whilst AI systems exhibit analogous biases emerging from training data and algorithmic design.
In the behavioural layer, habits represent automatic, learned responses. AI agents similarly develop default behaviours and learned patterns through training. Skills represent competencies to perform security-relevant tasks, mapping directly to AI capabilities and trained proficiencies. Compliance finds its parallel in AI alignment with specified rules and constraints.
The social layer shows surprising convergence. Social norms influence AI agents through training on human-generated data and through norms embedded in their design. Peer influence in humans parallels AI transfer learning and multi-agent interactions. Communication parallels AI data sharing and multi-agent communication protocols.
At the organisational layer, security culture influences both human behaviour and AI system design priorities. Organisational learning applies to both human workforce development and AI continuous learning processes.
Adapted Approaches
Five behavioural factors, representing 31% of the total, require more significant adaptation. Knowledge in humans involves declarative understanding, whilst AI systems require structured knowledge representation that functions quite differently. Trust presents an interesting case, with human interpersonal trust involving emotional bonds, whilst AI trustworthiness is assessed through reliability metrics. Leadership in human contexts involves influence and motivation, whilst AI governance requires different oversight mechanisms. Policies and procedures create perhaps the starkest difference, with humans interpreting policies through natural language and judgment, whilst AI agents implement encoded rules. Reporting and feedback mechanisms in humans involve judgment and context, whilst AI logging capabilities are more comprehensive but less interpretive.
No Limited Analogies
Significantly, no behavioural factors were classified as having limited analogy, suggesting that all core behavioural constructs can be meaningfully extended to AI agents, though some require more substantial adaptation than others.
Empirical Testing and Future Validation
Testing Programme for 2026
The theoretical framework outlined above represents our current research position. However, theory must be tested against empirical reality. This year, we are undertaking a comprehensive programme of empirical research designed to validate, refine, or potentially refute key propositions of Behavioural Convergence Theory.
Expected Outcomes and Reporting
We anticipate reporting initial findings from this testing programme later this year. These findings may support our current theoretical position, validating the strong analogies we have identified and confirming that adapted approaches work as expected. Alternatively, our findings may challenge aspects of the current theory. We may discover that some factors we classified as having strong analogies actually require more significant adaptation.
Either outcome advances knowledge. Validation provides organisations with confidence in applying BCT principles. Refinement or refutation drives theoretical development, helping us understand more precisely where and how human behavioural frameworks can inform the security of AI agents. Our commitment is to transparent, rigorous research that follows the evidence wherever it leads.
Conclusion
Behavioural Convergence Theory represents a significant step toward understanding the behavioural dimensions of cyber risk in an era where both humans and AI agents participate in organisational security landscapes. Yet theory without empirical validation remains speculative. The comprehensive testing programme launching this year will provide crucial evidence about whether these theoretical propositions hold in practice. We anticipate returning with findings that will either strengthen confidence in BCT's core propositions or drive important refinements to the framework.
About This Research: This insights article presents Behavioural Convergence Theory as ongoing research at CyBehave Ltd. Findings should be considered preliminary and subject to validation through empirical testing currently underway. Results from our 2026 testing programme will be reported as they become available.