Why exposure monitoring is now a security essential

April 10, 2026

In this SJUK exclusive, Digital Content Editor Eve Goode speaks with James Mackay, CEO of MetaCompliance, about exposure monitoring.

How does exposure monitoring help organisations stay ahead of AI-driven threats like deepfakes?

Deepfakes are perhaps one of the biggest AI-driven threats.

Their ability to create highly believable impersonations of senior executives or colleagues, paired with real details like a legitimate work email address or leaked credentials from past breaches, makes the whole scenario feel credible right from the start. 

Exposure monitoring works by continuously scanning trusted breach databases, such as Have I Been Pwned, for your employees’ work email addresses and related information.

When a match appears – say from a recent data incident – it immediately alerts your security team with details on the breach, while automatically enrolling the affected employee in short, targeted training that explains exactly what data was exposed and the practical steps they should take to secure their account. 

This exposure data also flows directly into your organisation’s overall human risk score, giving CISOs a dynamic, real-time picture of which individuals or teams represent the highest risk for targeted impersonation attacks, allowing you to prioritise protections where they’re needed most.  

Can exposure monitoring protect against identity-based attacks using fake audio or video?

While exposure monitoring can’t prevent the technical creation of deepfake audio or video, it plays a crucial role in disrupting how effectively attackers can deploy the content by removing the real-world details bad actors rely on for credibility.

For instance, a fake video of your CEO requesting an urgent wire transfer becomes far more convincing if the accompanying email comes from a known corporate address that’s already been leaked in a breach. 

The system identifies these compromised work accounts by checking them against verified breach records, showing specifics like the breach name, what data was compromised (emails, passwords, etc.), the date it occurred and whether it’s still an active risk within your monitoring timeframe.

From there, security teams can take immediate action such as enforcing password resets, applying stricter verification for financial requests from those accounts, or providing tailored guidance to the affected users. 

When you layer on deepfake simulations as part of your training programme, those same high-risk employees gain hands-on experience in recognising how their exposed data could be weaponised, building a much stronger defence against identity-based social engineering.  

How do deepfake simulations improve employee awareness compared to traditional phishing training?

Traditional phishing training was designed for an era when scam emails often betrayed themselves through obvious errors like poor grammar and unfamiliar domains, so the focus was on teaching people to spot those surface-level flaws.

Modern AI-driven deepfakes have eliminated most of those telltale signs, producing synthetic audio, video or even emails that mimic trusted colleagues with startling realism, which means employees need to learn a different skill: questioning even the most convincing requests. 

Deepfake simulations address this by safely exposing staff to state-of-the-art fake content – for example, a realistic video of their line manager urgently asking for credentials or access to sensitive materials – all within their security awareness platform.

This experience shifts the training emphasis to practical verification habits, such as always confirming high-value instructions through a separate communication channel like a phone call, regardless of how legitimate the initial message appears. 

As these scenarios feel so real and memorable, employees internalise the lesson far better than they would from generic slide-based modules, preparing them to pause and verify in live situations where an attack could unfold rapidly. 

What new AI-related risk signals do you think companies should start monitoring now?

As AI accelerates both attack sophistication and workplace decision-making speed, the most actionable risk signals for CISOs will combine external breach intelligence with observable human behaviours to create a fuller picture of vulnerability. 

AI is making phishing and social engineering attacks significantly more convincing.

Deepfakes, AI-generated emails and credential-based attacks are increasingly difficult for employees to detect. This means the human layer of risk is more important than ever to monitor. 

Key signals CISOs should be tracking include unusual login patterns, credential exposure from third-party breaches, and whether employees are applying the security behaviours they have been trained on.

When a breach is detected, organisations need to be able to act fast, identifying affected users, triggering targeted training and prompting immediate remediation steps like password resets. 

How do you balance exposure monitoring with employee privacy and ethical concerns?

Balancing exposure monitoring with privacy requires implementing technical safeguards from the ground up, combined with transparent communication to maintain employee trust. 

The process starts by converting work email addresses into hashed codes – essentially scrambled, one-way strings that can’t be reversed to reveal the original – before any external checks occur.

Then, only a small, anonymised prefix of that hash, such as “3F2A9” from a much longer code, is sent to Have I Been Pwned using k-anonymity techniques, ensuring that neither MetaCompliance nor Have I Been Pwned can access or have any view of personal data such as email addresses, passwords or other identifiable information. 

The system then matches those results back to specific work accounts entirely within your own secure tenant, meaning only your authorised admins can see which employees are affected, while neither MetaCompliance nor the external breach service receives identifiable lists of individuals. 

Ethically, it’s important to frame this for staff as a protective measure – scanning publicly available breach data to identify and mitigate their personal exposure risks, then delivering supportive, breach-specific training rather than assigning blame for incidents beyond their control.

This helps position the programme as a benefit to their security rather than intrusive surveillance. 
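The hashing and prefix-only lookup described in the answer above, as an added example for this page (illustrative code written for the article, not MetaCompliance's or Have I Been Pwned's own implementation): the client hashes each work address locally, sends only the first five hex characters of the hash (the prefix length is taken from the “3F2A9” example above), and matches the returned bucket against the full hash inside its own environment, so the remote side sees prefixes and nothing else. SHA-1 as the hash function, the in-memory `BreachIndex` class standing in for the remote breach service, and the breach corpus are all assumptions constructed for the demo.

```python
"""
Added example of a k-anonymity range query against a breach index.
Assumptions (not from the interview or any vendor): SHA-1 as the hash,
a 5-hex-character prefix, an in-memory BreachIndex standing in for the
remote service, and a constructed corpus of made-up addresses and breaches.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # assumed: hex characters that leave the organisation per query
HEX_DIGITS = set("0123456789ABCDEF")


def hash_identifier(email: str) -> str:
    """Normalise (trim, lower-case) and SHA-1 the address. The address itself
    never leaves this process; only the hash is ever split and sent."""
    normalised = email.strip().lower()
    return hashlib.sha1(normalised.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple:
    """Prefix goes over the wire; suffix stays local for matching."""
    return full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]


# Constructed breach corpus for the demo: fictitious addresses and breaches.
# Each entry: (breach name, date, data classes exposed).
CONSTRUCTED_BREACH_CORPUS = {
    "alice@example.com": [("ExampleMart", "2021-03-04", ["Email addresses", "Passwords"])],
    "bob@example.com": [("ExampleMart", "2021-03-04", ["Email addresses", "Passwords"]),
                        ("ForumLeak", "2023-11-19", ["Email addresses", "Usernames"])],
    "carol@example.com": [("ForumLeak", "2023-11-19", ["Email addresses", "Usernames"])],
}


class BreachIndex:
    """Stands in for the remote breach service (assumption). It stores only
    hashes, bucketed by prefix, and request_log records exactly what the
    remote side learns from the client's queries."""

    def __init__(self, corpus: dict):
        self._buckets = defaultdict(dict)  # prefix -> {suffix: breaches}
        for email, breaches in corpus.items():
            prefix, suffix = split_hash(hash_identifier(email))
            self._buckets[prefix][suffix] = breaches
        self.request_log = []

    def range_query(self, prefix: str) -> dict:
        """Return every suffix in the bucket for this prefix. The server cannot
        tell which suffix, if any, the caller is interested in."""
        if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
            raise ValueError("prefix must be %d upper-case hex characters" % PREFIX_LEN)
        self.request_log.append(prefix)
        return dict(self._buckets.get(prefix, {}))


def check_exposure(emails, index: BreachIndex) -> dict:
    """Client side: hash locally, send only the prefix, match the suffix
    against the returned bucket inside the organisation's own environment.
    An address with no match (empty bucket or suffix absent) yields []."""
    findings = {}
    for email in emails:
        prefix, suffix = split_hash(hash_identifier(email))
        bucket = index.range_query(prefix)
        findings[email] = bucket.get(suffix, [])
    return findings


def disclosed_identifiers(index: BreachIndex) -> list:
    """Everything the remote side holds after a run: prefixes only."""
    return list(index.request_log)


if __name__ == "__main__":
    index = BreachIndex(CONSTRUCTED_BREACH_CORPUS)
    monitored = ["Alice@Example.com", "dave@example.com", "bob@example.com"]
    for email, hits in check_exposure(monitored, index).items():
        if not hits:
            print(f"{email}: no match in monitored breaches")
        for name, date, classes in hits:
            print(f"{email}: {name} ({date}) exposed {', '.join(classes)}")
    print("remote side saw only:", disclosed_identifiers(index))
```

The privacy guarantee rests on the size of each bucket: with a real index holding a very large number of hashes, every 5-hex-character prefix is shared by many records, so the prefix identifies nobody; in this toy corpus most buckets hold a single hash, so the code demonstrates the mechanism rather than the size of the anonymity set. Note also that the local match uses the full 40-character hash, so a near-miss in the bucket is never reported as exposure.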

Security Journal UK