Social engineering remains one of the most persistent cybersecurity threats to corporate information systems, primarily because it exploits human cognitive processes rather than technical vulnerabilities. Despite substantial investments in advanced security infrastructures, employee behaviour continues to represent a critical point of failure, a challenge that has intensified with the emergence of artificial intelligence (AI)–driven social engineering attacks. AI-generated phishing, voice cloning, and deepfake impersonation enable highly personalized, context-aware, and scalable attacks that are increasingly difficult for users to detect. Central to the success of these attacks is the exploitation of cognitive biases, such as authority, urgency, familiarity, confirmation, and optimism biases, which systematically influence human judgment and decision-making in high-pressure corporate environments. This study examines how specific cognitive biases shape employee susceptibility to both traditional and AI-powered social engineering attacks within corporate IT environments. Drawing on cognitive psychology, human–computer interaction, and cybersecurity engineering frameworks, the research analyses the mechanisms through which biases affect user responses to deceptive digital interactions. It further investigates how AI-enhanced attack techniques amplify these vulnerabilities by mimicking legitimate communication patterns and dynamically adapting to user behaviour. The study evaluates the effectiveness and limitations of existing technical and human-centred security controls and highlights gaps in current organisational defence strategies that fail to adequately account for cognitive vulnerabilities. 
Based on these insights, the research proposes engineering-oriented mitigation strategies, including adaptive security training, cognitive-aware authentication mechanisms, behavioural analytics, and AI-driven detection systems, aimed at reducing user susceptibility and strengthening organisational resilience. By integrating human cognitive factors into security system design, this research contributes to the development of next-generation socio-technical cybersecurity models capable of countering both human error and AI-enhanced adversarial tactics.
Mya Franklin
Mya Franklin (Thu,) studied this question.
www.synapsesocial.com/papers/696b26d7d2a12237a934a1b1 — DOI: https://doi.org/10.5281/zenodo.18252365