Phishing simulation click rates are a metric, not a security outcome. AI just made real phishing dramatically harder to spot. Your tests haven't caught up.
