Phishing has been the leading initial access vector for enterprise breaches for over a decade. Security awareness training — the annual compliance exercise that organizations deploy to satisfy auditors and reduce cyber insurance premiums — has been the dominant organizational response for the same period. The training has not significantly reduced phishing click rates in most organizations. The reasons are structural, not motivational, and the solutions require technical controls rather than behavioral ones.