Ask Runable forDesign-Driven General AI AgentTry Runable For Free
Runable
Back to Blog
Technology9 min read

What election polling teaches us about ML-based email security | TechRadar

What election polling reveals about email security risks Discover insights about what election polling teaches us about ml-based email security | techradar.

TechnologyInnovationBest PracticesGuideTutorial
What election polling teaches us about ML-based email security | TechRadar
Listen to Article
0:00
0:00
0:00

What election polling teaches us about ML-based email security | Tech Radar

Overview

News, deals, reviews, guides and more on the newest computing gadgets

Start exploring exclusive deals, expert advice and more

Details

Unlock and manage exclusive Techradar member rewards.

Unlock instant access to exclusive member features.

Get full access to premium articles, exclusive features and a growing list of member rewards.

What election polling teaches us about ML-based email security

What election polling reveals about email security risks

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Like election polls, email security models hide uncertainty and struggle with rising AI complexity. (Image credit: Thapana Onphalai via Getty Images)

The margin of error is wider than your vendor is telling you. And the agentic inbox is about to make it catastrophically worse.

Two weeks before a major election, a respected polling organization publishes its latest numbers. Candidate A leads by three points. Margin of error: plus or minus four. The lead is smaller than the margin of error.

The headline says “Candidate A leads.” Millions of people form opinions based on a number that is statistically indistinguishable from a coin flip.

The fake Rolex problem: How AI turned amateur attackers into nation-state threats

Here are the Open Claw security risks you should know about

AI-created malware is on the rise – here's what your business needs to stay safe

Now replace “election result” with “this email is malicious” and “polling organization” with your email security platform.

When your email security system flags a message, somewhere behind that decision is a probability score. 0.73. 0.81. 0.67. Those numbers look precise. They are not. Behind every score is a confidence interval determined by the quality of the training data and the quantity of examples the model has seen for that specific attack class.

When both are high, the interval is narrow and the score is meaningful. When either is low, the interval widens. The model is telling you it is 73% confident with a margin of error it is not disclosing.

For high-volume, stable attack types like bulk phishing and malspam, training data is abundant. The model has surveyed millions of confirmed examples. The margin of error is small. But for the attacks that actually keep security leaders up at night, the picture is fundamentally different.

Adversary-in-the-Middle phishing works by placing a reverse proxy between the victim and a legitimate authentication service. The victim clicks a link, enters credentials, completes their MFA challenge, and authenticates successfully.

The proxy captures the live session cookie. The attacker now has authenticated access without needing the password. MFA is not broken. It is bypassed. The authentication event happened legitimately. The attacker just intercepted the proof of it.

Here is what makes this an ML detection problem of a different kind. The email that initiates the attack is often completely clean by every surface measure. The sending infrastructure may be legitimate. The URL may be a real Share Point link.

You can’t firewall a conversation: how AI red-teaming became mission-critical

It’s time cyber security understood human behavior and acted accordingly

Spotting the spyware: How modern spies are weaponizing phishing

The social engineering is contextually appropriate. There is no malicious attachment, no suspicious payload, no domain registered yesterday. Every signal ML models have been trained to recognize as indicative of malicious email is absent. The attack specifically engineers around those signals because the attackers understand exactly what the models are looking for.

And the training data problem compounds this. Ai TM at operational scale is only a few years old. The labeled sample for confirmed Ai TM-initiating emails is thin compared to commodity attacks.

Worse, the training data is systematically biased: models learn primarily from Ai TM variants that were eventually detected by other means and retrospectively labeled. The sophisticated variants that passed through undetected never entered the training set. They were not caught, so they were not labeled, so the model never learned from them.

This is the likely voter screen problem that breaks election polling. Pollsters who only reach people who answer their phones are not sampling the electorate. They are sampling people who answer their phones. Your Ai TM detector has the same structural flaw. It is modeling the attacks it could see, not the attacks it needed to catch.

The model is reporting a three-point lead with a four-point margin of error. Your dashboard just does not show you the margin of error column.

Your own IT decisions are breaking your baselines

These were reliable signals in a simpler world. The world is no longer simple.

Enterprise AI agents are being deployed at scale right now. Microsoft Copilot drafts and sends responses on behalf of users. Workflow automation agents process approvals. Scheduling agents manage calendar-adjacent email. Financial agents handle routine transaction communications. Some organizations already have multiple agents running concurrently on executive inboxes.

Think about what this looks like from the perspective of a behavioral baseline model. The human has a characteristic signature built over years: inconsistent timing, occasional typos, variable response latency. Emails from a phone in traffic look different from emails written at a desk. The signature is distinctly human.

The Copilot agent sends grammatically perfect, consistently formatted responses at sub-minute latency regardless of time of day. The scheduling agent fires at precise intervals. The financial workflow agent responds to trigger phrases with templated precision at whatever hour the condition is met. From the model’s perspective, the inbox now looks like three or four distinct actors operating through a single account.

This is operationally close to what a compromised account with an attacker-installed persistence layer looks like.

Security teams can partially mitigate this. You can label agent-generated activity explicitly in your detection pipeline, segment baselines by actor type, and build separate behavioral profiles for human and automated traffic. Some teams are already doing this.

But the mitigation only works if every agent is inventoried, every integration is tagged, and the labeling stays current as agents get added and updated. In practice, agent deployments outpace security team awareness of them. And if even one agent’s activity leaks into the human baseline unlabeled, the contamination compounds silently. The model absorbs agent behavior as human behavior. What was once anomalous becomes the new normal. The baseline shifts on compromised ground.

The harder structural problem remains: even with perfect labeling, you have expanded the definition of “normal account behavior” to include automated, off-hours, grammatically perfect, sub-minute-latency activity. A real attacker operating alongside legitimate agents now falls within that expanded definition. The behavioral signal surface has genuinely narrowed.

The best polling organizations do not abandon quantitative models when confidence intervals widen. They do something more disciplined. They acknowledge the uncertainty explicitly in how they communicate findings.

They triangulate against independent data sources rather than trusting a single model. They weigh certain signals more heavily when the model is operating outside its training conditions. And critically, they treat poll output as a prior probability, not a conclusion. The model tells you where to look. It does not tell you what to decide.

Secure email needs the same architectural relationship with ML output. A probability score should be the starting point of an assessment, not the end of one.

But I want to be honest about what this actually requires, because it is harder than it sounds and the industry has not solved it yet.

The questions that matter for catching the attacks described above are questions like: does this authentication request make sense given who sent it, who received it, what their relationship looks like, and what the organizational workflow normally requires at this step? Is the urgency framing consistent with how this counterparty has historically communicated? Would a reasonable, informed person who understood this organization’s context find this email suspicious even if every surface feature looks clean?

Those are not pattern matching questions. They are reasoning questions. And no one in the industry, including my own company, has fully closed the gap between what ML pattern matching can do and what contextual reasoning requires. We are all building toward it from different directions. Some approaches will work. Some will not. The honest assessment is that the problem is genuinely hard and the tools are still maturing.

What security leaders can do right now is stop treating detection scores as verdicts. Demand that your vendors disclose confidence intervals alongside probability scores. Instrument your agent deployments as security-relevant events with the same rigor you apply to new user provisioning.

Build your own retrospective analysis of what got through, because modeling the gap between detection and reality is more valuable than optimizing the detection you already have.

The margin of error is wider than your dashboard shows. The first step is making it visible.

Better understand cyber security with the best online cybersecurity courses.

This article was produced as part of Tech Radar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of Tech Radar Pro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

You must confirm your public display name before commenting

1 What is the release date for Dutton Ranch episode 4 on Paramount+?

2 The Terra Mow V1000 robot lawn mower is the perfect wire-free lawnbot for newbies and technophobes

3 Surfshark has dropped an exclusive deal for Tech Radar readers just in time for Memorial Day 2026 — here's how to claim your free Amazon gift card worth up to $30

4 From split-tunneling to post-quantum crypto: Nym VPN just had its biggest two-month update yet, and a fresh redesign is already on the way

5 Can you tell a bot from a human online? Surfshark's new experiment says nearly half of us cannot

Tech Radar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.

© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.

Key Takeaways

  • News, deals, reviews, guides and more on the newest computing gadgets
  • Start exploring exclusive deals, expert advice and more
  • Unlock and manage exclusive Techradar member rewards
  • Unlock instant access to exclusive member features
  • Get full access to premium articles, exclusive features and a growing list of member rewards

Cut Costs with Runable

Cost savings are based on average monthly price per user for each app.

Which apps do you use?

Apps to replace

ChatGPTChatGPT
$20 / month
LovableLovable
$25 / month
Gamma AIGamma AI
$25 / month
HiggsFieldHiggsField
$49 / month
Leonardo AILeonardo AI
$12 / month
TOTAL$131 / month

Runable price = $9 / month

Saves $122 / month

Runable can save upto $1464 per year compared to the non-enterprise price of your apps.

Start saving with Runable todayContact us for any pricing questions