A Systematic Review of Residual Risk in Cybersecurity Awareness Training
Author: Venkat Laxmi Sateesh Nutulapati
Date: 13 April 2026
Cybersecurity awareness training is central to both education and practice, yet persistent human error continues to expose organizations to breaches. AI-enabled attacks such as deepfakes, voice-cloned vishing, and automated spear phishing make these human vulnerabilities even more consequential. This systematic review synthesizes 26 studies (2008–2025) spanning varied designs and training formats, from gamified learning and face-to-face sessions to e-learning, nudges, and simulated phishing. We introduce a residual-risk framework to capture outcomes that traditional effectiveness measures overlook. Residual Insecure Behavior (RIB) is the percentage of participants who continued risky practices after training, while Residual Knowledge Gap (RKG) is the share of knowledge deficits that persisted. Across studies, improvements were common, but residual risk remained significant: phishing susceptibility often exceeded 10%, and knowledge gaps frequently surpassed 30%. Gamified approaches showed stronger behavioral effects, while conventional methods often raised awareness but left large gaps. For educators, these findings underscore that statistically significant gains can mask enduring weaknesses. By teaching and applying RIB and RKG, instructors can help students, practitioners, and organizations focus not only on learning outcomes but on reducing real-world exposure in an AI-driven threat landscape.