Nah, I expect a human to do various things. Examples below, sorted by decreasing preference and increasing complexity:
* Compare the security question's answer with a brain vs. strict equality ("Is the answer provided by the person essentially the correct one, spelling ignored?"). Right now the account is (forever?) inaccessible although the correct answer is known. It's a name of a place. She could provide GPS coordinates. For some reason she cannot come up with her original way of answering the question and you're very heavily rate limited, so she was able to try a couple variations only.
* Potentially validate the former password (if that is stored somewhere) or metadata ("I changed the password on day X, local time was around ...")
* Ask specific questions about account access or emails (last resort, but still better than losing the account forever imo)
