Email offboarding

The process of closing or transferring email access when a user leaves or changes role. For identity governance, it includes mailbox closure, forwarding removal, and revocation of delegated access so a departed identity cannot continue to speak for the organisation.

Expanded Definition

Email offboarding is the controlled removal, transfer, or restriction of mailbox access when a person leaves, changes function, or no longer needs to represent the organisation. In NHI governance, it is not limited to disabling a login. It also covers mailbox delegation, shared inbox permissions, forwarding rules, group memberships, auto-replies, and any connected workflow or application that can still send mail under the departed identity. That makes it closely related to identity lifecycle management, as described in the NHI Lifecycle Management Guide, and to the broader lifecycle controls discussed in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.

Definitions vary across vendors depending on whether email offboarding is treated as a pure HR exit task or as an access governance control. NHI Management Group treats it as both, because mailbox continuity can preserve operational knowledge while also creating a path for impersonation if delegation is not revoked. The security objective is to ensure that no stale identity can continue to speak for the organisation, whether directly through the mailbox or indirectly through retained forwarding and delegated send privileges. The NIST Cybersecurity Framework 2.0 aligns with this approach through its identity and access governance discipline. The most common misapplication is closing the inbox while leaving forwarding, delegation, or application-linked mail permissions active, which occurs when offboarding is treated as a single system action rather than a coordinated access review.

Examples and Use Cases

Implementing email offboarding rigorously often introduces coordination overhead, requiring organisations to balance fast account closure against continuity for customers, legal hold, and business handoff needs.

  • A departing sales director’s mailbox is converted to a shared team resource, but send-as rights are removed first so the former identity cannot continue responding to customers.
  • An engineer leaving a project has all mailbox forwarding and delegated access revoked, while critical operational threads are transferred to a managed team inbox.
  • A contractor’s email account is disabled on the final day, and any calendar-linked rules, aliases, and third-party integrations are checked to prevent residual access.
  • A merger transition uses controlled mailbox retention for records, but the organisation verifies that only authorised administrators can access the archive and that no outbound impersonation path remains.
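The coordinated review behind these cases, as an added example that is not part of the original guidance: a Python audit over an exported mailbox snapshot that reports every residual receive or send path a disabled login leaves behind. The snapshot schema, addresses and application name are constructed for this example; read access for an approved handoff team is allowed, send-as and send-on-behalf never are, matching the shared-mailbox conversion in the first bullet.

```python
from dataclasses import dataclass, field

@dataclass
class MailboxState:
    """Snapshot of a departed user's mailbox (assumed schema, not a vendor export format)."""
    address: str
    login_disabled: bool
    forwarding_to: str = ""                          # mailbox-level forwarding target
    inbox_rules: list = field(default_factory=list)  # {"name", "forward_to", "redirect_to"}
    send_as: list = field(default_factory=list)      # identities allowed to send as this address
    send_on_behalf: list = field(default_factory=list)
    full_access: list = field(default_factory=list)  # identities allowed to open the mailbox
    groups: list = field(default_factory=list)       # groups that still list this address
    app_grants: list = field(default_factory=list)   # {"app", "scopes"} for connected apps

def residual_access_paths(state, approved_readers=frozenset()):
    """Every path by which the departed identity can still receive or send mail.
    An empty list means offboarded rather than merely disabled."""
    findings = []
    if not state.login_disabled:
        findings.append("login still enabled")
    if state.forwarding_to:
        findings.append(f"mailbox forwarding to {state.forwarding_to}")
    for rule in state.inbox_rules:
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        if targets:
            findings.append(f"inbox rule '{rule['name']}' delivers to {', '.join(targets)}")
    # Send-as / send-on-behalf let someone speak as the departed identity: never acceptable,
    # even for the team that inherits the mailbox as a shared resource.
    for who in state.send_as + state.send_on_behalf:
        findings.append(f"send privilege granted to {who}")
    # Read access is a legitimate handoff only for explicitly approved recipients.
    for who in state.full_access:
        if who not in approved_readers:
            findings.append(f"unapproved full access for {who}")
    for group in state.groups:
        findings.append(f"still a member of {group}")
    for grant in state.app_grants:
        if any("send" in scope.lower() for scope in grant.get("scopes", [])):
            findings.append(f"application '{grant['app']}' can still send as this mailbox")
    return findings

# Constructed sample: a sales director's mailbox after the login was disabled but before
# the rest of the offboarding review ran.
DEPARTED = MailboxState(
    address="director@example.com", login_disabled=True, forwarding_to="director.home@example.net",
    inbox_rules=[{"name": "Escalations", "redirect_to": ["director.home@example.net"]}],
    send_as=["sales-team@example.com"], full_access=["sales-team@example.com"],
    groups=["all-staff@example.com"],
    app_grants=[{"app": "CRM connector", "scopes": ["Mail.Read", "Mail.Send"]}],
)
```

Run `residual_access_paths(DEPARTED, approved_readers={"sales-team@example.com"})` to list what still has to be revoked; the team's read access passes, the send-as grant to the same team does not.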

These workflows are easier to govern when tied to the lifecycle patterns documented in the Top 10 NHI Issues, especially where shared operational identities and delegated access overlap. For access-risk thinking, the NIST Cybersecurity Framework 2.0 remains a useful reference for disciplined account deprovisioning and access revocation.

Why It Matters in NHI Security

Email offboarding matters because email is often the most trusted outward-facing identity channel in the organisation. If it remains active after role change or departure, an attacker, insider, or inattentive administrator can exploit it to reset passwords, approve invoices, request access, or authenticate into downstream systems. In NHI environments, the risk is amplified when email is used for alerts, approvals, or human-in-the-loop escalations that indirectly authorise machine or service access. NHIMG research shows how quickly exposed credentials can be acted on: attackers attempt access within an average of 17 minutes after AWS credentials are exposed publicly, which underscores how little time organisations have once a mailbox or forwarding path becomes exposed. The operational lesson aligns with the broader lifecycle discipline described in the NHI Lifecycle Management Guide and the threat patterns discussed in the source article by Entro Security, LLMjacking: How Attackers Hijack AI Using Compromised NHIs.

Email offboarding also supports the controls around secret exposure and account misuse highlighted in The State of Secrets in AppSec, because inboxes frequently contain password resets, API key notices, and authorisation workflows. Organisations typically encounter the consequence only after a former user successfully receives a sensitive notification or a fraudulent request is traced back to a still-active mailbox, at which point email offboarding becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers stale access and secret exposure risks tied to NHI lifecycle failures. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed and removed when employment or role changes. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification and no implicit trust in stale identities. |

Treat departed mail access as untrusted and revalidate every downstream privilege.