TL;DR: Audacy, operating more than 200 affiliate stations, replaced a traditional email gateway approach because legacy defenses could not keep pace with evolving email threats, according to Abnormal AI. The broader lesson is that email security now depends on behaviour-based detection and governance, not perimeter assumptions.
At a glance
What this is: This webinar frames Audacy’s move away from a traditional gateway as a response to email security controls that no longer scaled with its distributed workforce and threat environment.
Why it matters: It matters to IAM and security teams because email remains an identity-driven control plane, and weak detection around user behaviour, inbox abuse, and access pathways can undermine both human and machine identity programmes.
By the numbers:
- Audacy, operating 200+ affiliate stations, replaced a traditional gateway solution with Abnormal to address evolving email threats.
Context
Email is still one of the most sensitive identity surfaces in the enterprise because it sits at the junction of user trust, message delivery, and access to downstream systems. When a company with more than 200 affiliate stations says its legacy gateway no longer fits the threat environment, the deeper issue is not just email filtering. It is whether security controls can still distinguish benign activity from attack behaviour at the speed and scale of modern abuse.
For IAM and security leaders, the real governance question is how much protection depends on static perimeter logic versus behaviour analysis across users, inboxes, and connected accounts. That matters not only for human identity programmes, but also for environments where compromised mailboxes become stepping stones into broader access paths, delegated accounts, and identity-linked workflows.
Key questions
Q: How should security teams evaluate email security beyond traditional gateway filters?
A: They should test whether controls can detect behaviour after delivery, not just inspect content at the perimeter. The key question is whether the platform can spot impersonation, thread hijacking, and abnormal sender behaviour in real communication flows. That is where modern abuse lives, especially in large distributed organisations with many trusted relationships.
Q: Why do large distributed organisations struggle with legacy email security models?
A: Large organisations create more communication paths, aliases, shared mailboxes, and delegated trust relationships, which makes normal behaviour harder to define. Legacy gateways are poor at understanding this context. The result is that malicious activity can look legitimate if the message itself is clean and the abuse happens inside an established trust channel.
Q: What do security teams get wrong about email as an identity control surface?
A: They often treat email as a content problem instead of an identity problem. In practice, email is tied to user trust, delegated access, and downstream workflows, so abuse can become a gateway to broader compromise. A control that only blocks messages cannot govern how trust is used once it exists.
Q: Who is accountable when email abuse bypasses perimeter defenses?
A: Accountability sits with the teams responsible for identity, messaging, and detection governance together. If security relies only on gateway filtering, it has accepted a narrow control model that cannot cover impersonation or post-delivery abuse. Frameworks such as the NIST Cybersecurity Framework and identity lifecycle practices help define shared responsibility.
Background and context
Why legacy email gateway models miss modern attacker behaviour
Traditional email gateways were built to inspect messages at the perimeter using rules, signatures, and reputation-based controls. That model works poorly when attackers use living-off-the-land techniques, credential theft, thread hijacking, or trusted sender abuse, because the message itself can appear legitimate while the behaviour behind it is malicious. Behaviour-based email security shifts the signal from the message alone to the pattern of sending, replying, impersonation, and account interaction. In practice, that means detection has to understand abnormal communication context, not just suspicious content.
Practical implication: teams should assess whether their email controls can detect behaviour anomalies after delivery, not just block suspicious mail at the edge.
Why scale changes the email identity problem
Audacy’s size matters because distributed organisations create more identity edges, more mailbox relationships, and more ways for attackers to blend in. Once email becomes a high-volume identity channel across affiliates, the challenge is no longer simple spam suppression. It becomes governance of who can communicate, impersonate, or pivot through trust relationships without being noticed. In that environment, static gateway controls struggle to keep pace with the volume and variation of normal communication patterns.
Practical implication: security teams should test email protection against multi-site, high-relationship environments where normal behaviour is diverse and hard to baseline.
Behavioural detection versus perimeter defense in email security
Behavioural detection looks for deviations in sender intent, conversation flow, inbox interaction, and account activity. Perimeter defense assumes risky content can be identified before delivery. Those are different detection models, and only the first can surface attacks that exploit trust already established inside the mailbox environment. For practitioners, this is a governance issue as much as a tooling issue, because the control objective moves from blocking emails to monitoring identity-driven abuse paths.
Practical implication: align email security requirements to identity abuse scenarios, not just message threat categories.
NHI Mgmt Group analysis
Legacy email gateways fail when attackers no longer need to look malicious at the perimeter. The core problem is not delivery; it is trust manipulation after delivery. Behavioural controls become necessary because identity abuse increasingly happens inside the communication flow, where static filters have little context. Practitioners should treat email as an identity governance surface, not just a messaging channel.
Identity trust debt: when organisations keep inheriting communication trust they no longer actively verify, attackers exploit the gap between approved relationships and actual behaviour. A large distributed organisation amplifies that debt because more affiliates, aliases, and human trust paths create more room for impersonation and conversation hijacking. The lesson is that security must track trust drift, not only message risk. Practitioners should map where inherited trust exceeds current verification.
Behaviour-based email security is becoming the practical bridge between human IAM and wider NHI governance. Mailboxes, service addresses, and delegated workflows all rely on identity-linked communication patterns that can be abused once trust is established. That makes email security part of the broader identity fabric, especially where compromised human accounts become launch points into automated workflows or shared service identities. Practitioners should align email detection with identity lifecycle and access review discipline.
The strategic shift is from perimeter certainty to continuous behavioural assurance. Legacy gateways assume security can be decided before delivery, but modern email abuse often unfolds through interaction over time. This changes the category from content filtering to runtime assurance, where the question is whether the organisation can still tell normal from abnormal once trust has already been granted. Practitioners should re-evaluate which email controls are truly identity-aware.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%, according to the same report.
- That gap makes lifecycle control central, so practitioners should also review the NHI Lifecycle Management Guide for rotation, offboarding, and visibility discipline.
What this signals
Identity trust debt: organisations that keep adding communication channels without revalidating trust paths will keep seeing email security failures that look like content problems but behave like access problems. Behaviour-based detection is becoming the minimum viable control where static gateway logic cannot keep up.
The programme implication is clear for IAM, PAM, and collaboration owners: mailbox permissions, delegated access, aliases, and forwarding rules now need the same lifecycle discipline applied to other identity assets. The teams that do not connect those dots will keep treating an identity control failure as a messaging nuisance.
As email abuse increasingly overlaps with account takeover and downstream workflow abuse, practitioners should align their detection roadmap with identity lifecycle governance, and read the Anthropic AI-orchestrated cyber espionage report for a view of how trusted tool use and communication abuse can combine.
For practitioners
- Audit email controls for post-delivery detection: Test whether your current stack can identify thread hijacking, reply-chain abuse, and sender impersonation after a message is delivered. If it cannot, you are relying on perimeter judgement alone, which is weak once trust is established inside the mailbox.
- Map identity trust paths across mail and collaboration tools: Document which users, shared mailboxes, delegated accounts, and automation-linked inboxes can influence downstream action. Focus on where inherited trust exists without current verification, especially across affiliates or business units.
- Tie email security to access review and lifecycle governance: Review which mailbox permissions, aliases, forwarding rules, and delegated access paths are still valid and whether they are recertified on a schedule. Include shared and service mailboxes in the same governance cycle as human access.
- Benchmark behavioural controls against real attack patterns: Run tests using phishing, impersonation, and conversation-hijack scenarios to see whether the system flags abnormal communication patterns rather than just blocked content. Measure alert quality against identity abuse scenarios, not spam volume.
Key takeaways
- Audacy’s move away from a traditional gateway highlights a basic truth: email security fails when behaviour changes faster than perimeter rules can adapt.
- The practical gap is identity trust, because attackers exploit trusted communication paths after delivery rather than only sending obviously malicious content.
- Teams should treat email protection as part of identity governance, with lifecycle review, delegated access control, and behavioural detection working together.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Email access and trusted communications are identity control surfaces. |
| NIST Zero Trust (SP 800-207) | PA | Behaviour-based email defense supports continuous verification after trust is granted. |
| NIST SP 800-63 | | Mailbox abuse often starts with identity compromise and trusted account misuse. |
Map mailbox permissions and delegated access to PR.AC-4, then recertify the paths that can trigger downstream action.
Key terms
- Behaviour-based email security: A security approach that judges email risk by how messages and accounts behave over time, not only by content or sender reputation. It looks for unusual reply patterns, impersonation signals, and identity-linked anomalies that traditional perimeter filters often miss.
- Identity trust debt: The accumulation of trusted relationships, delegated access, and inherited communication paths that are no longer actively verified. In email environments, this creates a gap between who is believed to be trusted and who is actually operating within current governance boundaries.
- Mailbox delegation: A control arrangement where one identity can act on behalf of another through shared access, forwarding, or administrative permissions. It is a legitimate operational pattern, but it expands the attack surface unless lifecycle review and access recertification are maintained.
This post draws on content published by Abnormal AI: A Higher Frequency, how Audacy stops audacious attackers with Abnormal. Read the original.
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org