By NHI Mgmt Group Editorial Team
Published 2026-06-26
Domain: Events
Source: Abnormal AI

TL;DR: Abnormal AI's CISO fireside chat argues that visible executives are easier impersonation targets and that social engineering remains effective because attackers can bypass controls by deceiving employees. The practical lesson is that identity and email controls must treat human trust as a live attack surface, not a perimeter side issue.


At a glance

What this is: A webinar on executive impersonation and social engineering argues that visible online presence and convincing scams make employee deception a persistent identity risk.

Why it matters: It matters because IAM, PAM, and human identity programmes must account for impersonation, approval fraud, and trust abuse, not just authentication failures.



Context

Executive impersonation is a human identity and social engineering problem, not just an email problem. When attackers can convincingly pose as a known executive, the control failure often happens after authentication, inside the approval and trust process that people rely on to move work forward.

Abnormal AI’s webinar frames that gap around a familiar but still under-controlled pattern: criminals exploit visibility, urgency, and familiarity to get employees to act against their normal safeguards. For identity teams, the lesson is that human decision points remain a security boundary, especially where email, chat, finance, and privileged approvals intersect.


Key questions

Q: How should security teams reduce executive impersonation risk?

A: Security teams should add verification steps that do not depend on recognising the sender, such as callback procedures, second-channel confirmation, and approval rules for sensitive requests. They should also treat executives and other visible leaders as higher-risk identity subjects because their public profile gives attackers better material for believable scams.

Q: Why do social engineering attacks still work against mature security programmes?

A: They work because mature controls often stop at authentication, while the real attack happens in the human approval layer. If a user can still be persuaded to reset access, approve a transfer, or disclose a code, the attacker has found a path around the technical perimeter through trust.

Q: What breaks when organisations rely on awareness training alone?

A: Training without workflow controls leaves employees responsible for detecting deception in real time, under pressure, and with limited context. That is not a reliable control for high-value requests. Organisations need policy, verification, and approval design that make a fake request harder to complete even when a user is uncertain.

Q: Who should own impersonation risk when it affects finance, help desk, and identity teams?

A: Ownership should be shared across IAM, PAM, security awareness, and the business functions that approve sensitive actions. The risk spans identity, messaging, and process controls, so it cannot be solved by one team alone. A common escalation path and control standard are essential.


Background and context

Executive impersonation and trust transfer

Executive impersonation works by transferring trust from the real identity to a convincing copy. Attackers study public signals such as speaking events, social profiles, and organisational charts, then reuse names, tone, and context to create a believable request. The technical problem is not authentication alone, but the fact that many business actions still depend on informal trust after authentication has already succeeded. Once an employee believes the request is legitimate, they may approve payments, reset access, or reveal data without a formal control challenge.

Practical implication: add verification steps for high-risk requests that do not depend on the sender’s claimed identity alone.

Social engineering bypasses control planes

Social engineering succeeds when the human approval layer becomes the easiest path around strong technical controls. Email security, MFA, and segmentation can all be present while the attacker still wins by persuading a user to disclose a code, approve a session, or follow a malicious instruction. In identity terms, the attack chain shifts from external access control to behavioural manipulation. That is why training alone is not enough unless it is paired with friction for sensitive actions and out-of-band confirmation for exceptions.

Practical implication: harden high-impact workflows with step-up verification, out-of-band callbacks, and approval policies that resist pressure tactics.

Why identity programmes must include human risk signals

Human identity governance often focuses on authentication strength and access reviews, but impersonation risk depends on how much an employee, executive, or approver is exposed online. The more public the persona, the richer the attacker’s material for crafting a targeted scam. This creates a governance issue across IAM, PAM, and security awareness: the organisation needs a way to treat public visibility, role sensitivity, and approval authority as part of identity risk, not as separate concerns. That is especially true for executives and finance approvers.

Practical implication: incorporate role visibility and approval authority into identity risk scoring for executives and other high-trust users.


NHI Mgmt Group analysis

Human identity risk now includes public persona exposure. Executive impersonation is not random phishing. It is a governance problem created when public visibility, role authority, and informal approval habits combine into an exploitable trust profile. Security teams should treat visible leadership presence as part of identity risk, because the attacker’s inputs are often already public.

Social engineering succeeds where security workflows still assume people can recognise legitimacy on sight. That assumption was designed for slower, less personalised attack campaigns. It fails when attackers can tailor requests from real-world signals in minutes and push employees to act before verification happens. The implication is that trust-based approvals need to be reclassified as high-risk identity events.

Approval abuse is the real control gap behind many impersonation attacks. The issue is not merely that users are fooled. The deeper failure is that business workflows often allow a single human judgement call to substitute for a stronger authentication or authorisation check. Practitioners should reframe executive impersonation as an identity governance and workflow assurance problem, not an awareness-only problem.

Human, email, and privileged access controls need a shared threat model. Abnormal AI’s framing makes clear that the same scam can move from inbox to finance to privileged action if those layers are governed separately. IAM, PAM, and security awareness teams need a common view of who can approve what, under what conditions, and with what verification burden.

Named concept: trust-transfer attack surface. This is the point where a legitimate identity’s reputation is used to move an attacker through human decision-making. It matters because the attack is not on authentication alone but on the trust the organisation places in a recognisable name, title, or request path. Practitioners should model that trust as an attack surface in its own right.


What this signals

The governance signal is straightforward: organisations that still separate human identity risk from impersonation, approval fraud, and executive visibility are under-modelling the attack surface. With only 1.5 out of 10 organisations highly confident in securing NHIs, the broader identity programme already shows that confidence does not track actual exposure.

Trust-transfer attack surface: the next phase of identity governance will be defined by whether teams can model how a legitimate name, title, or persona becomes an attack path. That means linking email security, IAM, PAM, and business process controls into one decision model rather than treating them as separate layers.

Security leaders should expect more attacks that blend impersonation with approved workflows, because the attacker does not need to defeat every control. They only need one human or one process that still treats familiarity as sufficient proof.


For practitioners

  • Add out-of-band verification for high-risk requests: require second-channel confirmation for payments, password resets, gift card requests, wire changes, and unusual access approvals. The control should be mandatory for sensitive actions and tied to role, not left to user discretion.
  • Treat executive visibility as an identity risk input: score public exposure, role authority, and approval privilege together when assessing who is most likely to be impersonated. Use that score to drive tighter controls for assistant, finance, and help desk workflows.
  • Harden help desk and privilege workflows against impersonation: use challenge steps, callback procedures, and manager approval for requests involving account recovery, MFA resets, or elevated access. Ensure the procedure does not rely on the caller sounding believable.
  • Align IAM and awareness around the same abuse cases: build training around actual scam paths that move from email to action, then map those paths to workflow controls. The goal is to reduce the number of human decisions that can authorise a high-risk change.
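The four practitioner points above can be expressed as one policy gate. The example below is added here and is not code from Abnormal AI or NHI Mgmt Group; the action list, step names, 0-3 scoring scales and the threshold of 7 are constructed assumptions. It binds required out-of-band steps to the action and to the claimed sender's impersonation score, and deliberately gives "the approver recognises the sender" and "the request is urgent" no influence on the decision.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    PAYMENT = "payment"
    WIRE_CHANGE = "wire_change"
    GIFT_CARD = "gift_card"
    PASSWORD_RESET = "password_reset"
    MFA_RESET = "mfa_reset"
    ACCESS_GRANT = "access_grant"


# Constructed policy table (an assumption, not a published standard): the out-of-band
# steps each sensitive action always requires, bound to the action, not to the approver.
REQUIRED_STEPS = {
    Action.PAYMENT: {"callback_known_number"},
    Action.WIRE_CHANGE: {"callback_known_number", "manager_approval"},
    Action.GIFT_CARD: {"callback_known_number"},
    Action.PASSWORD_RESET: {"callback_known_number"},
    Action.MFA_RESET: {"callback_known_number", "manager_approval"},
    Action.ACCESS_GRANT: {"manager_approval", "ticket_reference"},
}
HIGH_RISK_SUBJECT = 7  # assumed threshold on the 0-9 score from impersonation_risk()


@dataclass
class Subject:
    name: str
    public_visibility: int   # 0-3: how much of the persona is public
    role_authority: int      # 0-3: how much weight the title carries
    approval_privilege: int  # 0-3: what the role can authorise on its own


def impersonation_risk(s: Subject) -> int:
    """Combine the three inputs named in the text into one 0-9 score."""
    return s.public_visibility + s.role_authority + s.approval_privilege


@dataclass
class Request:
    claimed_sender: Subject
    action: Action
    completed_steps: set
    urgent: bool = False                      # pressure tactic: never lowers the bar
    approver_recognises_sender: bool = False  # familiarity: deliberately ignored


def decide(req: Request) -> tuple:
    """Return ('allow', []) or ('hold', [missing steps]); recognition and urgency play no part."""
    required = set(REQUIRED_STEPS.get(req.action, set()))
    if impersonation_risk(req.claimed_sender) >= HIGH_RISK_SUBJECT:
        required.add("second_channel_confirmation")
    missing = sorted(required - req.completed_steps)
    return ("hold", missing) if missing else ("allow", [])
```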

Key takeaways

  • Executive impersonation turns human trust into an identity control problem, which means inbox security alone will not close the gap.
  • The webinar reinforces that deception succeeds where approval workflows still rely on recognition, urgency, and informal trust.
  • Teams should harden high-risk approvals, combine IAM and PAM governance, and treat public persona exposure as part of identity risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST CSF 2.0                 | PR.AC-1             | Identity verification is central when attackers impersonate trusted users.
NIST SP 800-63               |                     | Human-facing identity assurance underpins resistance to impersonation.
NIST Zero Trust (SP 800-207) | PR.AC-4             | Continuous verification matters when trust can be manipulated socially.

Use stronger authentication and step-up verification for sensitive access and approval paths.


Key terms

  • Executive impersonation: Executive impersonation is a social engineering tactic where an attacker poses as a senior or trusted person to influence decisions or approvals. The goal is not always account takeover. It is often to exploit authority, urgency, and familiarity to make a person bypass normal checks.
  • Trust-transfer attack surface: The trust-transfer attack surface is the point at which a legitimate identity's reputation is used to move an attacker through human decision-making. It appears when employees rely on a name, role, or familiar communication style instead of a stronger verification step before acting.
  • Approval abuse: Approval abuse is the misuse of normal business authorisation steps to complete a harmful action, such as a payment, reset, or access change. The weakness is usually procedural rather than technical, because the attacker only needs one approving human to treat a malicious request as valid.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: CISO Fireside Chat on hacking and cybersecurity in a new era. Read the original.
