TL;DR: Delta Dental’s security programme is framed around business email compromise and invoice fraud, with controls designed to protect 80 million members across 39 independent companies operating in all 50 states, according to Abnormal AI. The case shows that at scale, identity and email governance have to be built around business workflows, not just perimeter controls.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- Delta Dental serves more than 80 million members across the country.
- Delta Dental operates through 39 independent member companies in all 50 states.
Questions worth separating out
Q: How should security teams reduce vendor email compromise risk in finance workflows?
A: They should remove email as the sole trust signal for any payment or vendor-change action.
Q: Why do business email compromise attacks succeed even in well-run organisations?
A: They succeed because many organisations still treat routine communication as proof of authority.
Practitioner guidance
- Map fraud-sensitive approval chains Identify invoice, vendor-change, and payment workflows that still trust email as an authority signal, then require a separate verification step before action is taken.
- Standardise verification across operating units Apply the same out-of-band approval and validation rules across all independent companies, subsidiaries, or departments that share business relationships.
- Separate communication trust from payment authority Ensure that the person who receives or forwards an email is never the only proof that a request is legitimate, especially for financial actions.
What to expect at the briefing
Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:
- A walk-through of how Delta Dental prioritises business-driven security controls across large-scale member operations.
- Specific strategies for countering vendor email compromise attacks in complex approval environments.
- Practical tips for safeguarding patient data while maintaining a usable end-user experience.
- The security posture considerations that sit behind scalable protocols in a multi-entity insurance environment.
👉 Read Abnormal AI's webinar on Delta Dental’s response to vendor email compromise →
Vendor email compromise at Delta Dental: what IAM teams should note?
Explore further
Business email compromise is an identity governance failure before it is a fraud event. The real issue is that organisations still let email assertions stand in for verified business intent. That assumption breaks when attackers can imitate vendors, hijack reply chains, or exploit repetitive approval behaviour. The implication is that identity programmes must treat fraud-sensitive communication paths as governed trust domains, not informal collaboration channels.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: How can IAM and security teams support fraud resistance without hurting operations?
A: By designing controls around critical workflows rather than blanket restriction. Keep the user experience workable, but add stronger checks where the business impact is highest, such as payments, vendor onboarding, and account changes. The goal is friction where trust matters most, not everywhere.
👉 Read our full editorial: Delta Dental’s identity controls show the limits of email fraud defense