TL;DR: Email security remains a high-risk identity problem, with the FBI reporting $2.8 billion in business email compromise losses in 2024 and API-based models detecting 665 advanced threats monthly that SEGs miss, according to Abnormal AI. The governance shift is from inbox filtering to behavioural visibility, because attack paths increasingly exploit compromised accounts and internal mail flows.
NHIMG editorial — based on content published by Abnormal AI: selecting the right email security approach for modern attacks
By the numbers:
- In 2024 alone, the FBI reported $2.8 billion in business email compromise losses.
- By analyzing behavioral, identity, and historical context across mailboxes, pure API architectures detect 665 advanced threats monthly that SEGs miss.
- Organizations using Abnormal's pure API model save 15+ hours of security team time weekly.
Questions worth separating out
Q: How should security teams handle email attacks that come from trusted accounts?
A: They should treat them as identity abuse, not just malicious content.
Q: When does a secure email gateway stop being enough?
A: A gateway becomes insufficient when the main risk is account takeover, internal-to-internal abuse, or vendor impersonation rather than spam and obvious malware.
Q: What do teams get wrong about inline email security APIs?
A: They often assume more inline inspection automatically means better security.
Practitioner guidance
- Map email controls to identity risk, not just inbox hygiene. Review where your current stack can see internal-to-internal mail, account impersonation, and conversation hijacking.
- Test for behavioural context coverage. Validate whether detections can correlate sender-recipient history, vendor relationships, and message tone shifts across the mailbox.
- Separate mail flow reliability from detection depth. Assess whether inline routing adds latency, connector complexity, or duplicate controls that increase operational risk.
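The "behavioural context coverage" test above is easier to reason about with a concrete baseline in hand. The script below is an added illustration, not code from Abnormal AI or from the source article: it builds a per-sender profile (who they normally write to, which Reply-To domain they normally use) from a constructed mailbox history, then scores new messages on deviation from that profile rather than on content alone. The addresses, domains and subject lines are all invented sample data, and the scoring rules and threshold are assumptions chosen to show the difference between a known vendor sending a routine invoice and a trusted internal account that suddenly writes to finance with an external Reply-To.

```python
"""Baseline-driven anomaly scoring for internal and vendor mail (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    reply_to: str
    subject: str


def domain(addr: str) -> str:
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


# Constructed mailbox history: the "normal" picture a gateway never sees
# because it only judges each message at the perimeter.
HISTORY = [
    Message("alice@acme.example", "bob@acme.example", "alice@acme.example", "Weekly sync"),
    Message("alice@acme.example", "bob@acme.example", "alice@acme.example", "Roadmap notes"),
    Message("alice@acme.example", "carol@acme.example", "alice@acme.example", "Hiring plan"),
    Message("dave@vendor.example", "bob@acme.example", "dave@vendor.example", "Invoice 1041"),
    Message("dave@vendor.example", "bob@acme.example", "dave@vendor.example", "Invoice 1041 paid"),
]


def build_baseline(messages):
    """Per-sender profile: recipients seen and Reply-To domains seen."""
    baseline = defaultdict(lambda: {"recipients": set(), "reply_to_domains": set()})
    for m in messages:
        profile = baseline[m.sender]
        profile["recipients"].add(m.recipient)
        profile["reply_to_domains"].add(domain(m.reply_to))
    return dict(baseline)


# Assumed keyword list for the content signal; kept deliberately small.
PAYMENT_TERMS = ("urgent", "wire", "payment", "invoice", "gift card", "bank details")


def score_message(msg, baseline):
    """Return the list of reasons a message deviates from its sender's baseline."""
    reasons = []
    profile = baseline.get(msg.sender)
    if profile is None:
        reasons.append("no prior history for sender")
    else:
        if msg.recipient not in profile["recipients"]:
            reasons.append("first-time sender/recipient pair")
        if domain(msg.reply_to) not in profile["reply_to_domains"]:
            reasons.append("reply-to domain outside sender's history")
    # Content-only signal, the kind of check a gateway keyword rule would make.
    if any(term in msg.subject.lower() for term in PAYMENT_TERMS):
        reasons.append("payment/urgency language")
    return reasons


def triage(messages, baseline, threshold=2):
    """Flag messages with at least `threshold` reasons (assumed cut-off)."""
    flagged = []
    for m in messages:
        reasons = score_message(m, baseline)
        if len(reasons) >= threshold:
            flagged.append((m, reasons))
    return flagged


BASELINE = build_baseline(HISTORY)

# Constructed new mail: routine internal mail, a suspicious message from a
# trusted internal account, a routine vendor invoice, and a lookalike vendor domain.
NEW_MAIL = [
    Message("alice@acme.example", "bob@acme.example", "alice@acme.example", "Q3 roadmap"),
    Message("alice@acme.example", "finance@acme.example", "alice.smith@mail-example.net",
            "Urgent wire for new vendor"),
    Message("dave@vendor.example", "bob@acme.example", "dave@vendor.example", "Invoice 1042 due"),
    Message("mallory@vendor-example.net", "bob@acme.example", "mallory@vendor-example.net",
            "Updated invoice payment details"),
]

if __name__ == "__main__":
    for msg, reasons in triage(NEW_MAIL, BASELINE):
        print(f"FLAG {msg.sender} -> {msg.recipient}: {', '.join(reasons)}")
```

Note what the threshold does: the legitimate invoice from the known vendor carries payment language but no relationship anomaly, so it is not flagged, while the internal account with a new recipient and an external Reply-To is flagged even though nothing in its content is malicious. That is the distinction between inbox hygiene and identity-aware context that the guidance above asks teams to validate.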
What's in the full article
Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:
- Connector and routing considerations for inline deployments in Microsoft 365 and Google Workspace.
- The mechanics of asynchronous mailbox analysis and automated remediation after delivery.
- Customer-reported time savings and workflow efficiency details that support implementation decisions.
- A deeper comparison of how the architecture behaves across spam, impersonation, and account takeover scenarios.
👉 Read Abnormal AI's analysis of SEG, inline API, and pure API email security →
Email security architecture: what IAM teams need to rethink now?
Explore further
Identity-led email abuse is no longer a content problem; it is a governance problem. Gateways were designed to judge messages at the perimeter, not to reason over who is speaking, how they normally communicate, and whether a trusted identity has become a fraud vector. That is why internal-to-internal abuse and account takeover keep slipping through legacy email stacks. Practitioners should treat mail security as an identity control surface, not just a filtration layer.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, followed by inadequate monitoring and logging at 37%.
A question worth separating out:
Q: How can organisations reduce business email compromise risk without disrupting mail flow?
A: They should prefer architectures that analyse messages asynchronously and can remediate threats after delivery without rerouting mail. That approach preserves delivery reliability while adding richer context for detection and response. The goal is to reduce fraud risk without creating operational friction for users or the mail platform.
👉 Read our full editorial: Email security architecture is shifting beyond SEG-era visibility