TL;DR: Misdirected email caused data loss or exposure for 96% of organisations in the past year, while 95% reported business impact and 98% judged it a significant risk, according to Abnormal AI. Human error in messaging has become a measurable governance problem, not just a training issue.
NHIMG editorial — based on content published by Abnormal AI: 2025 State of Misdirected Email Prevention, which examines the business impact of misdirected email
By the numbers:
- 96% of organizations surveyed experienced data loss or exposure from misdirected email in the past year.
- 47% of security and IT professionals learn of misdirected emails from recipients rather than from security tools.
- The average enterprise spends over 400 hours per year managing false positive alerts from data loss prevention or email security tools.
Questions worth separating out
Q: How should security teams reduce misdirected email risk in enterprise environments?
A: Security teams should add recipient-aware controls, behavioural detection, and sensitive-thread checks before send.
Q: Why do misdirected emails create a governance problem rather than just a user-training issue?
A: Misdirected emails create governance problems because authenticated, policy-compliant users can still expose sensitive data through normal workflows.
Q: What breaks when email security only looks for malicious exfiltration?
A: What breaks is the ability to detect legitimate mistakes that cause the same business impact as hostile theft.
Practitioner guidance
- Instrument recipient-risk checks before send: add pre-send controls that evaluate unusual recipients, external domains, and sensitive-thread context before a message leaves the mailbox.
- Reduce reliance on content-only DLP: use DLP as one layer, but add behavioural signals such as thread history, sending-pattern anomalies, and recipient familiarity so that legitimate messages sent to the wrong inbox are not missed by static policy.
- Measure false-positive cost as a governance metric: track the analyst hours, user friction, and missed detections created by low-value alerts.
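A pre-send recipient-risk check of the kind the first two items (and the answer to the first question above) describe, as an added example that is not code from the report or from NHIMG. It assumes a hypothetical send-history store and constructed addresses, and it also adds a look-alike check for autocomplete slips that the post does not name.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed sample data: hypothetical names and domains, not from the report.
INTERNAL_DOMAIN = "example-corp.test"
# Sender -> {recipient: messages sent in the last 90 days}; stands in for the
# send-history store a real pre-send control would query.
SEND_HISTORY = {
    "alice@example-corp.test": {
        "bob@example-corp.test": 42,
        "carol@partner-a.test": 7,
    },
}

@dataclass
class OutboundMessage:
    sender: str
    recipients: list[str]
    thread_participants: list[str]  # addresses already on the reply chain
    sensitive: bool                 # confidentiality label or sensitive attachment

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def recipient_risk(msg: OutboundMessage) -> dict[str, list[str]]:
    """Pre-send check: map each risky recipient to the reasons it was flagged.
    Signals: recipient familiarity, external-domain familiarity, a new party on
    a sensitive thread, and a look-alike of a familiar address (autocomplete slip).
    """
    history = SEND_HISTORY.get(msg.sender, {})
    known_domains = {_domain(a) for a in history}
    flagged: dict[str, list[str]] = {}
    for rcpt in (r.lower() for r in msg.recipients):
        reasons = []
        if rcpt not in history:
            reasons.append("recipient never mailed by this sender")
            # Close match to a familiar address: likely a wrong autocomplete pick
            for known in history:
                if SequenceMatcher(None, rcpt, known).ratio() >= 0.85:
                    reasons.append(f"looks like familiar address {known}")
                    break
        if _domain(rcpt) != INTERNAL_DOMAIN and _domain(rcpt) not in known_domains:
            reasons.append("unfamiliar external domain")
        if msg.sensitive and msg.thread_participants and rcpt not in msg.thread_participants:
            reasons.append("new party added to a sensitive thread")
        if reasons:
            flagged[rcpt] = reasons
    return flagged
```

A non-empty result is what a pre-send prompt or hold would be keyed on; the reasons list is what an analyst tuning the control would want logged alongside the outcome.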
What's in the full report
Abnormal AI's full report covers the operational detail this post intentionally leaves for the source:
- Survey breakdowns by role and team function showing how security and IT professionals perceive misdirected email risk
- The report's full set of benchmark findings on remediation cost, compliance impact, and customer trust damage
- Additional detail on how behavioral AI is being applied to detect abnormal sending patterns before disclosure occurs
- Context on the broader email security and human behavior problem space behind the headline findings
👉 Read Abnormal AI's report on preventing misdirected email data loss →
Misdirected email and data loss: what IAM teams need to see
Explore further
Misdirected email is a human identity failure, not just a messaging mistake. The security programme fails when it treats outbound email as a transport problem rather than a decision problem. The central issue is that an authenticated user can still select the wrong recipient, which means identity assurance alone does not prevent disclosure. Practitioners should treat recipient selection as part of the control surface.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: Who should own misdirected email prevention in an identity programme?
A: Ownership should be shared across IAM, DLP, and security operations, with clear accountability for recipient-risk controls, investigation, and tuning. If the issue is treated as only an email problem or only a human error problem, the programme will miss the cross-functional controls needed to reduce accidental disclosure.
👉 Read our full editorial: Misdirected email is now a data loss problem, not just user error