
How can organisations reduce the risk of phishing in business workflows?

By NHI Mgmt Group Editorial Team. Updated June 27, 2026. Domain: Threats, Abuse & Incident Response

Separate notification from authorization. Email can alert people that something needs attention, but sensitive actions such as bank-detail changes, identity updates, and credential verification should require a different authenticated channel. That keeps trust from being transferred automatically from the message to the transaction.

Why This Matters for Security Teams

Phishing in business workflows is most dangerous when a message is treated as evidence of legitimacy. Attackers exploit that habit to push payment changes, payroll updates, vendor edits, and password resets through the same channels people use for ordinary business communication. Both the NIST Cybersecurity Framework 2.0 and NHI governance research point to the same failure mode: trust is transferred from message delivery to business approval without a separate check.

That is why NHI Management Group recommends separating notification from authorization. An email can alert a person that an action is pending, but it should not be the authority that completes the action. For organisations with shared inboxes, delegated assistants, and fast-moving finance or HR processes, this distinction matters more than any single anti-phishing control. The Ultimate Guide to NHIs — Why NHI Security Matters Now notes that 91.6% of secrets remain valid five days after notification, showing how slowly many organisations actually remove exposure after a compromise signal.

In practice, many security teams encounter fraudulent workflow approvals only after money, identity records, or access rights have already been changed.

How It Works in Practice

The practical fix is to make the workflow itself resistant to message spoofing. Email remains useful for awareness, but the approval path should move to a separate authenticated channel that can verify the requester, the request context, and the approver’s authority. That can mean a workflow portal, a help desk system with strong authentication, a callback to a known number, or an internal approval app with step-up verification. The goal is not to eliminate email, but to stop it from acting as the transaction boundary.

Controls usually work best when they are tied to high-risk events such as bank-detail changes, payroll rerouting, vendor onboarding, identity proofing, credential resets, and changes to beneficiary or payment instructions. The Top 10 NHI Issues research is useful here because many phishing incidents are really workflow abuse problems: attackers are not just stealing secrets, they are trying to redirect a business process toward an illegitimate outcome. In that sense, phishing defence is also identity governance, because the approval mechanism becomes the control plane.

  • Use email only as a notification layer, not as a decision layer.
  • Require re-authentication for sensitive changes, especially when money or access is involved.
  • Apply out-of-band verification for first-time payees, bank edits, and urgent exceptions.
  • Log approvals, request origin, and identity proofing steps so reviewers can spot anomalies.
  • Limit who can initiate and who can approve the same class of change.

NIST guidance supports this direction: the Cybersecurity Framework 2.0 treats managed access (Protect), detectability (Detect) and response (Respond) as parts of one lifecycle, and a separately authenticated approval path gives each function something concrete to work with: an access decision to enforce, an audit record to detect against, and a single place to stop a fraudulent change. Aligning workflow controls with the framework in this way addresses both phishing success and recovery time. These controls tend to break down in highly distributed environments where approvals are handled through chat, email, and spreadsheets, because there is then no single system of record for the authorization itself.

Common Variations and Edge Cases

Tighter approval controls often increase friction, requiring organisations to balance fraud reduction against speed for legitimate business changes. That tradeoff is real, especially in finance, procurement, and executive support workflows where delays create operational pressure. Best practice is evolving, but current guidance suggests risk-based approval paths: low-risk changes can stay streamlined, while high-risk changes require stronger proof and secondary review.

Edge cases matter. Shared mailboxes can hide who actually read a request. Executive assistants may need delegated authority, but delegation should be explicit and logged. Third-party requests are especially risky because the sender may be real while the business context is still fraudulent (a compromised vendor mailbox is the classic case). In mature environments, teams pair workflow controls with identity proofing and privileged access governance so that the person approving a change is not simply responding to a convincing message. The Ultimate Guide to NHIs — Key Challenges and Risks is relevant here because excessive privileges and weak offboarding turn a single successful phish into a broader compromise.
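The Python sketch below is an added example, not code from the NHI Management Group or from any product this page describes. It models the controls from "How It Works in Practice" and the risk-based and delegation edge cases above as one approval gateway: email (or any other channel) can only create a pending request; approvals are accepted only from an authenticated channel; the initiator, or the principal an assistant is acting for, cannot approve their own request; high-risk change types require a fresh step-up token and, for first-time payees or payment rerouting, an out-of-band check recorded against contact details already on file; low-risk changes stay streamlined; and every request, verification and decision lands in one audit log. The change types, channel names, risk tiers, user names and the HMAC-based step-up token (a stand-in for an MFA prompt inside the approval app) are assumptions, and the walk-through in demo() is constructed.

```python
# Added example, not the page's code: change types, channel names and risk tiers are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import secrets

# Assumed tiers: high-risk changes need step-up auth; money-routing ones also need an out-of-band check.
HIGH_RISK = {"bank_detail_change", "payroll_reroute", "vendor_onboarding", "credential_reset"}
NEEDS_OOB = {"bank_detail_change", "payroll_reroute"}
APPROVAL_CHANNELS = {"approval_portal", "helpdesk_strong_auth", "approval_app"}  # email is absent
STEP_UP_TTL = timedelta(minutes=5)
_STEP_UP_KEY = secrets.token_bytes(32)  # server-side secret; never leaves the gateway
DEMO_NOW = datetime(2026, 6, 27, 9, 0, tzinfo=timezone.utc)  # fixed clock for the walk-through

@dataclass
class ChangeRequest:
    request_id: str
    change_type: str
    requester: str
    origin_channel: str      # where the request arrived; typically "email"
    first_time_payee: bool = False
    oob_sources: list = field(default_factory=list)  # contact sources used for callbacks

def issue_step_up(approver, request_id, now):
    # Short-lived token bound to one approver and one request; stands in for an MFA prompt in the app.
    expires = int((now + STEP_UP_TTL).timestamp())
    mac = hmac.new(_STEP_UP_KEY, f"{approver}|{request_id}|{expires}".encode(), hashlib.sha256)
    return f"{expires}.{mac.hexdigest()}"

def step_up_valid(token, approver, request_id, now):
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(_STEP_UP_KEY, f"{approver}|{request_id}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    return now.timestamp() <= expires and hmac.compare_digest(mac, expected)

class ApprovalGateway:
    def __init__(self):
        self.pending = {}      # request_id -> ChangeRequest
        self.audit = []        # single system of record for requests, checks and decisions
        self.delegations = {}  # delegate -> principal; explicit and reviewable

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})
        return self.audit[-1]

    def notify(self, req):  # any channel, email included, can only register a request
        self.pending[req.request_id] = req
        self._log("request_received", request_id=req.request_id, requester=req.requester,
                  change_type=req.change_type, origin_channel=req.origin_channel)

    def record_out_of_band(self, request_id, method, verified_by, contact_source):
        # e.g. a callback to the number already on file, never the one in the message
        self.pending[request_id].oob_sources.append(contact_source)
        self._log("out_of_band_verified", request_id=request_id, method=method,
                  verified_by=verified_by, contact_source=contact_source)

    def approve(self, request_id, approver, channel, now, step_up_token=None):
        req = self.pending[request_id]  # KeyError means unknown or already completed
        acting_for = self.delegations.get(approver, approver)
        def decide(decision, reason):  # every outcome is logged with the control that fired
            return self._log("approval_decision", request_id=request_id, approver=approver,
                             acting_for=acting_for, channel=channel, decision=decision,
                             reason=reason)
        if channel not in APPROVAL_CHANNELS:  # replying to the email is not an approval
            return decide("rejected", "approval_channel_not_authenticated")
        if req.requester in (approver, acting_for):  # the initiator cannot approve
            return decide("rejected", "separation_of_duties")
        if req.change_type in HIGH_RISK:
            if not step_up_valid(step_up_token, approver, request_id, now):
                return decide("rejected", "step_up_required")
            if ((req.first_time_payee or req.change_type in NEEDS_OOB)
                    and "system_of_record" not in req.oob_sources):
                return decide("rejected", "out_of_band_verification_required")
        del self.pending[request_id]
        return decide("approved", "ok")

def demo():  # constructed walk-through: a first-time-payee bank-detail change that arrived by email
    gw = ApprovalGateway()
    gw.notify(ChangeRequest("REQ-1", "bank_detail_change", "ap-clerk", "email", first_time_payee=True))
    gw.notify(ChangeRequest("REQ-2", "display_name_change", "ap-clerk", "email"))
    gw.delegations["exec-assistant"] = "cfo"  # explicit delegation; surfaces as acting_for in decisions
    r = {}
    r["email_reply"] = gw.approve("REQ-1", "cfo", "email", DEMO_NOW)["reason"]
    r["self_approval"] = gw.approve("REQ-1", "ap-clerk", "approval_portal", DEMO_NOW)["reason"]
    r["no_step_up"] = gw.approve("REQ-1", "cfo", "approval_portal", DEMO_NOW)["reason"]
    token = issue_step_up("cfo", "REQ-1", DEMO_NOW)
    r["no_oob"] = gw.approve("REQ-1", "cfo", "approval_portal", DEMO_NOW, token)["reason"]
    gw.record_out_of_band("REQ-1", "callback", "ap-lead", "system_of_record")
    r["high_risk"] = gw.approve("REQ-1", "cfo", "approval_portal", DEMO_NOW, token)["decision"]
    # Low-risk path: authenticated channel plus separation of duties is enough; the assistant acts for the CFO.
    low = gw.approve("REQ-2", "exec-assistant", "approval_app", DEMO_NOW)
    r["low_risk"] = (low["decision"], low["acting_for"])
    return r, gw.audit
```

demo() returns both the per-attempt outcome and the audit trail. The email reply, the self-approval, the missing step-up and the missing callback are each rejected with the name of the control that stopped them, and the approved records carry the channel, the approver, who they were acting for and the request's email origin, which is exactly the evidence a chat-and-spreadsheet approval pattern never produces. The step-up token is bound to one approver and one request and expires, so a token minted for one change cannot be replayed against another.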

In practice, these controls are strongest when the organisation treats approval as a separately authenticated business action, not as a reply to an email thread.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 describes the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF supply the governance and control structure that practitioners map their workflow controls to.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA, Identity Management, Authentication, and Access Control (notably PR.AA-03 authentication and PR.AA-05 authorization with separation of duties; the CSF 1.1 equivalent was PR.AC-1) | Phishing-resistant workflow approval depends on verifying identities and authorizations before an action is completed.
OWASP Non-Human Identity Top 10 | NHI3:2025 Vulnerable Third-Party NHI; see also NHI1:2025 Improper Offboarding and NHI5:2025 Overprivileged NHI | Third-party senders and integrations can be genuine while the business context is fraudulent, and workflow abuse often exploits stale or over-privileged non-human access paths.
NIST AI RMF | GOVERN | Business workflow phishing is a governance problem requiring policy and accountability.

Require separate authentication for sensitive requests and approvals, not email-only trust.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org