
What breaks when email access reviews are infrequent?

By NHI Mgmt Group Editorial Team · Updated June 24, 2026 · Domain: Threats, Abuse & Incident Response

Stale accounts, excessive delegation, and orphaned mailboxes remain trusted long after business need changes. That leaves attackers with easier paths to send internal-looking messages, forward data out of the organisation, or abuse shared mailboxes. In practice, infrequent reviews turn email trust into a durable attack surface.

Why This Matters for Security Teams

Email access reviews are often treated as housekeeping, but they are really a control over who can impersonate the business, move data, and reuse trust that was granted for a different job. When reviews slip, shared mailboxes, delegation rules, forwarding paths, and stale service-linked accounts remain active long after the original need has ended. That creates a durable control gap that attackers can exploit for internal-looking phishing, mailbox takeover, and quiet exfiltration. The 52 NHI Breaches Analysis shows how identity sprawl and weak lifecycle discipline repeatedly show up in real incidents, and the same pattern appears in email environments where no one owns review cadence.

The core issue is not just stale access. It is that email systems accumulate implicit trust through delegation, auto-forwarding, shared ownership, and recovery paths that are rarely revisited. The OWASP Non-Human Identity Top 10 is useful here because many mail flows depend on non-human identities and machine-managed access that sit outside normal employee offboarding. In practice, many security teams discover mailbox abuse only after a suspicious message has already gone out or data has already been forwarded externally, rather than through intentional review.

How It Works in Practice

Infrequent reviews fail because email access is not a single permission. It is a stack of entitlements that includes direct mailbox access, delegated send-as rights, calendar permissions, forwarding rules, API-connected apps, and inherited group membership. Each layer can remain valid even when the business reason is gone. That is why current guidance suggests reviewing both human and non-human access together, not as separate problems. The Ultimate Guide to NHIs is a useful reference for understanding how machine accounts and automated workflows often keep privileges long after the original workflow changes.

Operationally, strong programs tie reviews to lifecycle events rather than a fixed annual cycle alone. That means checking:

  • Who can read mail, send as the mailbox, or approve forwarding
  • Which shared mailboxes still have active business owners
  • Which service accounts or apps can access mail via API or OAuth consent
  • Whether forwarding routes data outside approved domains
  • Whether dormant accounts still preserve recovery or delegate paths
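As an added example (not code from the NHI Mgmt Group page), the five checks above expressed as review logic run over a constructed entitlement inventory; the Mailbox fields, APPROVED_DOMAINS and the 90-day dormancy threshold are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date

APPROVED_DOMAINS = {"example.com", "partner.example.net"}  # assumption: sanctioned forwarding targets
DORMANT_DAYS = 90                                          # assumption: inactivity threshold
@dataclass
class Mailbox:
    address: str
    shared: bool
    owner_active: bool   # recorded business owner still has an active account
    account_active: bool
    last_login: date
    readers: list = field(default_factory=list)        # full mailbox read access
    send_as: list = field(default_factory=list)        # send-as / send-on-behalf grants
    delegates: list = field(default_factory=list)      # calendar or inbox delegates
    forwarding_to: list = field(default_factory=list)  # destinations of forwarding rules
    app_grants: list = field(default_factory=list)     # apps / service accounts with mail API access
def review(mb, today):
    # Returns (category, detail) findings for one mailbox, one category per checklist item.
    findings = []
    if mb.readers or mb.send_as:   # every reader and send-as grant needs owner attestation
        findings.append(("access", f"{len(mb.readers)} readers, {len(mb.send_as)} send-as grants"))
    if mb.shared and not mb.owner_active:
        findings.append(("orphaned", "shared mailbox has no active business owner"))
    for app in mb.app_grants:
        findings.append(("api", f"{app} holds mail access via OAuth consent or API"))
    for dest in mb.forwarding_to:
        if dest.rsplit("@", 1)[-1].lower() not in APPROVED_DOMAINS:
            findings.append(("forwarding", f"forwards to {dest} outside approved domains"))
    dormant = not mb.account_active or (today - mb.last_login).days > DORMANT_DAYS
    if dormant and (mb.delegates or mb.send_as or mb.forwarding_to):
        findings.append(("dormant", "dormant account still keeps delegate or forwarding paths"))
    return findings

def review_all(inventory, today):
    return {mb.address: review(mb, today) for mb in inventory}

# Constructed sample inventory (not real data): an orphaned shared mailbox with external
# forwarding and a bot grant, plus a disabled user account that still has a delegate.
INVENTORY = [
    Mailbox("finance-shared@example.com", shared=True, owner_active=False, account_active=True,
            last_login=date(2026, 6, 20), readers=["a.lee@example.com", "b.ng@example.com"],
            send_as=["a.lee@example.com"], forwarding_to=["someone@external.example"],
            app_grants=["ticketing-bot"]),
    Mailbox("j.doe@example.com", shared=False, owner_active=True, account_active=False,
            last_login=date(2025, 11, 2), delegates=["assistant@example.com"]),
]
if __name__ == "__main__":
    for addr, items in review_all(INVENTORY, date(2026, 6, 24)).items():
        for category, detail in items:
            print(f"{addr}: [{category}] {detail}")
```

Feeding the real inventory in is the part that differs per mail platform; the review rules themselves stay the same regardless of where the entitlement data comes from.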

Control quality improves when review evidence is paired with identity telemetry and change records, because static entitlement lists often miss delegated or inherited access. The NHI Lifecycle Management Guide is relevant because lifecycle ownership, rotation, and retirement are the same governance problems that surface in mailbox administration. Best practice is evolving toward continuous attestation for high-risk mailboxes, especially where finance, legal, or executive correspondence is involved. These controls tend to break down when organizations rely on monthly export spreadsheets and manual sign-off, because delegated access and forwarding can change between review cycles.

Common Variations and Edge Cases

Tighter mailbox review often increases administrative overhead, requiring organisations to balance reduction in exposure against review fatigue and approval delays. That tradeoff is most visible in shared executive mailboxes, department inboxes, and automation-heavy environments where multiple teams depend on the same account.

There is no universal standard for this yet, but current guidance suggests treating the following as higher risk than ordinary user mail:

  • Mailboxes with send-as or delegate rights across departments
  • Accounts with external forwarding enabled
  • Shared inboxes used by contractors or rotating staff
  • Mail access granted to automation, ticketing, or AI assistants

Edge cases also matter. A mailbox may be technically owned but operationally orphaned after a reorganisation, merger, or role change. In those cases, the bigger failure is governance ambiguity, not the absence of a checkbox review. For AI-enabled mail triage or agentic workflows, the same principle applies: if a system can read, summarise, route, or send email autonomously, its access should be treated as a non-human identity with explicit expiry and review. For broader lifecycle thinking, The State of Secrets in AppSec research is a reminder that stale credentials and slow remediation create long-lived exposure, even when confidence in control design is high.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                         Control / Reference   Relevance
OWASP Non-Human Identity Top 10   NHI-03                Infrequent reviews let NHI access linger beyond business need.
NIST CSF 2.0                      PR.AC-4               Email delegation and shared access are privilege control problems.
NIST CSF 2.0                      PR.DS-5               Unreviewed forwarding and send-as rights can move data externally.

Review mailbox and forwarding entitlements regularly and remove excess access at the next attestation cycle.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 24, 2026.