When external forwarding is excluded from identity governance, message access can continue after the original account activity should have ended. The result is invisible information leakage, weak offboarding assurance, and a false sense of control coverage. Forwarding rules must be treated as part of the identity and access boundary, not a separate email admin concern.
Why This Matters for Security Teams
External forwarding changes the effective boundary of identity governance because it can keep delivering sensitive mail after the account owner, contractor, or service role should no longer have access. When that rule is invisible to review workflows, offboarding checks look complete while the data path remains open. That is why NHI Management Group treats forwarding as an access-extension control, not just an email preference. The governance failure is rarely obvious until data exposure is investigated after the fact, which is why Ultimate Guide to NHIs is explicit that lifecycle controls and revocation discipline must cover all paths that preserve access. NIST's Cybersecurity Framework 2.0 also reinforces that identity governance should support ongoing access control, not point-in-time review alone.
In practice, many security teams encounter forwarding abuse only after mail flow has already redirected sensitive information to an external inbox that was never supposed to remain in scope.
How It Works in Practice
Identity governance should enumerate external forwarding rules alongside group membership, mailbox delegation, API keys, and privileged access. The practical reason is simple: forwarding preserves message reach even when the original account is disabled, moved, or assumed to be offboarded. That makes it part of the identity and access boundary, because the business effect is continued disclosure.
In a mature workflow, the governance team should review whether any rule sends mail outside the tenant, who approved it, when it expires, and whether it survives account status changes. That review should be tied to joiner-mover-leaver events, contractor end dates, and privileged mailbox reviews. Where mail platforms support policy, automated checks should flag:
- any external destination not on an approved allowlist
- rules that forward all messages rather than targeted mail
- rules created by users but never re-attested by managers or data owners
- forwarding that remains active after account deprovisioning
The control objective is supported by broader NHI lifecycle guidance in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs, which treats revocation and offboarding as continuous obligations rather than one-time tasks. For governance teams, the useful question is not only “is the mailbox disabled?” but “does any rule still export its contents?” Current guidance suggests this should be treated as an identity review item even when the forwarding logic is administered in a separate console. These controls tend to break down in hybrid Exchange, legacy email relay, and delegated-admin environments because ownership is split across identity, messaging, and endpoint teams.
Common Variations and Edge Cases
Tighter forwarding control often increases review overhead, requiring organisations to balance leakage reduction against user support friction and exception handling. That tradeoff becomes important for executives, executive assistants, shared mailboxes, mergers, and regulated correspondence. Best practice is still evolving, and there is no universal standard that treats every internal forwarding rule as a risk event; the practical distinction is whether the destination leaves the trust boundary or preserves business continuity inside it.
Two edge cases deserve particular attention. First, some accounts are intentionally set to forward after offboarding for legal hold, archive migration, or transition coverage. Those cases need explicit time limits and documented approval, not silent persistence. Second, forwarding can be nested through aliases, distribution lists, or transport rules, so a direct mailbox review may miss the true destination. NHI Management Group’s research links this kind of weak visibility to broader identity control gaps, including the visibility and remediation issues described in Top 10 NHI Issues and the incident patterns discussed in 52 NHI Breaches Analysis. Where identity governance does not inventory nested message-routing rules, review coverage becomes incomplete by design.
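The automated checks listed above and the two edge cases just described (time-limited transition forwarding and nested routing through aliases, distribution lists, or transport rules) can be run against an export of the mail platform's configuration. The following is an added example, not code from the original page or from NHI Mgmt Group: a small offline audit over a constructed inventory. The account states, addresses, domains, allowlist, and field names are all assumptions made for illustration; in a real review the inputs would come from the platform's own tooling (for Exchange Online, for instance, mailbox forwarding attributes from Get-Mailbox, Get-InboxRule, Get-TransportRule, and group membership exports).

```python
"""Audit exported mail-forwarding configuration for access that outlives the account.

Constructed example data, not a real tenant export. Field names, addresses and
domains are assumptions for illustration; real inputs would come from the mail
platform's admin tooling (for Exchange Online: Get-Mailbox forwarding attributes,
Get-InboxRule, Get-TransportRule, group membership exports).
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TENANT_DOMAINS = {"corp.example"}                        # the trust boundary (assumed)
APPROVED_EXTERNAL_DOMAINS = {"archive.partner.example"}  # assumed approved allowlist
AS_OF = date(2026, 6, 27)                                # review date for expiry checks


@dataclass(frozen=True)
class Rule:
    owner: str                      # mailbox the forwarding belongs to
    destination: str                # immediate forwarding target
    scope: str                      # "all" or a narrowing condition
    attested: bool                  # re-attested by a manager or data owner
    approved_until: Optional[date]  # documented time limit, None if open-ended


@dataclass(frozen=True)
class Finding:
    owner: str
    destination: str
    issue: str


ACCOUNTS = {  # mailbox -> lifecycle state (constructed)
    "alice@corp.example": "active",
    "bob@corp.example": "disabled",   # offboarded contractor
    "carol@corp.example": "active",
    "dave@corp.example": "active",
}

RULES = [  # constructed forwarding rules
    Rule("alice@corp.example", "alice.home@webmail.example", "all", True, None),
    # transition coverage set up at offboarding, approved only until the end of March
    Rule("bob@corp.example", "transition-dl@corp.example", "all", True, date(2026, 3, 31)),
    Rule("carol@corp.example", "legal@archive.partner.example", "subject:contract", False, None),
]

GROUPS = {  # aliases and distribution lists -> members (constructed)
    "transition-dl@corp.example": ["vendor-ops@vendor.example", "dave@corp.example"],
}

REDIRECTS = {  # transport rules: mail for X is redirected to Y (constructed)
    "dave@corp.example": "dave.backup@webmail.example",
}


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_external(addr: str) -> bool:
    return domain(addr) not in TENANT_DOMAINS


def resolve(addr: str, groups=GROUPS, redirects=REDIRECTS, _seen=None) -> set:
    """Follow aliases, lists and transport redirects to the addresses that finally receive mail."""
    seen = set() if _seen is None else _seen
    if addr in seen:  # guard against lists that include each other
        return set()
    seen.add(addr)
    if addr in redirects:
        return resolve(redirects[addr], groups, redirects, seen)
    if addr in groups:
        out = set()
        for member in groups[addr]:
            out |= resolve(member, groups, redirects, seen)
        return out
    return {addr}


def audit(rules=RULES, accounts=ACCOUNTS, as_of=AS_OF) -> list:
    """Apply the review checks to every forwarding rule; one Finding per condition met."""
    findings = []
    for r in rules:
        terminals = resolve(r.destination)
        external = sorted(t for t in terminals if is_external(t))
        for t in external:
            if domain(t) not in APPROVED_EXTERNAL_DOMAINS:
                findings.append(Finding(r.owner, t, "external destination not on allowlist"))
        if external and not is_external(r.destination):
            # the direct destination looks internal; only resolution reveals the exit
            findings.append(Finding(r.owner, r.destination,
                                    "nested route leaves tenant via " + ", ".join(external)))
        if r.scope == "all":
            findings.append(Finding(r.owner, r.destination, "forwards all messages"))
        if not r.attested:
            findings.append(Finding(r.owner, r.destination, "never re-attested"))
        if accounts.get(r.owner) != "active":
            findings.append(Finding(r.owner, r.destination, "active after deprovisioning"))
        if r.approved_until is not None and r.approved_until < as_of:
            findings.append(Finding(r.owner, r.destination, "documented approval expired"))
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f"{f.owner:22} -> {f.destination:32} {f.issue}")
```

The point of `resolve` is the second edge case: bob's rule points at an internal distribution list, so a mailbox-only review would pass it, yet expansion through the list and a transport redirect shows two external recipients. The `approved_until` check covers the first edge case; an intentional post-offboarding forward is acceptable only while its documented approval is current, and the rule is flagged the day it lapses.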
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | External forwarding extends identity access beyond the intended lifecycle. |
| NIST CSF 2.0 | PR.AA-01 | Identity governance must cover access paths that outlive account status. |
| CSA MAESTRO | | Workflow controls should prevent hidden message exfiltration paths. |
Inventory forwarding paths and revoke any rule that preserves access past offboarding.
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org