IAM, messaging security, and SOC teams all share responsibility because the attack crosses their control boundaries. Identity teams own the login and session signals, messaging teams own forwarding and transport rules, and SOC teams own correlation and response. Shared accountability is essential because no single control layer sees the full chain.
Why This Matters for Security Teams
BEC-driven exfiltration is not just an email problem or just an identity problem. Attackers often begin with a compromised mailbox, then abuse identity controls, forwarding rules, OAuth grants, or session tokens to move data out quietly. That means accountability must follow the control chain, not a single team’s boundary. NIST Cybersecurity Framework 2.0 is useful here because it frames governance, protection, detection, and response as linked responsibilities rather than isolated tools.
In NHI terms, the lesson is the same one visible in the Ultimate Guide to NHIs: identity objects, credentials, and privileges become attack paths when they are not continuously governed. Once an attacker controls an inbox, they can often chain mailbox rules, cloud app consent, and identity sessions to widen access. The 52 NHI Breaches Analysis shows how commonly identity abuse becomes a platform for broader compromise, especially when visibility is fragmented across teams. In practice, many security teams encounter this only after exfiltration has already occurred, rather than through intentional cross-domain detection.
How It Works in Practice
Accountability should be split by control ownership, then joined through shared incident handling. Identity and access management teams are responsible for authentication signals, conditional access, session policy, and token revocation. Messaging security teams own mail flow rules, forwarding restrictions, OAuth app controls, and mailbox auditing. SOC teams own correlation, triage, threat hunting, and response orchestration across identity, email, endpoint, and cloud logs.
This is where current guidance suggests a joint operating model rather than a handoff model. A mailbox compromise may not look severe in isolation, but if it is paired with suspicious consent grants or impossible travel, the risk changes immediately. Security teams should define who can disable inbox forwarding, who can invalidate refresh tokens, who can suspend suspicious identities, and who approves emergency containment. The operational goal is to make sure each team can act quickly on its own layer while also feeding a common incident record.
For implementation, anchor the workflow in authoritative logging and clear ownership maps. The NIST Cybersecurity Framework 2.0 supports this by tying asset visibility, monitoring, and response into a single governance model. The Top 10 NHI Issues is also relevant because credential overreach, weak rotation, and poor visibility often determine whether exfiltration stays contained or spreads.
- Identity teams own account lockout, token revocation, and risky session review.
- Messaging teams own inbox rules, transport rules, external forwarding, and mail trace.
- SOC teams own correlation across email, IdP, endpoint, and cloud activity.
- All teams should share a severity model for suspicious consent, forwarding, and data staging.
These controls tend to break down in federated environments where mail, identity, and cloud apps are administered separately because no single team can see the full kill chain.
Common Variations and Edge Cases
Tighter email and identity controls often increase operational overhead, requiring organisations to balance fast containment against user disruption. That tradeoff becomes sharper in delegated admin models, mergers, and multi-tenant environments where mailbox policy, identity governance, and cloud access are not owned by the same group. Best practice is evolving, but one point is clear: shared accountability does not mean shared ambiguity.
In some environments, messaging security may detect the first malicious action, while identity teams are the only ones able to confirm whether the session was token-based or password-based. In others, the SOC may own initial containment because the relevant evidence spans endpoint telemetry, IdP logs, and mail audit trails. The right model is to pre-assign decision rights before an incident, including who can quarantine mailboxes, disable app consent, and revoke refresh tokens. This matters because mailbox exfiltration often includes non-human credentials, and the Ultimate Guide to NHIs shows how frequently secrets and privileges remain overexposed long enough for attackers to chain them. Where organisations rely on manual escalation or unclear ownership, attackers exploit the delay faster than teams can coordinate.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Cross-team accountability depends on clear governance and ownership for identity-led BEC response. |
| NIST CSF 2.0 | DE.CM-08 | BEC exfiltration requires correlated monitoring across mailbox and identity activity. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Mailbox abuse often succeeds through stale secrets, sessions, or overprivileged identities. |
Assign explicit owners for identity, email, and SOC actions in the BEC response playbook.
Related resources from NHI Mgmt Group
- Who is accountable when AI-driven fraud bypasses identity controls?
- Who is accountable when malware uses legitimate tools to hide persistence and credential theft?
- Why does identity matter more when vulnerabilities are discovered faster than they can be patched?
- What is the difference between prompt injection risk and identity abuse in agents?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org