Subscribe to the Non-Human & AI Identity Journal
Home Glossary Governance, Ownership & Risk Call Forwarding
Governance, Ownership & Risk

Call Forwarding

← Back to Glossary
By NHI Mgmt Group Updated July 11, 2026 Domain: Governance, Ownership & Risk

Call forwarding redirects incoming calls from one number to another destination. For identity security, it matters because voice-based OTPs and verification calls can be intercepted if forwarding has been enabled without the user's knowledge.

Expanded Definition

Call forwarding is a telephony feature that reroutes incoming calls from one number to another destination. In identity security, it becomes relevant when organisations still rely on voice callbacks or voice-based one-time passcodes for account recovery, step-up verification, or help desk authentication. Those workflows assume the original number remains under the legitimate user’s control.

Definitions vary across vendors on whether forwarding must be user-configured, carrier-configured, or set through a device setting to count as risky, but the security impact is the same: the call no longer reaches the intended person. For that reason, call forwarding should be treated as an identity control issue, not just a telecom setting, and assessed alongside authentication policy in the NIST Cybersecurity Framework 2.0. In NHI and agentic environments, the concern extends further because voice callbacks may be used to approve access that indirectly protects service accounts, delegated credentials, or admin actions.

The most common misapplication is assuming a phone number proves identity even when forwarding or number-porting controls have not been checked, which occurs when support teams trust callback-based verification without validating call-routing status.

Examples and Use Cases

Implementing call-forwarding checks rigorously often introduces friction for legitimate users, requiring organisations to weigh recovery convenience against the risk of interception and social engineering.

  • A help desk uses voice callbacks for password resets, but an attacker enables forwarding and captures the verification call before the real user answers.
  • A bank flags a change in call-routing settings during step-up authentication and blocks a high-risk transaction until a stronger factor is used.
  • A SOC reviews call-forwarding telemetry after a suspicious SIM swap, then forces account recovery through a managed channel instead of voice-based approval.
  • An NHI operator discovers that an on-call phone used for emergency access is forwarded to an unmanaged destination, creating an approval path outside policy. This risk is easier to understand when viewed alongside the broader NHI control gaps documented in the Ultimate Guide to NHIs.
  • An enterprise bans call-based OTP for privileged workflows and replaces it with phishing-resistant authentication aligned to identity assurance guidance in the NIST Cybersecurity Framework 2.0.

These scenarios show why call forwarding is not just a user convenience feature. It can become an invisible detour around identity verification unless call-routing changes are monitored and treated as security events.

Why It Matters in NHI Security

Call forwarding matters in NHI security because many organisations still mix human voice channels with machine or admin recovery processes. That creates a brittle dependency: if the phone path is diverted, the control no longer binds the request to the intended identity. For NHI governance, this is especially dangerous where a human operator can approve access to a service account, API key, or automation console by phone.

NHI Mgmt Group has found that only 5.7% of organisations have full visibility into their service accounts, and that visibility gap often mirrors weak control over related recovery channels, including voice-based verification. When phone routing is not monitored, forwarding can quietly undermine zero trust assumptions and bypass policy without triggering obvious alerts. The issue also intersects with broader NHI exposure patterns described in the Ultimate Guide to NHIs, especially where excessive privilege and weak offboarding combine with fallback authentication.

Organisations typically encounter the operational impact only after an account takeover, disputed recovery action, or fraud review, at which point call forwarding becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-02Supports controlling secret and recovery-channel abuse that can expose NHI-linked access.
NIST CSF 2.0PR.AC-7Addresses authentication and access mechanisms that must resist call-routing diversion.
NIST SP 800-63IAL/AAL guidanceWarns that phone-based factors are weaker when the number path is not controlled.
NIST Zero Trust (SP 800-207)SP 800-207 principleZero trust requires verifying the actual control of the channel, not assuming it.
CSA MAESTROAgentic workflows must not depend on weak human voice approvals that can be forwarded.

Treat voice callbacks as a recovery secret path and remove them from privileged authentication flows.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org