Permissions that allow one account or service to access another mailbox or its functions. In practice, excessive delegation can become a hidden control plane for reconnaissance, message access, and account recovery abuse if it is not reviewed as part of IAM governance.
Expanded Definition
Mailbox delegation is the assignment of mailbox-level access so one account, role, or service can read, send, manage, or otherwise act within another mailbox. In NHI operations, the term often covers delegated access granted to help desks, executive assistants, automation workflows, and service accounts that perform message processing or workflow actions. The security issue is not delegation itself, but the degree, duration, and visibility of that delegation. When delegation is too broad, it becomes a hidden control plane for message reconnaissance, inbox impersonation, and account recovery abuse. Guidance varies across vendors on how delegation should be modeled, so governance teams should map it carefully to access scope, revocation rules, and monitoring expectations. For a standards-based lens on access governance, NHI teams often anchor to the NIST Cybersecurity Framework 2.0 and treat mailbox delegation as an identity control, not a convenience setting. The most common misapplication is granting broad delegated access to service accounts that were created for automation, which occurs when operational teams bypass review for business urgency.
Examples and Use Cases
Implementing mailbox delegation rigorously often introduces operational friction, requiring organisations to weigh administrative speed against message privacy, impersonation risk, and auditability.
- Executive support staff receive delegated access to a leader’s mailbox to triage scheduling, drafts, and correspondence without sharing the password.
- Help desk teams use delegated access during account recovery to verify recent messages or reset-related mail, which should be time-bound and logged.
- Automation services process inbound mail for ticket creation or notifications, but must be constrained to the minimum folders and actions required.
- Shared mailbox delegation is granted for team inboxes, yet the access list should be reviewed for dormant users and excessive send-as rights.
- Mailbox compromise investigations often start by reviewing delegation chain, especially when unusual message access appears without a direct login event.
Practical governance is stronger when delegated access is inventoried alongside other NHI permissions, then reconciled against the same review discipline used for secrets and service principals. That is why NHI teams often pair mailbox reviews with findings from the State of Secrets in AppSec and threat reporting such as LLMjacking: How Attackers Hijack AI Using Compromised NHIs, where credential abuse and overexposed access paths accelerate compromise. If an organisation is still defining how delegated access should be classified, the practical question is whether the delegate can merely read mail or can also impersonate, forward, recover, or exfiltrate content.
Why It Matters in NHI Security
Mailbox delegation matters because it can function as a durable, low-visibility access path even after passwords are changed or interactive sessions are blocked. Attackers and insiders prefer delegated access when they want persistence without triggering obvious authentication alerts. A delegate with send-as or full-access rights may be able to harvest reset messages, monitor executive communications, or interfere with approval workflows. This creates a governance problem for NHI programs: the mailbox becomes a control surface for human and machine operators alike, but it is often omitted from standard privileged access review cycles. According to GitGuardian & CyberArk, organisations dedicate an average of 32.4% of their security budgets to secrets management and code security, which reflects how expensive hidden access paths have become to contain. That cost logic applies directly to mailbox delegation, where each unmanaged permission can become a silent escalation route. Organisations typically encounter delegated access risk only after an inbox is used for unauthorized resets, at which point mailbox delegation becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret and access sprawl, including overbroad delegated mailbox permissions. |
| NIST CSF 2.0 | PR.AC-4 | Identity and access permissions should be managed with least-privilege discipline. |
| NIST Zero Trust (SP 800-207) | AC-6 | Zero trust minimizes implicit trust and requires least-privilege access enforcement. |
Inventory delegated mailbox rights and remove any access that is not explicitly justified, time-bound, and reviewed.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
