Here are some 2026 industry predictions from Karl Bagci, Head of Information Security at email signature management software provider Exclaimer, for your review.
1. The major 2026 security shift most organizations aren’t prepared for
The biggest unacknowledged shift heading into 2026 is that the authentication layer is no longer the perimeter. Attackers aren’t breaking in, they’re logging in. Session hijacking, token theft, infostealer malware harvesting credentials at scale. Most organizations still treat successful authentication as proof of legitimacy. In 2026, that assumption will cost them. Continuous verification throughout a session, not just at login, is where we need to be and almost nobody’s there yet.
2. Where the shared responsibility model will fail next
The next fault line in the already strained shared-responsibility model will arise from AI features embedded in SaaS. Every vendor is bolting on AI capabilities, often using third-party models and often processing customer data in ways that aren’t transparent. The shared responsibility model assumes clear boundaries. AI blurs them completely. When your CRM’s AI assistant summarizes confidential deal notes and that data trains a model or leaks across tenants, whose responsibility is that? The contracts will say yours. The reality is you had no visibility or control.
3. How attacker behavior will escalate in 2026
The next evolution in attacker strategy will be AI-powered social engineering at scale. Today’s business email compromise (BEC) is still largely manual. Tomorrow’s is automated and personalized. AI scrapes LinkedIn, correlates with breached data, and generates contextually relevant messages for thousands of targets at once. Each one referencing real projects, real colleagues, real details. Attack quality goes up. Volume goes up. Current defenses are calibrated for neither.
4. Why compliance will have to extend beyond email
A major compliance shift is coming for regulated industries as regulators begin questioning why email is compliant, but other business channels are not. Organizations spent years building email retention, disclaimers, legal holds, and audit trails, then moved half their communication to Teams and Slack with none of that infrastructure. Financial services, legal, and healthcare all have strict requirements around communication records. The regulatory expectation is forming, and extending compliance controls across all digital communication channels is no longer optional. I believe enforcement will follow.
World Cloud Security Day exposes the overlooked gap in cloud security: Outbound communication
Posted in Commentary with tags Exclaimer on March 31, 2026 by itnerd
Exclaimer today announced a reminder for organizations to prioritize email communications governance. On World Cloud Security Day, most organizations are focused on securing access to their cloud systems. But far fewer are asking a more difficult question: what happens after a user hits send? According to Exclaimer, one of the most under-governed areas of enterprise communication is outbound email.
Email continues to sit at the center of modern business operations, yet it is also one of the most widely used and least consistently governed communication channels. According to IBM’s Cost of a Data Breach Report 2025, the average data breach in the US now costs $10.22 million, and it takes organizations an average of 258 days to identify and contain an incident. These findings highlight how gaps in visibility and control persist across the enterprise, including in how communication is created and sent.
Cloud security has matured significantly when it comes to controlling access to systems, but governance of communication within those systems hasn’t kept pace. Governance often breaks down at the point of execution, where individual users, manual processes, and fragmented tools create inconsistency and reduce control. Findings from Exclaimer’s State of Business Email 2025 report reinforce how widespread this gap has become, with 83% of organizations reporting issues related to email misuse, inconsistency, or risk.
A shift from access risk to communication risk
Exclaimer, recently named for its leadership in SaaS and cloud workplace culture at the 2025/26 Cloud Awards, says this highlights a broader issue in how businesses approach cloud security.
When 83% of organizations are already experiencing email-related challenges, this shows the issue is no longer awareness, but how consistently organizations can apply control. And control breaks down quickly when critical elements like disclaimers, branding, and compliance messaging are left to individual users to manage and implement. As communication scales, this challenge is only intensifying. IBM’s research shows that one in six data breaches now involve AI-driven attacks, underscoring how quickly the volume and complexity of communication is increasing.
The governance gap in enterprise communication
Findings from Exclaimer’s State of Business Email 2025 report reveal a growing gap between how organizations secure access and how they control communication. While investment in platforms like Microsoft 365 and Google Workspace continues to rise, only 41% have fully integrated email into their broader security and compliance stack.
In regulated industries, this can introduce real exposure, where missing or inconsistent information may fall short of legal or industry-specific requirements. Even outside of compliance risk, inconsistent outbound communication can erode trust, particularly when customers expect accuracy, professionalism, and clarity in every interaction.
Security at scale requires real-time control
As email volumes increase and communication becomes more distributed across users, devices, and AI-assisted tools, ensuring consistency can’t depend on manual action; it requires policy-driven enforcement that operates in real time, across the entire organization.
Learn more at www.exclaimer.com