People assume the §1.132-5(m) security exclusion is for CEOs. Maybe CFOs. Maybe a general counsel during a bad quarter. The assumption is understandable because that's where most ISS engagements land. But the regulation doesn't say "CEO." It doesn't say "C-suite." It doesn't say "named executive officer." It says "employee."
The word choice is deliberate, and it controls the entire analysis. The exclusion is available to any employee of any employer, provided the facts satisfy the bona fide business-oriented security concern standard. The question isn't what title the person holds. The question is why they need security, and whether the answer traces back to their job.
The actual statutory language
The regulation at §1.132-5(m)(2)(i) requires that "the facts and circumstances establish a specific basis for concern regarding the safety of the employee." That's the threshold. Then it gives two illustrative factors:
A threat of death, kidnapping, or serious bodily harm "because of either employee's status as an employee of the employer."
A recent history of violent terrorist activity in the area where the transportation is provided, unless focused on a group that doesn't include the employee.
The first factor carries most of the weight in practice. Read it carefully: the threat has to exist because of the person's status as an employee. Not because they're wealthy. Not because they're famous. Not because they live in a high-crime neighborhood. Because they work for this employer, in this role, and that fact is what generates the security concern.
That's the employee nexus test. Everything else follows from it.
Where the test is easy
A publicly traded company's CFO announces a major restructuring. Layoffs hit 12,000 people. The CFO's name is on the press release, in the proxy, and across every business headline for two weeks. Threatening messages arrive at the corporate office referencing the CFO by name. The local police department opens a file.
The nexus is obvious. The threats exist because of what this person did in their capacity as an employee. Take away the job, and the threats disappear. The concern is business-oriented. An ISS conducted under these facts will document a qualifying concern without difficulty.
Same analysis for a CEO whose company is involved in contentious litigation, a general counsel who becomes the public face of a regulatory fight, or a division president who closes a plant in a community where the company is the largest employer. The threat traces directly to the employment relationship. That's what the regulation is looking for.
Professional athletes: the distinction most people miss
The instinct is to treat professional athletes as a weak case for §1.132-5(m). That instinct is wrong for most of them.
Think about how an athlete becomes a public figure. Before a team signs them, the vast majority are unknown outside their sport's dedicated following. A college quarterback has some regional recognition. An F1 driver coming up through Formula 2 has a niche audience. A minor league pitcher has almost none. Then the team signs them, and everything changes. The team puts them on the field in front of 80,000 people and a national broadcast. The team's media operation schedules them for press conferences, interview obligations, and sponsor appearances. The team prints their name on jerseys sold in retail stores. The team sends them to road games in cities where passionate, sometimes hostile, fan bases know exactly who they are.
All of that visibility is a direct product of the employment relationship. The team created it. The team profits from it. The team requires it as a condition of employment.
Apply the nexus test: if this person were released from the team tomorrow, would the security concern go away? For most professional athletes, the honest answer is yes, or close to it. Cut a starting safety from an NFL roster and within a season he's not getting recognized at a restaurant. Drop an F1 driver from a constructor's lineup and the paddock attention, the travel to Jeddah and São Paulo, the press availability all disappear. The fame was team-generated. The exposure was employer-driven. The threats that attach to that exposure, from obsessive fans, from gambling interests, from people with fixations on public figures in the team's market, trace back to the employment.
That's a qualifying nexus.
Where the analysis shifts is the small number of athletes whose celebrity has become fully portable. A player so famous that the security profile doesn't change when they move between franchises. Someone whose name recognition exists independent of any team affiliation. At that level, the fame follows the person, not the job. The IRS can credibly argue that the security concern isn't generated by the employment relationship because it would exist regardless of which team employs them, or whether any team does.
The line between team-generated visibility and portable personal celebrity isn't always clean. But for the majority of professional athletes, the team made them famous, the team keeps them in the public eye, and the team puts them in the environments where the exposure exists. That's exactly the kind of employment-driven concern the regulation was written for.
One more wrinkle specific to sports: geographic exposure. Professional teams send athletes to cities, countries, and venues as a condition of employment. An F1 team requires its drivers to compete in countries with documented security risks. An NBA team sends players to arenas in cities with high violent crime rates. A soccer club sends its squad to away matches where rival supporters have a documented history of targeting visiting players. The regulation's second illustrative factor, "a recent history of violent terrorist activity... in the geographic area in which the transportation is provided," was written with overseas business travel in mind. But the principle applies whenever an employer sends an employee into a high-risk environment as part of the job.
The owner-promoter: when social media exposure is the job
A fact pattern the regulation's drafters never anticipated but that fits the statutory language well: the founder or co-owner of a consumer brand whose primary job function is promoting the company's products on social media.
This person is on Instagram, TikTok, and YouTube constantly, not because they're a lifestyle influencer in their spare time, but because that's the business model. They're the Chief Brand Officer or Chief Creative Officer. Their employment agreement or operating agreement specifies promotional obligations. The company's revenue is directly tied to the reach of their personal platform. Every post is company content wearing a personal face.
The security exposure that comes from that kind of sustained, high-volume public presence is real and well documented. Threatening messages from people who object to the company's products or positions. Stalking behavior from followers who develop fixations. Doxxing of home addresses tied to product controversies. The threats reference the brand, the products, the business. And the person is in that position because the company put them there, or more precisely, because the company's entire go-to-market strategy depends on them being there.
The nexus argument is strong. The social media exposure is a job function. The company benefits from it, requires it, and in many cases contractually mandates it. The threats that follow from the exposure are tied to business activity. If the person stepped away from the company and stopped promoting its products, the specific exposure that generates the concern would drop.
The complication is when the person was already a public figure before the company existed. A celebrity who launches a beauty brand brings a pre-existing audience and a pre-existing security profile. The ISS has to be honest about what's baseline and what's incremental. But in many of these arrangements, the company dramatically amplifies the person's exposure by putting them in front of the public more frequently, more controversially, and in more contexts than their pre-existing profile required. A social media personality with 2 million followers who launches a supplement brand and grows to 15 million followers while generating product controversy has a very different security profile than they did before the company. The incremental exposure is employer-driven.
The documentation burden is higher than it would be for a traditional C-suite executive. The ISS needs to establish that the social media activity is a business function (employment agreement, job description, board or operating agreement expectations), that the threatening activity references the company and its products rather than just the person's lifestyle, and that the exposure metrics track to business activity. Done correctly, this is a defensible case. Assumed without documentation, it isn't.
One more point on the equity question. The fact that this person owns part of the company doesn't weaken the nexus. Founder-CEOs across the Fortune 500 own significant equity. The regulation applies to "employees," and an owner who also serves as an officer or employee of the company is an employee for purposes of §132. The ownership stake is irrelevant to the nexus analysis. What matters is whether the security concern arises from what the person does in their employment capacity.
The media and entertainment line
Television anchors, on-air talent, and media personalities require the same team-generated versus portable-fame analysis that applies to athletes.
A network news anchor who receives threats because of the network's political coverage has a strong nexus. The threats are about the employer's editorial decisions, and the anchor is the visible representative of those decisions. The network put them in that chair, requires them to deliver that coverage, and benefits from the audience their presence attracts. Change the anchor, and the next person inherits the same exposure. That's employer-driven risk.
A talk show host whose public profile is built entirely around the show the network produces is in a similar position. The show is the job. The audience, the controversy, the attention, all of it flows from the employment relationship.
Compare that with a celebrity who takes a role at a studio or production company but whose public profile exists independently. Their security needs trace to personal fame, not to what any employer asks them to do. If they left the production company, they'd need the same protection. The employment relationship isn't generating the concern.
The line sits where it sits for athletes: did the employer create or materially increase the exposure, or did the person bring it with them? When the employer built the platform, the nexus is there.
Drivers, chauffeurs, and support staff
The regulation's security provisions aren't limited to the person being protected. They can apply to the people providing the protection, too, when those people are employees.
A bodyguard/chauffeur employed by the company doesn't need their own ISS. Their role exists as part of the overall security program for the protected employee. The regulation at §1.132-5(m)(5) specifically addresses bodyguard/chauffeur services, and the exclusion applies to the value of those services when they're part of a qualifying program. The bodyguard/chauffeur must be trained in evasive driving techniques. The regulation is explicit on that point. An untrained driver, regardless of title, doesn't qualify under this provision.
The corporate officer who isn't C-suite
The regulation's most overlooked application might be the senior employee who isn't a named executive officer but whose role generates real exposure.
A head of government affairs who testifies before Congress on a politically charged issue. A chief medical officer at a pharmaceutical company during a drug safety controversy. A senior communications executive who becomes the company's public face during a crisis. A plant manager in a community where the company's operations have generated organized opposition.
None of these people would appear in a proxy statement's compensation table. None of them would be the first person a board thinks of when discussing executive security. But each of them can present facts that satisfy the employee nexus test, because the security concern in each case arises directly from what they do for the employer.
Companies that limit their ISS analysis to the CEO and maybe one or two other named officers sometimes miss these cases. The regulation doesn't impose a seniority requirement. It imposes a nexus requirement.
The personal wealth trap
The hardest conversations happen when the security concern is real but the nexus to employment is thin.
A founder-CEO worth $3 billion faces kidnapping risk. Is that risk because they're the CEO, or because they're worth $3 billion? Often both, and the regulation doesn't require that the business nexus be the only reason the concern exists. But it does require that a business-oriented concern be present and documented. If the ISS analysis reveals that the concern would exist regardless of the person's employment, that's a fact the study has to deal with honestly.
The same issue arises with executives who are independently famous before joining a company. A former government official who becomes a corporate board member. A retired military leader who takes a CEO role. A celebrity hired as a brand spokesperson. Each brings a pre-existing security profile to the employment relationship. The question the ISS has to answer is whether the employment itself creates or meaningfully increases the concern, not just whether a concern happens to exist while the person is employed.
A study that documents the pre-existing profile and then identifies specific, incremental risk created by the corporate role is doing the analysis correctly. A study that attributes the entire pre-existing risk to the employment relationship is writing a conclusion the facts don't support.
What the regulation's own examples tell us
The examples in §1.132-5(m)(8) are instructive. Example 1 involves "the president of X, a multinational company" who receives death threats. Example 2 involves "the chief executive officer of Y, a multinational corporation" facing kidnapping attempts in foreign countries. Example 4 involves a company retaining an independent consultant to study the security of "its chief executive officer."
Every example involves a senior corporate officer. None involves an athlete, a media personality, or a celebrity. That doesn't mean those people can't qualify. The regulation uses "employee" throughout the operative text, not "executive." But the examples tell you where the IRS was focused when it wrote the rule, and they tell you that the further you move from that center of gravity, the more the facts have to do the work.
The cost of not asking the question
Most companies that commission an ISS do it for the CEO. Maybe the CFO. They stop there, and nobody asks whether other people in the organization are carrying security costs that would qualify for the same treatment.
The math adds up fast. A sports franchise providing security for four players at $200,000 each is running $800,000 in taxable compensation before the gross-up. Add the gross-up, and the franchise is spending north of $1.2 million on a benefit that, for most of those players, traces directly to what the team asked them to do. A consumer brand paying for its Chief Brand Officer's security, residential hardening, and digital protection at $350,000 a year is writing that check plus another $150,000 or more in gross-up costs, every year, for a person whose entire public exposure is a job function.
That's real money sitting on the table because someone assumed the regulation only applies to the C-suite.
The nexus test doesn't ask about titles. It asks whether the security concern arises from the employment relationship. For the starting quarterback whose team put him on national television, the answer is usually yes. For the founder-CEO who promotes the company's products to 12 million followers because that's the business model, the answer is usually yes. For the chief medical officer who became the public face of a product recall, the answer is usually yes.
Each of those people represents a separate ISS engagement, a separate set of documented facts, and a separate tax savings that compounds every year the program runs. Companies and franchises that are already paying for the security are already bearing the cost. The question is whether they're bearing the tax cost on top of it for no reason.
A scoping call is enough to determine whether the facts support a study. If they do, the path to the exclusion is the same one the regulation provides for any employee. If they don't, you'll know before any engagement begins. Either way, the conversation is worth having for anyone in the organization whose security costs trace back to their role.
This post is for informational purposes and does not constitute tax or legal advice. Readers should consult qualified tax and legal counsel regarding the treatment of specific programs.