Why YSK: It appears several Lemmy Instances are flagged as suspicious and at least 1 instance intentionally using the name of ransomware. A couple of the big enterprise monitoring suites (Fortiguard, ZScaler) will flag your account and may end up with you being pulled into an office for an explanation, or worse.
TL;DR: Keep browsing to your local instance at work for now.
No, if he’s not in IT it should not be possible - I don’t know what email system you’re using but this person should not have the access you’re saying they do.
I’m not saying it shouldn’t be technically possible (I’m a sysadmin, I know what’s possible in a corporate environment), I’m saying your organization should not make it possible.
If he’s in some leadership position I’d be looking for other employment and/or reporting that person to your corporate compliance officer if you have one.