
When the attacker already has the credentials of the IT Director? I doubt they will be too interested in bug reports, somehow...


You must be joking! Do you store all your SSH keys in your email? Do IT directors in big companies even have shell access to production servers? Even if they did, that would show in the audit logs, whereas an RCE is less likely to. And what if the bug is client-side??


They wouldn't have to have access or SSH keys. The position is usually at a level where people don't question requests or have a heightened guard with emails. It wouldn't be difficult to pivot to requesting an account made for some project, or including an attachment that compromises a device that you then have phone home. This has been shown a number of times publicly with phishing emails that lead to breaches, gift card scams and wire fraud.

In your proposed situation, having access to the director of IT's email account is similar to physical access to a server. The RCE might be another layer of access, but it's not game-changing compared to what is already available.

