The ability of a machine identity to be represented by another service during authentication or authorisation flows. It is often overlooked because administrators focus on user accounts, yet the same directory controls apply to computer objects, which makes the accounts of Tier 0 machines especially important to govern.
Expanded Definition
Computer account delegation is a directory and authentication control that allows one machine identity to act on behalf of another identity (a user, or another machine) during an access flow. In Active Directory it is the Kerberos delegation configuration on the computer object: unconstrained delegation (the TRUSTED_FOR_DELEGATION flag, which hands the server a copy of every connecting principal's forwardable TGT), constrained delegation (msDS-AllowedToDelegateTo, the exact list of SPNs the account may reach on a caller's behalf, optionally with protocol transition), and resource-based constrained delegation (msDS-AllowedToActOnBehalfOfOtherIdentity, set on the target object, naming who may delegate to it). In NHI governance it is distinct from ordinary service-to-service authentication because the delegating object often inherits trust decisions that were originally intended for a specific computer account, not a broad workload class. That distinction matters when the account sits in a privileged zone, such as a domain controller, jump server, or other Tier 0 asset. Guidance varies across vendors on implementation details, but the security principle is consistent: delegation should be explicit, bounded, and continuously reviewed, in line with the least-privilege and access-control expectations of the NIST Cybersecurity Framework 2.0. In practice, the control surface includes directory settings, service bindings, and downstream authorization paths that can silently extend trust beyond the intended machine. The most common misapplication is enabling delegation on high-value computer accounts to unblock a failing service integration, without first validating whether the delegated path is necessary at all.
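The three delegation modes above are readable straight from the computer object, so an inventory is the natural first governance step. The following PowerShell is an added example written for this page, not code from the page's author or any vendor; it assumes the ActiveDirectory RSAT module, read access to the domain, and a group named `Tier0-Servers` that stands in for however you tag Tier 0 hosts (that name is an assumption). It classifies every computer account's outbound delegation, lists inbound RBCD grants, and raises findings weighted towards Tier 0:

```powershell
# Added example, not from the original page: inventory Kerberos delegation settings on
# every computer account and flag configurations that widen trust, with extra weight
# on Tier 0. Needs the ActiveDirectory RSAT module and read access to the domain.
# ASSUMPTION: the group name below is a placeholder for however you tag Tier 0 hosts.
Import-Module ActiveDirectory

$tier0Group   = 'Tier0-Servers'
$tier0Members = @(Get-ADGroupMember -Identity $tier0Group -Recursive |
                  Where-Object { $_.objectClass -eq 'computer' } |
                  Select-Object -ExpandProperty distinguishedName)

$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'PrincipalsAllowedToDelegateToAccount', 'primaryGroupID'

$report = Get-ADComputer -Filter * -Properties $props | ForEach-Object {
    $c = $_
    # Domain controllers (primaryGroupID 516, RODCs 521) carry unconstrained delegation by
    # default; they are Tier 0, but that flag alone is not a finding on them.
    $isDC    = $c.primaryGroupID -in @(516, 521)
    $isTier0 = $isDC -or ($tier0Members -contains $c.DistinguishedName)

    # Outbound delegation: what this account may do on a caller's behalf.
    $targets = @($c.'msDS-AllowedToDelegateTo')
    $mode = if ($c.TrustedForDelegation) { 'Unconstrained' }
            elseif ($targets.Count -gt 0) {
                if ($c.TrustedToAuthForDelegation) { 'Constrained+ProtocolTransition' } else { 'Constrained' }
            }
            else { 'None' }

    # Inbound (RBCD): principals allowed to impersonate others *to* this account.
    $rbcd = @($c.PrincipalsAllowedToDelegateToAccount | ForEach-Object { $_.Name })

    $findings = @()
    if ($mode -eq 'Unconstrained' -and -not $isDC) {
        $findings += 'Unconstrained delegation: any principal that authenticates here leaves a reusable TGT'
    }
    if ($mode -eq 'Constrained+ProtocolTransition') {
        $findings += 'Protocol transition: host can obtain tickets for users without their credentials'
    }
    if ($isTier0 -and $rbcd.Count -gt 0) {
        $findings += "RBCD into a Tier 0 account from: $($rbcd -join ', ')"
    }
    if ($isTier0 -and $targets.Count -gt 1) {
        $findings += 'Tier 0 account delegates to more than one service; confirm each SPN is approved'
    }

    [pscustomobject]@{
        Computer = $c.Name
        Tier0    = $isTier0
        Mode     = $mode
        Targets  = ($targets -join '; ')
        RbcdFrom = ($rbcd -join '; ')
        Findings = ($findings -join ' | ')
    }
}

$report | Where-Object Findings | Sort-Object Tier0 -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\delegation-inventory.csv -NoTypeInformation
```

Run it from a management host as a read-only account and keep the CSV as the baseline for the periodic review; a new row with a non-empty `Findings` column between two runs is exactly the "trust extended beyond the intended machine" case the definition warns about. Note that RBCD grants live on the target object, so a Tier 0 host can acquire one without any change to the delegating account itself.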
Examples and Use Cases
Governing computer account delegation rigorously introduces operational friction, because administrators must preserve service continuity while narrowing trust paths and documenting every permitted representation flow.
- A Tier 0 server is permitted to delegate only to a specific directory-backed service, preventing a broader relay path from forming across the environment.
- A backup system uses constrained delegation to authenticate to a file service on behalf of a machine account, but only for the exact protocol and host pair approved in change control.
- A legacy application depends on a computer account to reach downstream SQL resources, requiring engineers to replace unconstrained delegation with constrained delegation to the single SQL service principal the application actually needs.
- Identity teams trace unusual access through a service chain and discover that a delegated computer account was allowed to represent another machine identity far beyond its intended role.
- Hardening work on privileged hosts is guided by the governance priorities described in Ultimate Guide to NHIs, while service design is aligned with the access control expectations in NIST Cybersecurity Framework 2.0.
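The legacy-application and incident-trace cases above both end in a directory change, and the change itself is short; the risk is in sequencing and verification. The PowerShell below is an added example for this page, not the page's or any vendor's own script. It assumes the ActiveDirectory RSAT module, rights to write delegation attributes, and placeholder values (`APP01`, `JUMP01`, `MSSQLSvc/sql01.corp.example:1433`) that you would replace with the ones recorded in change control:

```powershell
# Added example, not from the original page: narrow the legacy application's delegation to
# the one SQL SPN it needs, and remove an unexpected inbound RBCD grant from a Tier 0 host.
# Needs the ActiveDirectory RSAT module and rights to write these attributes.
# ASSUMPTION: host names and the SPN are placeholders for the values in your change ticket.
Import-Module ActiveDirectory

$DryRun    = $true                               # flip to $false only with an approved change
$legacyApp = 'APP01'                             # legacy app server (computer account)
$sqlSpn    = 'MSSQLSvc/sql01.corp.example:1433'  # the single downstream SPN the app needs
$tier0Host = 'JUMP01'                            # Tier 0 jump server

# 1. Unconstrained -> constrained. Clear the broad flag first so a failure on the second
#    write leaves the account with no delegation rather than with unconstrained delegation.
Set-ADComputer -Identity $legacyApp -TrustedForDelegation $false -WhatIf:$DryRun
Set-ADComputer -Identity $legacyApp -Replace @{ 'msDS-AllowedToDelegateTo' = @($sqlSpn) } -WhatIf:$DryRun
# Leave TrustedToAuthForDelegation (protocol transition) off: with it, the app could obtain
# service tickets for arbitrary users without those users ever authenticating to it.

# 2. Review and clear inbound RBCD on the Tier 0 host. The grant lives on the *target*
#    object, so anyone with write access to the host object can create one silently.
$grants = @((Get-ADComputer -Identity $tier0Host -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount)
if ($grants.Count -gt 0) {
    Write-Warning "Principals allowed to delegate to ${tier0Host}: $(($grants | ForEach-Object { $_.Name }) -join ', ')"
    Set-ADComputer -Identity $tier0Host -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity' -WhatIf:$DryRun
}

# 3. Verify the end state (meaningful once $DryRun is $false).
$app = Get-ADComputer -Identity $legacyApp -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
$targets = @($app.'msDS-AllowedToDelegateTo')
$ok = (-not $app.TrustedForDelegation) -and (-not $app.TrustedToAuthForDelegation) -and
      ($targets.Count -eq 1) -and ($targets[0] -eq $sqlSpn)
if (-not $DryRun -and -not $ok) {
    throw "$legacyApp is not constrained to exactly $sqlSpn; do not close the change."
}
```

Run it once with `$DryRun` left at `$true` to see the `-WhatIf` output, attach that output to the change record, then run it for real and keep step 3's result as the evidence that the trust path is now exactly one SPN wide. If the application breaks after the change, the fix is to add the specific missing SPN to `msDS-AllowedToDelegateTo`, not to re-enable unconstrained delegation.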
Why It Matters in NHI Security
Computer account delegation becomes a governance problem when machine identities are treated as infrastructure details instead of privileged actors. Delegation can turn one compromised host into a pathway for lateral movement, service impersonation, or sensitive directory access, especially when the account is over-privileged or poorly monitored. NHI Management Group research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is why delegation paths deserve the same scrutiny as human administrator access. The risk is not only unauthorized access but also audit ambiguity, because delegated actions can obscure which machine initiated the request and which account actually performed the operation. In mature NHI programs, delegation reviews are paired with privilege inventory, secret hygiene, and Tier 0 segmentation so that representation rights do not become hidden standing privilege. Organisations typically feel the real impact only after a privileged service behaves unexpectedly or an incident trace shows one machine acting for another; by then, cleaning up computer account delegation is unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI5: Overprivileged NHI | Delegation expands machine trust and can create hidden privilege paths for service accounts. |
| NIST CSF 2.0 | PR.AA-05 (formerly PR.AC-4 in CSF 1.1) | Access permissions must be managed, enforced, and reviewed so delegated machine rights stay least-privileged. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1) | Each delegated request must be explicitly authorized per resource, not assumed from host trust. |
Review delegated access rules regularly and remove any machine representation not strictly required.