A person or entity permitted to submit a privacy request on someone else’s behalf. The control challenge is verifying that the delegate has valid authority, tracking the request through fulfilment, and preserving evidence so accountability remains with the organisation handling the request.
Expanded Definition
An authorised agent is a delegate who is permitted to act on another person’s behalf when submitting a privacy request, such as access, deletion, correction, or portability. In NHI governance, the term matters because the delegate is not merely a requester; they are a potential control point that can either preserve lawful representation or introduce fraud if authority is not verified.
Definitions vary across vendors and privacy programmes about how much evidence is enough, but the operational requirement is consistent: the organisation must validate authority, scope, and identity before acting. That means confirming the relationship between the principal and the delegate, recording the request path, and retaining evidence that supports accountability after fulfilment. This aligns with the broader identity assurance principles described in the NIST AI Risk Management Framework and the access-control discipline reflected in NIST SP 800-53 Rev 5 Security and Privacy Controls.
The most common misapplication is treating any third-party email or form submission as sufficient proof of delegation, which occurs when organisations accept convenience over verified authority.
Examples and Use Cases
Implementing authorised-agent handling rigorously often introduces verification friction, requiring organisations to balance customer convenience against the risk of unauthorised disclosure or unlawful action.
- A parent submits a deletion request for a minor and the organisation checks the relationship evidence before acting.
- A legal representative files an access request and the case is routed through an approval workflow with retained proof of authority.
- A care provider requests records for a client, and the organisation verifies a signed delegation document before releasing any data.
- A privacy portal accepts third-party submissions only after the delegate identity is validated and the request is linked to the principal’s account history.
- In a high-volume programme, teams use policy-driven screening to flag requests that lack document evidence, then require manual review before fulfilment.
For governance teams, the practical pattern is similar to other delegated-access problems described in the Ultimate Guide to NHIs — 2025 Outlook and Predictions, where proof of authority and auditable handoffs matter more than the convenience of a submission channel. The same evidence discipline appears in the OWASP Agentic AI Top 10, which highlights that delegated execution must be constrained and observable. In privacy operations, the core question is not only who asked, but whether they were actually entitled to ask.
Why It Matters in NHI Security
Authorised-agent workflows become security issues when they are treated as simple customer service steps instead of controlled identity events. If an organisation cannot prove who was allowed to speak for whom, it risks unauthorised disclosure, regulatory findings, and irreversible trust damage. The evidence trail must survive handoff, fulfilment, escalation, and audit review, because the request itself may later become the only proof that a decision was lawful.
This is especially relevant in environments already struggling with identity hygiene. NHIMG reports that 68% of organisations do not know how to fully address NHI risks, and that gap often extends to delegated request handling, where process ownership is fragmented across privacy, legal, and support teams. The same governance mindset is echoed in the Ultimate Guide to NHIs and supported by threat-modelling work such as the CSA MAESTRO agentic AI threat modeling framework, where delegated actions are treated as control-bearing events rather than routine messages.
Organisations typically encounter the consequences only after a disputed privacy request, at which point authorised-agent verification becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | IAL2 | Delegated privacy requests rely on identity proofing and authority verification. |
| NIST CSF 2.0 | PR.AA | Authorised-agent checks support authenticating who may act and under what authority. |
| NIST AI RMF | Risk management guidance applies to delegated decision and action pathways. |
Require sufficient identity proofing before accepting a delegate’s request on another person’s behalf.