An acting-on-behalf-of chain is the sequence of identities and delegated permissions that lets one principal act through another. For AI agents, this chain matters because it determines who is actually responsible when access is reused, expanded, or misapplied during runtime execution.
Expanded Definition
An acting-on-behalf-of chain is the traceable sequence of principals, tokens, and delegated scopes that allows one identity to perform actions for another. In NHI and agentic AI environments, the chain can span a human approver, a service account, an AI agent, an orchestration platform, and a downstream API. The security question is not only “who initiated the request,” but also “which identity actually exercised the privilege at each step.”
This concept overlaps with delegation, impersonation, token exchange, and session propagation, but it is not identical to any one of them. Definitions vary across vendors, so NHI Management Group treats the chain as an operational accountability construct, not just an authentication detail. The chain should preserve provenance, scope boundaries, and revocation points, especially where NIST Cybersecurity Framework 2.0 principles for access control and auditability apply. In practice, every hop should be explainable after the fact, including where an AI agent used cached credentials or a delegated token to continue execution.
The most common misapplication is assuming the original human requester remains the sole accountable actor, which occurs when delegated privileges are not logged or bounded across runtime hops.
Examples and Use Cases
Implementing acting-on-behalf-of chains rigorously often introduces extra logging, token exchange logic, and policy checks, requiring organisations to weigh traceability against runtime complexity and latency.
- A helpdesk technician uses a privileged workflow to reset access for a user, while the chain records the technician, the approval record, and the target account.
- An AI coding agent calls an internal deployment API through a service account, and the system preserves which human approved the agent’s tool access.
- A workflow engine exchanges a short-lived token for a downstream database action, while The State of Secrets in AppSec shows how weak secret handling can blur who actually exercised the privilege.
- A federated application forwards a request into another domain, and the receiving service validates the original actor, the delegating actor, and the allowed scope before execution.
- An exposed credential is reused by a chain of automated systems, echoing the pattern seen in DeepSeek breach, where inherited access can compound impact when provenance is unclear.
Where token exchange is required, the practical model often aligns with OAuth-style delegation and least-privilege scoping, so the receiving system can distinguish authorisation from origination.
Why It Matters in NHI Security
Acting-on-behalf-of chains are critical because attack paths in NHI environments often exploit overbroad delegation rather than direct compromise. If the chain is not visible, defenders may miss privilege expansion, hidden reuse of long-lived tokens, or an AI agent continuing to act after its authorisation should have ended. That is especially dangerous where secrets are stored across multiple systems and the organisation lacks a single authoritative view of runtime identity.
NHIMG research in The State of Secrets in AppSec reports that organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control. Fragmentation makes it harder to prove which identity acted, under which delegation, and whether the right scope was enforced. For governance teams, this turns a simple access event into an evidentiary problem. The same concern appears in guidance from NIST Cybersecurity Framework 2.0, where auditability and access governance are inseparable from resilience.
Organisations typically encounter this issue only after a suspicious action, leaked token, or agent-driven misuse has already occurred, at which point the acting-on-behalf-of chain becomes operationally unavoidable to reconstruct.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Delegated identity chains are central to traceable NHI authorization and provenance. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must stay bounded across chained identity delegation and reuse. |
| NIST Zero Trust (SP 800-207) | SC-10 | Zero Trust requires continuous verification of the effective actor at each request step. |
Validate the current principal and scope at every hop instead of trusting inherited session context.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
