Subscribe to the Non-Human & AI Identity Journal
Home Glossary Agentic AI & Autonomous Identity Delegated action
Agentic AI & Autonomous Identity

Delegated action

← Back to Glossary
By NHI Mgmt Group Updated July 1, 2026 Domain: Agentic AI & Autonomous Identity

An action performed by one identity on behalf of another, with some authority borrowed from the principal. In agentic environments, delegated action needs explicit scope, auditability, and revocation boundaries because the executor is not the same as the beneficiary.

Expanded Definition

Delegated action is a controlled act performed by one identity on behalf of another, where the executor borrows limited authority from the principal. In NHI and agentic AI environments, the term matters because the actor, the beneficiary, and the policy owner are often different entities.

Definitions vary across vendors, but the security expectation is consistent: delegated action must be bounded by explicit scope, time, and revocation rules. That means the delegate should only receive the minimum authority required, and every execution should be attributable back to the principal that authorised it. This aligns with the least-privilege direction of the NIST Cybersecurity Framework 2.0 and the broader governance concerns described in Ultimate Guide to NHIs.

The most common misapplication is treating delegated action as a standing permission, which occurs when borrowed authority is left active after the task, workflow, or agent session ends.

Examples and Use Cases

Implementing delegated action rigorously often introduces operational friction, requiring organisations to weigh workflow speed against tighter scope control, approvals, and audit overhead.

  • An AI agent is allowed to open a support ticket and attach logs, but not to modify production infrastructure, because its delegated scope is limited to incident triage.
  • A service account receives a short-lived token to rotate a secret on behalf of an application, with the token revoked immediately after the rotation completes.
  • A CI/CD pipeline performs a deployment action under delegated authority from a release manager, while preserving an audit trail that identifies the principal and the exact action taken.
  • An automation workflow uses delegated access to query customer records for a compliance report, but the delegation is constrained to read-only access and a narrow time window.
  • For practical NHI governance context, the risks around broad or lingering borrowed access are discussed in Ultimate Guide to NHIs, while identity assurance patterns are also reflected in NIST Cybersecurity Framework 2.0.

Why It Matters in NHI Security

Delegated action becomes a security issue when organisations cannot prove who authorised the act, what the delegate could do, or when that authority expired. In NHI ecosystems, that gap can turn a routine automation into an invisible privilege path, especially when secrets, service accounts, and AI agents are involved.

NHI Mgmt Group reports that 97% of NHIs carry excessive privileges, a condition that makes poorly scoped delegation especially dangerous because borrowed authority can become broader than intended. The risk is not only abuse, but also forensics failure: if logs do not capture the principal, the delegated subject, and the exact scope, incident response cannot reconstruct what happened. The Ultimate Guide to NHIs also shows that 91.6% of secrets remain valid five days after notification, underscoring how hard it is to unwind exposure once delegation has been abused. Practitioners should treat delegation as a lifecycle control, not just an access pattern, and tie it to revocation, monitoring, and policy review under NIST Cybersecurity Framework 2.0.

Organisations typically encounter delegated-action risk only after a token misuse, agent error, or unauthorized workflow execution, at which point the term becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-05Delegated actions need scoped, auditable, revocable NHI authorization.
NIST CSF 2.0PR.AC-4Least-privilege access management directly governs delegated authority use.
NIST Zero Trust (SP 800-207)Zero Trust requires continuous verification of each delegated request.

Restrict borrowed authority, log every delegated execution, and revoke access when the task ends.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 1, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org