Not Delegated Flag

Expanded Definition

The Not Delegated Flag is a directory control that blocks an identity from participating in delegation pathways, which is especially important where service accounts, machine accounts, or privileged automation identities could otherwise be impersonated across systems. In practice, it is part of the broader NHI governance model used to reduce lateral movement and constrain how credentials can be used inside protocols that support delegated access. That makes it closely related to least privilege expectations in NIST Cybersecurity Framework 2.0, even though the flag itself is implemented at the directory-object level rather than as a policy abstraction.

Definitions vary across vendors and directory platforms, but the security intent is consistent: if an identity is not meant to act on behalf of another principal, it should be explicitly excluded from delegation. For NHIs, that distinction matters because tooling may hide the setting for machine accounts while still enforcing it in the underlying object attributes. The most common misapplication is assuming the flag is unset because the console does not show a checkbox, which occurs when administrators rely on UI state instead of querying the directory object directly.

Examples and Use Cases

Implementing the Not Delegated Flag rigorously often introduces operational friction, requiring organisations to weigh delegation flexibility against the security gain of reducing impersonation pathways.

• A service account used for application authentication is marked not delegated so it can connect to its target service, but cannot be used in Kerberos delegation chains.
• A machine account in an Active Directory environment has the attribute enforced even though the admin console does not expose an editable control, so validation must happen at the object level.
• During hardening reviews, identity teams compare delegation settings against the asset’s role to ensure only the minimum set of identities can participate in downstream impersonation.
• After reviewing exposure patterns described in the Ultimate Guide to NHIs, teams may add the flag to reduce the blast radius of overprivileged automation accounts.
• In incident response, analysts confirm whether a compromised identity could have been delegated elsewhere by checking the directory attribute directly rather than trusting the management UI.

Protocol behavior matters here, so teams often pair directory review with identity guidance from the Schneider Electric credentials breach case context and implementation references in NIST Cybersecurity Framework 2.0.

Why It Matters in NHI Security

For NHI programs, the Not Delegated Flag is a practical control for limiting impersonation, constraining blast radius, and preventing privileged automation from being reused in ways that were never intended. This matters because NHIs are frequently overprivileged and difficult to inventory consistently, with NHI Mgmt Group reporting that 97% of NHIs carry excessive privileges and only 5.7% of organisations have full visibility into their service accounts. Those conditions make delegation review a high-value control, not a niche hardening detail.

When the flag is misunderstood, defenders can miss an attack path that only becomes visible after a credential is compromised and used laterally. That is why this setting should be checked alongside service account inventory, directory hardening, and post-incident validation. Organisations typically encounter the need to verify the Not Delegated Flag only after a delegation-enabled identity is abused for lateral movement, at which point the control becomes operationally unavoidable to address.

Related resources from NHI Mgmt Group

• When does delegated access become too risky for AI agents?
• What is the difference between human delegated access and agentic access?
• When should a privileged account be marked as sensitive and cannot be delegated?
• What is the difference between delegated and autonomous MCP use cases?