Delegation is the transfer of authority from one entity to another, usually with clear limits. In cybersecurity, it lets a user, service, or machine act on behalf of another without sharing the original credentials. Common examples include OAuth consent, API tokens, service accounts, and signed capabilities that restrict what the delegate can do and for how long.
Delegation matters because it is how modern systems balance usability and control. Done well, it supports least privilege: a tool can read one mailbox, call one API, or run one job, but not everything. Done badly, delegation becomes a major attack path. Phished tokens, overly broad scopes, and weak revocation can let attackers inherit trust and move through connected systems. In agentic AI, delegation is especially important because an agent may chain many tools together. Defenders need explicit scopes, audit logs, short lifetimes, and fast revocation so authority can be removed as soon as behavior looks suspicious.
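A minimal sketch of the controls named above (explicit scopes, short lifetimes, audit logs, fast revocation), written as an added example rather than code from any particular product. The HMAC-signed token format, the function names, the key, and the scope strings such as `mail.read` are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed value; a real issuer keeps its key in a KMS/HSM
REVOKED = set()                # token ids (jti) whose authority has been withdrawn
AUDIT = []                     # (jti, delegate, requested scope, decision)

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def sign(body: str) -> str:
    return b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def issue(owner, delegate, scopes, ttl_s, jti, now=None):
    """Owner grants `delegate` a limited set of scopes for ttl_s seconds."""
    now = time.time() if now is None else now
    claims = {"owner": owner, "delegate": delegate, "scopes": sorted(scopes),
              "exp": now + ttl_s, "jti": jti}
    body = b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{sign(body)}"

def revoke(jti):
    """Withdraw authority immediately, without waiting for expiry."""
    REVOKED.add(jti)

def authorize(token, scope, now=None):
    """Return (allowed, reason); every decision is appended to AUDIT."""
    now = time.time() if now is None else now
    body, _, tag = token.partition(".")
    # Verify the signature before trusting any claim inside the token.
    if not hmac.compare_digest(tag.encode(), sign(body).encode()):
        AUDIT.append((None, None, scope, "bad_signature"))
        return False, "bad_signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["jti"] in REVOKED:
        reason = "revoked"
    elif now >= claims["exp"]:
        reason = "expired"
    elif scope not in claims["scopes"]:
        reason = "scope_denied"
    else:
        reason = "ok"
    AUDIT.append((claims["jti"], claims["delegate"], scope, reason))
    return reason == "ok", reason
```

The delegate never holds the owner's credentials, only a token that names one delegate, a fixed scope list, and an expiry; the audit trail records denied requests as well as allowed ones, which is what makes suspicious behavior visible in time to revoke.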



