Customers would like the ability to restrict a delegate’s usage to a defined set of projects/pipelines, even when those projects span across multiple orgs. Currently, if a delegate is scoped at the account level, it is technically available for all projects and teams. The only workaround today is to place all projects into a dedicated org and scope the delegate there. This is not feasible when the customer’s setup spans multiple orgs. Sample Use Case: Customer has a team that purchased dedicated hardware for CI builds. This hardware should only be used by specific pipelines/projects owned by that team, but their projects span across multiple orgs, so creating a single org to scope the delegate is not an option. Current Behavior: Delegates scoped at the account level are available to all projects. No way to enforce restrictions using OPA, RBAC, or other policy mechanisms. Requested Behavior: Ability to explicitly restrict which orgs/projects/pipelines can use a delegate, even if the delegate is scoped at the account level.