diff --git a/docs/changelog/91173.yaml b/docs/changelog/91173.yaml
new file mode 100644
index 0000000000000..8d86b125a3bdf
--- /dev/null
+++ b/docs/changelog/91173.yaml
@@ -0,0 +1,5 @@
+pr: 91173
+summary: Ensure PKI's `delegated_by_realm` metadata respect run-as
+area: Authentication
+type: bug
+issues: []
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
index 92b2666dc51c4..83eb2bc05aa7a 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
@@ -214,7 +214,7 @@ private void buildUser(X509AuthenticationToken token, String principal, ActionLi
 "pki_delegated_by_user",
 token.getDelegateeAuthentication().getUser().principal(),
 "pki_delegated_by_realm",
- token.getDelegateeAuthentication().getAuthenticatedBy().getName()
+ token.getDelegateeAuthentication().getEffectiveSubject().getRealm().getName()
 );
 } else {
 metadata = Map.of("pki_dn", token.dn());
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
index 388e95987aec5..092ee92fc0ba5 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
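Review bot: The `pki_delegated_by_user` context line two lines above the change still reads the delegatee principal via `getUser()`, while the new `pki_delegated_by_realm` line reads the realm via `getEffectiveSubject().getRealm()`, so the two keys now describe the delegatee through different accessors. The test added in this PR asserts the user value against `getEffectiveSubject().getUser().principal()`, which suggests `getUser()` returns the effective (run-as) user today; spelling that out in the main code keeps the pair in lock-step if that accessor ever changes: `token.getDelegateeAuthentication().getEffectiveSubject().getUser().principal(),`. If these fields feed role mappings or audit records (not visible here), a user/realm pair drawn from two different subjects of a run-as authentication is a silently wrong identity, which is exactly what this fix is correcting. A short why-comment on the `Map.of` call, `// For a run-as delegatee record the effective (run-as) user and realm, not the authenticating ones`, would make the choice explicit for the next reader. `buildUser` begins before and ends after this hunk.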
@@ -414,6 +414,26 @@ public void testAuthenticationDelegationSuccess() throws Exception {
 assertThat(result.getValue().roles().length, is(0));
 assertThat(result.getValue().metadata().get("pki_delegated_by_user"), is("mockup_delegate_username"));
 assertThat(result.getValue().metadata().get("pki_delegated_by_realm"), is("mockup_delegate_realm"));
+
+ // Delegatee is run-as
+ final Authentication runAsAuthentication = AuthenticationTestHelper.builder().realm().build(true);
+ assertThat(runAsAuthentication.isRunAs(), is(true));
+ delegatedToken = X509AuthenticationToken.delegated(new X509Certificate[] { certificate }, runAsAuthentication);
+ realmWithDelegation.expireAll(); // clear the cache so the user is built again
+ result = authenticate(delegatedToken, realmWithDelegation);
+ assertThat(result.getStatus(), equalTo(AuthenticationResult.Status.SUCCESS));
+ assertThat(result.getValue(), is(notNullValue()));
+ assertThat(result.getValue().principal(), is("Elasticsearch Test Node"));
+ assertThat(result.getValue().roles(), is(notNullValue()));
+ assertThat(result.getValue().roles().length, is(0));
+ assertThat(
+ result.getValue().metadata().get("pki_delegated_by_user"),
+ is(runAsAuthentication.getEffectiveSubject().getUser().principal())
+ );
+ assertThat(
+ result.getValue().metadata().get("pki_delegated_by_realm"),
+ is(runAsAuthentication.getEffectiveSubject().getRealm().getName())
+ );
 }
 
 public void testAuthenticationDelegationFailure() throws Exception {
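Review bot: The new assertions compare the metadata against `runAsAuthentication.getEffectiveSubject()`, but nothing checks that the effective realm name actually differs from the authenticating realm for the authentication built by `AuthenticationTestHelper.builder().realm().build(true)`; if that helper can hand back equal realm names for both subjects, the case would also pass against the pre-fix code and would not pin the regression it targets. A precondition right after the `isRunAs()` check closes that gap, e.g. `assertThat(runAsAuthentication.getEffectiveSubject().getRealm().getName(), not(equalTo(runAsAuthentication.getAuthenticatedBy().getName())));`, using the accessor the main change stopped calling but which nothing in this diff removes from `Authentication`, and importing Hamcrest `not` if it is not already in scope. Whether the helper guarantees distinct realms is not visible from here, so confirm that before deciding between an assertion and an `assume`. The existing `// clear the cache so the user is built again` comment is useful; a matching one above the block, `// With a run-as delegatee the metadata must name the effective (run-as) user and realm, not the authenticating ones`, would state the intent of the case. `testAuthenticationDelegationSuccess` starts before this hunk.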