diff --git a/inventory/hosts.yml b/inventory/hosts.yml
index 64e2572..0a140cc 100644
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@@ -1,5 +1,9 @@
 # Targeted inventory — first Docker discovery run
 # 5 hosts manually selected for initial credential testing
+#
+# NOTE: become is NOT set here — play-level become: true in the playbook
+# handles privilege escalation. This prevents ansible_become: true from
+# leaking into delegate_to: localhost tasks on the Semaphore runner.
 
 all:
   hosts:
@@ -9,28 +13,24 @@ all:
       ansible_host: 10.40.40.2
       ansible_user: sam
       ansible_ssh_pass: Lewiss4224@@@
-      ansible_become: true
       ansible_become_pass: Lewiss4224@@@
 
     ubuntu-server-02:
       ansible_host: 10.40.40.3
       ansible_user: sam
       ansible_ssh_pass: Lewiss4224@@@
-      ansible_become: true
       ansible_become_pass: Lewiss4224@@@
 
     sp-ie-containerlab:
       ansible_host: 10.40.40.156
       ansible_user: user
       ansible_ssh_pass: user
-      ansible_become: true
       ansible_become_pass: user
 
     vRouter-Host:
       ansible_host: 10.40.40.184
       ansible_user: user
       ansible_ssh_pass: user
-      ansible_become: true
       ansible_become_pass: user
 
     # ── 192.168.1.0/24 ─────────────────────────────────────────────────────
@@ -38,7 +38,6 @@ all:
       ansible_host: 192.168.1.30
       ansible_user: user
       ansible_ssh_pass: user
-      ansible_become: true
       ansible_become_pass: user
 
   children: