GLOSSARY · FUNDAMENTALS

Least privilege

The principle that every user, process, and system gets exactly the access it needs to do its job, and nothing more.

Least privilege sounds like a policy statement but behaves like a habit. It has three dimensions: scope (which resources), level (what kind of access), and duration (for how long). Most organizations manage the first and quietly lose the other two.

The practical enemy is privilege creep: access accumulates as people change roles, troubleshoot, and “temporarily” elevate, and it is socially awkward to take back. Reviews that only ask “should this person have an account?” miss the level and duration questions where the real risk sits.

A workable starting point is an inventory of elevated accounts with three questions per row: who owns it, what is it for, when was it last used. Disable before deleting; reversible decisions actually get made.