<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>The Boring CISO</title><description>Practical cybersecurity leadership, explained without the drama. Plain-English articles and a jargon-free glossary covering AI security, fundamentals, leadership and GRC, threats, and tooling.</description><link>https://theboringciso.com/</link><language>en-gb</language><item><title>What Least Privilege Actually Means (and Why Your Admin Count Says Otherwise)</title><link>https://theboringciso.com/articles/what-least-privilege-actually-means/</link><guid isPermaLink="true">https://theboringciso.com/articles/what-least-privilege-actually-means/</guid><description>Least privilege is the most quoted and least practiced principle in security. Here&apos;s what it really asks of you, and how to start applying it this week.</description><pubDate>Wed, 15 Jul 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Ask any security team whether they follow the principle of least privilege and
you&apos;ll get a confident yes. Then ask how many people in the organization hold
standing admin rights, and watch the confidence drain from the room.&lt;/p&gt;
&lt;p&gt;Least privilege is simple to state: &lt;strong&gt;every user, process, and system should
have exactly the access it needs to do its job — and nothing more.&lt;/strong&gt; The gap
between that sentence and everyday practice is where most breaches live.&lt;/p&gt;
&lt;h2&gt;The principle, without the poetry&lt;/h2&gt;
&lt;p&gt;Least privilege has three practical dimensions:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Scope&lt;/strong&gt; — access to &lt;em&gt;which&lt;/em&gt; resources? A payroll analyst needs the payroll
system, not the whole finance share.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Level&lt;/strong&gt; — &lt;em&gt;what kind&lt;/em&gt; of access? Reading a report is not the same as
changing the numbers on it.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Duration&lt;/strong&gt; — access for &lt;em&gt;how long&lt;/em&gt;? The contractor&apos;s account should not
outlive the contract by four years. It usually does.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Most access reviews only look at the first dimension. The second and third are
where the quiet risk accumulates.&lt;/p&gt;
&lt;h2&gt;Why it drifts&lt;/h2&gt;
&lt;p&gt;Nobody sets out to violate least privilege. It erodes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;People change roles and keep their old access (&quot;just in case&quot;).&lt;/li&gt;
&lt;li&gt;Troubleshooting sessions end with &quot;leave it, it works now.&quot;&lt;/li&gt;
&lt;li&gt;Break-glass admin accounts become everyday-driver admin accounts.&lt;/li&gt;
&lt;li&gt;Groups get nested inside groups until nobody can say what a membership grants.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This drift has a name — &lt;strong&gt;privilege creep&lt;/strong&gt; — and it is a ratchet: access is
easy to grant and socially awkward to remove.&lt;/p&gt;
&lt;h2&gt;A starting point you can actually do&lt;/h2&gt;
&lt;p&gt;You do not need an identity governance platform to begin. You need a list and
some resolve:&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;1. Export every account with admin or elevated rights.
2. For each one, answer: who owns it, what is it for,
   when was it last used?
3. Anything with no owner or no use in 90 days gets
   disabled (not deleted) for two weeks.
4. Nothing broke? Now delete it.
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;The disable-first step matters. It converts an irreversible, scary decision
into a reversible, boring one — which means it actually happens.&lt;/p&gt;
&lt;h2&gt;Where to go deeper&lt;/h2&gt;
&lt;p&gt;For the formal treatment, &lt;a href=&quot;https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final&quot;&gt;NIST SP 800-53&lt;/a&gt;
covers least privilege under AC-6, and the
&lt;a href=&quot;https://www.cisa.gov/topics/identity-theft-and-personal-cyber-threats&quot;&gt;CISA guidance on identity security&lt;/a&gt;
is a readable companion. But the principle fits on an index card. The hard part
was never understanding it — it&apos;s saying no to the ratchet, one access request
at a time.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Least privilege isn&apos;t a project you finish. It&apos;s a habit your organization
either has or doesn&apos;t.&lt;/p&gt;
&lt;/blockquote&gt;
</content:encoded></item></channel></rss>