Ask any security team whether they follow the principle of least privilege and you’ll get a confident yes. Then ask how many people in the organization hold standing admin rights, and watch the confidence drain from the room.

Least privilege is simple to state: every user, process, and system should have exactly the access it needs to do its job — and nothing more. The gap between that sentence and everyday practice is where most breaches live.

The principle, without the poetry

Least privilege has three practical dimensions:

  1. Scope — access to which resources? A payroll analyst needs the payroll system, not the whole finance share.
  2. Levelwhat kind of access? Reading a report is not the same as changing the numbers on it.
  3. Duration — access for how long? The contractor’s account should not outlive the contract by four years. It usually does.

Most access reviews only look at the first dimension. The second and third are where the quiet risk accumulates.

Why it drifts

Nobody sets out to violate least privilege. It erodes:

  • People change roles and keep their old access (“just in case”).
  • Troubleshooting sessions end with “leave it, it works now.”
  • Break-glass admin accounts become everyday-driver admin accounts.
  • Groups get nested inside groups until nobody can say what a membership grants.

This drift has a name — privilege creep — and it is a ratchet: access is easy to grant and socially awkward to remove.

A starting point you can actually do

You do not need an identity governance platform to begin. You need a list and some resolve:

1. Export every account with admin or elevated rights.
2. For each one, answer: who owns it, what is it for,
   when was it last used?
3. Anything with no owner or no use in 90 days gets
   disabled (not deleted) for two weeks.
4. Nothing broke? Now delete it.

The disable-first step matters. It converts an irreversible, scary decision into a reversible, boring one — which means it actually happens.

Where to go deeper

For the formal treatment, NIST SP 800-53 covers least privilege under AC-6, and the CISA guidance on identity security is a readable companion. But the principle fits on an index card. The hard part was never understanding it — it’s saying no to the ratchet, one access request at a time.

Least privilege isn’t a project you finish. It’s a habit your organization either has or doesn’t.