What is Least Privilege?
Definition
The principle of least privilege dictates that users, systems, and processes should be granted only the minimum level of access necessary to perform their legitimate functions. Access rights should be regularly reviewed and promptly revoked when no longer needed.
In Depth
Least privilege is a foundational security principle that limits the blast radius of compromised accounts, insider threats, and accidental misuse. Implementing it requires organizations to understand what access each role truly needs, a process that often reveals significant over-provisioning.
In cloud environments, least privilege extends beyond user accounts to include service accounts, API keys, IAM roles, and machine identities. AWS, Azure, and GCP all provide tools to analyze actual permission usage and recommend tighter policies.
For compliance, least privilege is explicitly or implicitly required by every major framework: SOC 2 evaluates it under logical access controls, ISO 27001 includes it in access control policy requirements, HIPAA mandates the minimum necessary standard for PHI access, and GDPR's data minimization principle extends the concept to data processing.
Operationally, implementing least privilege involves conducting access reviews (typically quarterly for privileged access), implementing just-in-time (JIT) access for administrative functions, and using privileged access management (PAM) solutions to vault and monitor elevated credentials.
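
The usage-based tightening mentioned above, sketched as an added example (not code from this page or from any cloud provider's tool): it compares what a role is granted with what it actually called and proposes a narrower grant. The role data, timestamps, the `right_size` name and the 90-day window (chosen to match a quarterly review) are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed sample data for a hypothetical service role.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
GRANTED = ["s3:*", "dynamodb:GetItem", "iam:PassRole", "kms:Decrypt"]
USAGE_LOG = [  # (action, last time the role actually called it)
    ("s3:GetObject", "2024-06-29T10:00:00+00:00"),
    ("s3:PutObject", "2024-06-12T08:30:00+00:00"),
    ("dynamodb:GetItem", "2024-06-28T23:15:00+00:00"),
    ("kms:Decrypt", "2023-11-02T14:00:00+00:00"),  # stale: outside the window
]


def right_size(granted, usage_log, now, window_days=90):
    """Return (keep, revoke) for one identity.

    keep   -- specific actions observed within the window; a wildcard grant
              such as "s3:*" is replaced by the actions it actually covered.
    revoke -- grants with no matching activity in the window (never used,
              or last used too long ago), in their original order.
    """
    cutoff = now - timedelta(days=window_days)
    recent = {
        action for action, ts in usage_log
        if datetime.fromisoformat(ts) >= cutoff
    }
    keep, revoke = set(), []
    for grant in granted:
        # Action names are matched case-insensitively; "*" is the wildcard.
        used = {a for a in recent if fnmatchcase(a.lower(), grant.lower())}
        if used:
            keep |= used
        else:
            revoke.append(grant)
    return sorted(keep), revoke


if __name__ == "__main__":
    keep, revoke = right_size(GRANTED, USAGE_LOG, NOW)
    print("keep:  ", keep)
    print("revoke:", revoke)
```

Grants that land in the revoke list are candidates for review rather than automatic removal, since rarely used permissions (for example, break-glass access) can be legitimate and are better served by JIT elevation.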
Related Terms
Role-Based Access Control
Role-Based Access Control (RBAC) is an access management model where permissions are assigned to roles rather than individual users, and users are assigned to roles based on their job functions. This simplifies administration and ensures consistent access provisioning.
Access Control
Access control encompasses the policies, procedures, and technical mechanisms that regulate who can view or use resources within a computing environment. It ensures that only authorized individuals can access specific systems, data, or physical locations based on their role and need.
Zero Trust
Zero Trust is a security model based on the principle that no user, device, or network should be inherently trusted, regardless of location. Every access request must be continuously verified based on identity, device posture, and context before granting access.
Multi-Factor Authentication
Multi-factor authentication (MFA) is a security mechanism that requires users to provide two or more independent verification factors to access a system. Factors include something you know (password), something you have (security token), and something you are (biometric).