Glossary

Least Privilege

Security principle under which users receive only the minimum access rights necessary for their function.

The principle of least privilege dictates that users, applications, and processes should be granted only the minimum level of access necessary to perform their designated functions. This fundamental security concept reduces the attack surface by limiting what a compromised account or malicious insider can access, thereby containing the potential blast radius of a security incident.

Implementing least privilege requires regular access reviews, role-based access control (RBAC), and timely deprovisioning when roles change. It is a cornerstone requirement across frameworks such as ISO 27001, NIS2, and SOC 2, and works in conjunction with privileged access management to ensure that elevated permissions are tightly controlled and monitored.