
Least Privilege (Principle of)

Frameworks: SOC 2, ISO 27001, HIPAA, PCI DSS, NIST

Users and services receive only the minimum access required to perform their function.

The Principle of Least Privilege requires that subjects (users, services, processes) be granted the minimum access rights necessary to perform their authorised function, bounded in both scope (which actions, on which resources) and duration (for how long). Just-In-Time (JIT) elevation, which grants a privilege only for the task at hand and revokes it when the task or a short time window ends, is the modern operational pattern for the duration dimension; standing admin rights are its opposite.

Why it matters
Standing (long-lived) admin credentials turn a single stolen or leaked secret into unbounded access, and credential abuse is a recurring initial-access path in breach reports. Over-permissive cloud IAM policies (wildcard actions or resources, grants with no expiry) are among the most common findings in CSPM scans.
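As an added example (not code from the original glossary page), the following Python checker reads an AWS IAM policy document and flags the two failure modes the definition names: unbounded scope (wildcard actions or resources, `NotAction`) and unbounded duration (no expiry condition). Both policy documents are constructed samples, `check_policy` and `check_statement` are hypothetical helper names, and the expiry check treats a `DateLessThan` condition on `aws:CurrentTime` as the time-box a JIT workflow would stamp onto a temporary grant.

```python
"""Flag over-permissive statements in AWS IAM policy documents.

Added example, not code from the original glossary page. The two policies
below are constructed samples; check_policy / check_statement are
hypothetical helper names used only for this illustration.
"""
import json

# Constructed sample: the kind of standing "admin" policy CSPM scanners flag.
OVER_PERMISSIVE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: scoped to two actions, one bucket, and a JIT time window.
LEAST_PRIVILEGE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-reports",
            "arn:aws:s3:::example-reports/*",
        ],
        # Expiry condition: the grant stops working after this timestamp.
        "Condition": {
            "DateLessThan": {"aws:CurrentTime": "2024-01-01T12:00:00Z"}
        },
    }],
})


def _as_list(value):
    """IAM allows either a string or a list in Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_statement(stmt):
    """Return a list of findings for one Allow statement (empty = clean)."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings  # Deny statements only narrow access

    # Scope: "*" or service-wide "svc:*" actions grant far more than one task needs.
    for action in _as_list(stmt.get("Action")):
        if action == "*" or action.endswith(":*"):
            findings.append(f"wildcard action {action!r}")

    # Scope: NotAction allows everything except the listed actions.
    if "NotAction" in stmt:
        findings.append("NotAction grants every action not listed")

    # Scope: "*" resource applies the actions to every resource in the account.
    for resource in _as_list(stmt.get("Resource")):
        if resource == "*":
            findings.append("wildcard resource '*'")

    # Duration: without an expiry condition the grant is standing access.
    cond = stmt.get("Condition", {})
    time_bound = any(
        "aws:CurrentTime" in cond.get(op, {})
        for op in ("DateLessThan", "DateLessThanEquals")
    )
    if not time_bound:
        findings.append("no expiry condition (standing access)")
    return findings


def check_policy(policy_json):
    """Return {statement_index: [findings]} for every statement with problems."""
    doc = json.loads(policy_json)
    statements = _as_list(doc.get("Statement"))
    return {i: f for i, s in enumerate(statements) if (f := check_statement(s))}


if __name__ == "__main__":
    for name, policy in (("over-permissive", OVER_PERMISSIVE),
                         ("least-privilege", LEAST_PRIVILEGE)):
        print(name, check_policy(policy) or "clean")
```

The checker is deliberately conservative: it reports any Allow statement without a time-bound condition, which is what a JIT programme wants for human elevation, whereas long-running workload roles are normally scoped by resource and action instead and would need that rule relaxed.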

Related terms

RBAC (Role-Based Access Control)
Access control model granting permissions to roles, and assigning users to roles.
User Access Review
Periodic review by data owners confirming each user's access remains appropriate; typically quarterly.
Segregation of Duties (SoD)
Splitting critical tasks across multiple individuals so that no single person can commit fraud or introduce an untraceable error on their own.

Does your program actually cover Least Privilege (Principle of)?

Run a free ComplianceIQ audit against SOC 2 and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
