Infosec glossary
Least Privilege
Least privilege is one of the most durable terms in security language, but it still gets watered down into a generic “good access hygiene” phrase. The principle is more useful when it stays tied to limiting permissions to what is actually needed for a task or role.
Why the principle matters
Least privilege matters because broad access creates avoidable risk. The more permissions an identity or system holds without need, the more damage misuse, compromise, or error can cause.
That is why the principle is foundational across identity, zero trust, workload security, and privileged access discussions.
What the principle looks like in practice
In practice, least privilege means asking what access is actually required and removing excess access beyond that. The exact implementation differs by environment, but the security logic stays the same: narrower permissions reduce exposure.
The principle is strongest when explained through task, scope, and blast radius rather than abstract access minimalism.
- Access tied to actual role or task
- Reduced standing privilege
- Narrower blast radius from misuse or compromise
- Applicability across humans and non-human identities
How to keep the term useful
Least privilege is easy to over-generalize because it sounds obviously correct. The better explanation shows where excessive permissions create risk and why tighter access boundaries matter operationally.
That framing keeps the term concrete and makes it easier to link to PAM, zero trust, and workload identity without losing its meaning.
Related reading
The term is clearer when the nearby language is clear too.
Use the pages below when you need adjacent terms, category context, or a longer explanation instead of leaving the definition to stand on its own.
Adjacent terms
Further reading
Sources used to check the definition and terminology
Guides
Where the definition expands into a longer explanation
A practical pre-publish review process for cybersecurity content covering terminology, claims, audience fit, proof, structure, and trust.
How Security Vendors Should Brief External WritersA practical briefing framework for cybersecurity teams working with freelance writers, agencies, or specialist editors on website copy, articles, whitepapers, and proof assets.