IT Glossary
The principle of least privilege grants only the minimum access needed. Learn how least privilege works, why it matters, and how Corma enforces it.
July 3, 2026
The principle of least privilege (PoLP) is a security concept stating that every user, account, or process should have only the minimum access rights needed to perform its function, and no more. By limiting permissions to what is strictly necessary, PoLP reduces the attack surface and the potential damage from a compromised account, an insider mistake, or misuse.
After a phishing incident, a company audits access and finds dozens of employees with admin rights they never used. Applying least privilege, those rights are stripped back to role requirements, and elevation becomes request-based. The same breach now touches far less. Least privilege is also a recurring control in ISO 27001 and NIS2, which is why access reviews and PoLP usually move together.
It limits how much damage a compromised account or insider can do, because each identity can only reach what it strictly needs.
Through role-based permissions, just-in-time elevation, and regular access reviews that strip away rights that are no longer required.
It is a core control in frameworks such as ISO 27001, SOC 2, and NIS2, which expect access to be limited and reviewed.