For as long as I’ve been in security, least privilege has been held up as the holy grail. It’s in every framework, every audit checklist, and every security playbook: give users the bare minimum access they need to do their jobs.
On paper, it’s a great idea. In practice? It’s about as realistic as winning the lottery to fund your retirement.
Why least privilege has always been broken
I’ve spent 25 years watching security teams chase least privilege. And I get it. It sounds good. But the truth is, it’s always been broken.
Least privilege was introduced back in the 1970s. Systems were simpler. Identities didn’t change daily. Access models weren’t sprawling across SaaS, IaaS, PaaS, and on-prem all at once. Trying to transplant a decades-old concept into today’s constantly shifting environment doesn’t work.
Think about the modern enterprise:
- People move between teams constantly.
- Apps are added, updated, and deprecated daily, both in the cloud and on premise.
- New types of identities emerge: service accounts, NHIs, contractors, AI agents.
And yet security teams are somehow expected to predict every access need in advance, lock it down, and keep it up to date forever. That’s not security. That’s fantasy.
The real problem: standing permissions
The real risk has never been about whether we achieved “perfect” least privilege. It’s about standing permissions—access that sticks around long after it’s needed. Once a user or system holds standing access to sensitive data or infrastructure, you’ve already lost.
This is where least privilege distracts us. Teams get so focused on designing the “perfect” minimal access model that they actually slow down the business. Developers wait on tickets. Operations teams invent workarounds. And worst of all, stale access lingers, creating bigger risk.
Evolving beyond an old ideal
Instead of clinging to a broken ideal, we need to evolve. Security today isn’t about least privilege, it’s about zero standing access.
That means:
- Just-in-time provisioning: Access is granted when it’s needed, then automatically revoked.
- Step-up approvals: Sensitive actions require extra validation in the moment, not blanket permissions that last forever.
- Full auditability: Every keystroke, every approval, every action logged and reviewable.
If someone needs to drop a production database, that’s fine. But let’s do it with approvals, controls, and visibility. Security’s job isn’t to say “no.” It’s to say “yes, safely.”
The future of access
Least privilege has had a long run, but it’s time to be honest: it never scaled and it was built for a different era.
Today’s organizations need systems designed for complexity, speed, and constant change. That means letting go of least privilege as the north star and building processes that eliminate standing access, enable the business, and scale with reality.
The future is secure access that works. Least privilege is dead, long live zero standing privileges.
