Least privilege, without the friction

Published on
1 minutes read

Least privilege is one of those ideas everyone nods along to and almost nobody implements. Give people exactly the access they need, nothing more. Simple on a slide. Painful on a Tuesday, when someone is blocked and the fastest fix is to grant them everything “just for now.”

Why it usually fails

It isn’t that people disagree with the principle. It fails because the friction lands on the wrong day. Locking things down creates small blockers now; the risk of over-granting shows up later, invisibly, as access nobody remembers giving. People discount the later, invisible cost every time.

  • “Temporary” admin rights that never get removed
  • One shared account, because setting up proper access was fiddly
  • Everyone in one big group, because it was easier than thinking about roles
Access granted “just for now” is the most permanent thing in most companies.

Make the right thing the easy thing

The trick is to remove the friction, not demand more discipline. That means access built around roles, not individuals:

  • Group by role, grant to groups. Joining a role gives you the whole bundle; leaving it takes the bundle away.
  • Provision on day one. If people start with what they need, they stop hoarding access out of fear of being blocked.
  • Make requests fast. A quick, tracked way to ask for more beats a permanent over-grant every time.
  • Review on a schedule. Access drifts; a periodic look keeps it honest.

The payoff

Done this way, least privilege stops being a fight. Onboarding and offboarding get simpler, audits get boring in the best way, and a compromised account can only reach what its role could — not the whole company. The goal was never to make access hard. It was to make the right access effortless and the wrong access rare.