Least privilege security: what IAM teams still miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7433
Topic starter  

TL;DR: Least privilege works only when organisations can continuously reduce accounts, constrain permissions, and measure access drift, according to Opal Security. Without lifecycle discipline and time-bound access, privilege sprawl keeps the attack surface open and makes post-breach investigation harder.

NHIMG editorial — based on content published by Opal Security: Least privilege security is important. But how do you actually implement it?

By the numbers:

Questions worth separating out

Q: How should security teams implement least privilege without disrupting operations?

A: Start with the systems that matter most, especially crown-jewel applications and data stores.

Q: Why do standing privileges create such a large security gap?

A: Standing privileges matter because they outlive the original need for access.

Q: What do organisations get wrong about just-in-time access?

A: The common mistake is treating JIT as a label rather than an operating model.

Practitioner guidance

  • Inventory and remove unnecessary accounts: Start by identifying every account, integration, and service identity that can reach sensitive systems.
  • Convert broad grants into task-scoped access: Rewrite standing entitlements so that higher-risk permissions are only available for a specific task, system, or ticketed workflow.
  • Measure access drift on crown-jewel systems: Track permanent versus time-bound access, unused permissions over a 30 day window, and high-risk entitlements attached to the most sensitive platforms.

What's in the full article

Opal Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • A step-by-step least privilege implementation sequence for reducing accounts and privileges.
  • Practical examples of using just-in-time access and time-bound access in day-to-day operations.
  • A phased approach for starting with crown-jewel systems before expanding least privilege across the environment.
  • Baseline ideas for measuring permanent versus time-bound access over time.

Read Opal Security's guide to implementing least privilege security.
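The "Measure access drift on crown-jewel systems" guidance above is easier to act on with a concrete metric. The script below is an added example, not code from Opal Security or the NHIMG post: it takes a constructed entitlement inventory (field names, system names and the crown-jewel/high-risk sets are assumptions for this example) and reports permanent versus time-bound grants, grants unused over a 30 day window, high-risk standing grants, and time-bound grants that have expired but were never revoked.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Entitlement:
    principal: str             # human user, service account or integration
    system: str
    permission: str
    expires: Optional[date]    # None means a standing (permanent) grant
    last_used: Optional[date]  # None means the grant was never exercised

# Assumed sets for this example; a real inventory would load these from the IAM system.
CROWN_JEWELS = {"payments-db", "prod-k8s"}
HIGH_RISK = {"admin", "owner", "write"}
TODAY = date(2024, 6, 1)

# Constructed sample inventory (not real data).
SAMPLE = [
    Entitlement("alice", "payments-db", "admin", None, TODAY - timedelta(days=2)),
    Entitlement("svc-etl", "payments-db", "read", None, TODAY - timedelta(days=45)),
    Entitlement("bob", "prod-k8s", "admin", TODAY + timedelta(days=1), TODAY),
    Entitlement("ci-bot", "prod-k8s", "write", TODAY - timedelta(days=3), None),
    Entitlement("carol", "wiki", "write", None, None),  # not a crown-jewel system
]

def access_drift(entitlements, today=TODAY, unused_window_days=30):
    """Summarise access drift on crown-jewel systems only."""
    scoped = [e for e in entitlements if e.system in CROWN_JEWELS]
    window = timedelta(days=unused_window_days)
    permanent = [e for e in scoped if e.expires is None]
    time_bound = [e for e in scoped if e.expires is not None]
    # Unused: never exercised, or last exercised outside the review window.
    unused = [e for e in scoped if e.last_used is None or today - e.last_used > window]
    # Standing grants carrying high-risk permissions are the first JIT conversion candidates.
    high_risk_standing = [e for e in permanent if e.permission in HIGH_RISK]
    # Time-bound grants past expiry that still exist indicate a broken revocation step.
    stale = [e for e in time_bound if e.expires < today]
    return {
        "permanent": len(permanent),
        "time_bound": len(time_bound),
        "unused_30d": sorted(f"{e.principal}@{e.system}" for e in unused),
        "high_risk_standing": sorted(f"{e.principal}@{e.system}:{e.permission}" for e in high_risk_standing),
        "expired_not_revoked": sorted(f"{e.principal}@{e.system}" for e in stale),
    }

if __name__ == "__main__":
    for metric, value in access_drift(SAMPLE).items():
        print(metric, value)
```

Running the same function on each export over time gives the permanent-versus-time-bound baseline the guidance asks for, and the expired-but-present list is a direct check that revocation actually happens.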
