They confuse two different controls. Least privilege limits what an identity can do once access exists, while CBAC determines whether the request should be allowed in the first place. If teams collapse those jobs into one rule set, they usually end up with either over-permissive access or brittle policy that is hard to govern.
Why This Matters for Security Teams
CBAC is useful, but it is not a substitute for least privilege. CBAC answers whether a request should be allowed based on context, while least privilege limits the maximum damage an identity can cause after access exists. Teams get into trouble when they treat context as a complete replacement for scope, because policy can approve a request that still leaves broad standing access in place. That is especially dangerous for NHIs, service accounts, and AI-driven workloads that can retry, chain, or automate actions at machine speed.
Current guidance suggests treating CBAC and least privilege as complementary controls, not competing models. CBAC is strongest at runtime decisioning; least privilege is strongest at reducing blast radius. NHI Mgmt Group has repeatedly highlighted how excessive entitlement and weak lifecycle control drive real exposure, including the broader findings in the Ultimate Guide to NHIs — Key Challenges and Risks. The practical issue is that context can change per request, but privilege often persists long after the context that justified it has disappeared. In practice, many security teams discover this only after a service account or agent has already been allowed to act far beyond its intended scope.
How It Works in Practice
CBAC should be used to decide whether a specific action is appropriate in the moment, while least privilege should define the narrowest standing entitlement an identity can retain. In a clean design, the identity starts with minimal baseline access, then CBAC evaluates request attributes such as workload, resource, location, time, task intent, and risk signals before authorising the operation. The policy decision is then enforced through the control plane, API gateway, PAM layer, or application authorisation service.
This separation matters because a contextual allow decision does not automatically reduce what the identity can do later. If the account already has broad permissions, CBAC may simply become a gate that opens a wider door than necessary. A better pattern is to combine CBAC with just-in-time elevation, short-lived tokens, and strict entitlement scoping. That aligns with the direction described in OWASP Non-Human Identity Top 10 and with the resource-centric trust model in NIST SP 800-207 Zero Trust Architecture.
Operationally, teams usually need to:
- Set the minimum baseline role first, then layer CBAC on top for runtime approval.
- Use CBAC to approve a task, not to justify permanent privilege.
- Issue time-bound access for elevated actions and revoke it automatically when the task ends.
- Review policy logs for repeated denials that indicate the baseline role is too broad or too narrow.
The strongest implementations also bind CBAC to identity proof, request provenance, and resource sensitivity, rather than relying on static tags alone. These controls tend to break down in legacy applications that cannot evaluate context at request time because the authorisation layer has no reliable place to enforce dynamic policy.
Common Variations and Edge Cases
Tighter CBAC often increases policy complexity, so organisations must balance precision against operational overhead. That tradeoff becomes visible when every application invents its own context model, making rules inconsistent and hard to audit. Best practice is evolving, but there is no universal standard for how much context is enough or which attributes should be mandatory across all environments.
One common edge case is emergency access. CBAC may approve a break-glass request, but least privilege should still constrain the scope and lifetime of that access. Another is automation: a CI/CD pipeline or AI agent may have a valid context for one deployment job and an invalid one for the next, so standing entitlements should remain narrow even if the workflow is trusted. NHIMG research on the broader NHI problem shows why this matters, including the persistence of excessive privilege and weak revocation discipline in the Ultimate Guide to NHIs — Key Challenges and Risks. The key lesson is simple: CBAC can reduce unnecessary approvals, but only least privilege reduces the blast radius when a request, token, or workload is compromised.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses overprivileged non-human identities and weak entitlement scope. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must still be limited even when contextual checks are used. |
| NIST Zero Trust (SP 800-207) | Zero trust requires continuous, context-based authorization plus constrained access. |
Minimize standing NHI permissions and pair contextual approval with short-lived elevation.
Related resources from NHI Mgmt Group
- What do teams get wrong about least privilege in privileged access programmes?
- What do teams get wrong when they treat zero trust as an IGA feature?
- What do organisations get wrong when they treat identity verification as a pilot project?
- What do organisations get wrong when they treat human, machine, and AI identities the same?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
