AC-6

Least Privilege

Access Control

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned tasks.

High PriorityAI-Relevant Control

Purpose

Limit user access to only the resources necessary to perform their job functions.

AI Relevance

Critical for AI systems to ensure users only have access to necessary models, data, and functions. Prevents privilege escalation in AI environments.

Implementation Guidance

Implement granular access controls, regular privilege reviews, just-in-time access provisioning, and automated privilege escalation detection.

Assessment

Review user privileges, test access controls, verify least privilege compliance, and audit privilege escalation events.

Requirements

  • 1Employ the principle of least privilege for all users
  • 2Employ the principle of least privilege for all processes
  • 3Employ the principle of least privilege for all applications
  • 4Employ the principle of least privilege for all systems
  • 5Employ the principle of least privilege for all networks
  • 6Employ the principle of least privilege for all devices
  • 7Employ the principle of least privilege for all facilities
  • 8Employ the principle of least privilege for all data
  • 9Employ the principle of least privilege for all services

Related Controls

AC-2: Account ManagementAC-3: Access EnforcementAC-4: AC-4IA-2: Identification and Authentication (Organizational Users)

References

NIST SP 800-53 Rev 5NIST Zero Trust Architecture

Framework Context

NIST 800-53 Rev 5

Security and Privacy Controls for Federal Information Systems

Official Documentation →

NIST AI RMF

AI Risk Management Framework

AI RMF Documentation →

OWASP AISVS

AI Security Verification Standard

AISVS Documentation →