Least privilege is the security principle that every user, device, or process should get only the minimum access needed to do its job, and nothing more, so a compromised account or stolen badge can only reach a small slice of the system.
Least privilege is a simple idea with big consequences: give each person, account, or device the least amount of access it needs to function, and nothing extra. A receptionist's badge shouldn't open the server room. A regular user account shouldn't be able to install software or read payroll files. The point is to shrink the blast radius. If an attacker gets in through one account, least privilege keeps them boxed into whatever that account was allowed to touch.
In Unit 2, this shows up in how you control physical spaces. A workstation security policy can set tiers of access based on the sensitivity of the data handled there (EK 2.3.A.2). Card readers at different doors mean each badge only opens the entries that employee actually needs (EK 2.3.B.4), and locks on server cabinets and computers keep people away from devices they have no reason to touch (EK 2.3.B.3). Least privilege is the reasoning behind all of those choices: don't hand out access just because it's convenient.
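The door-by-door reasoning above can be checked mechanically. The following is an added example, not part of the original study guide: it compares what each badge can open against what its role needs and reports the excess. All role names, door names, tiers, and badge IDs are constructed for illustration.

```python
# Constructed sample data: every role, door, tier and badge ID is hypothetical.
ROLE_NEEDS = {
    "receptionist": {"lobby", "front_office"},
    "accountant": {"lobby", "finance_office"},
    "sysadmin": {"lobby", "it_office", "server_room"},
}

# Sensitivity tier per door (higher = more sensitive), mirroring tiered access.
DOOR_TIER = {"lobby": 0, "front_office": 1, "finance_office": 2,
             "it_office": 2, "server_room": 3}

# badge ID -> (role, doors the card readers currently accept it at)
BADGES = {
    "B-1001": ("receptionist", {"lobby", "front_office", "server_room"}),
    "B-1002": ("accountant", {"lobby", "finance_office"}),
    "B-1003": ("sysadmin", {"lobby", "it_office", "server_room", "finance_office"}),
}

def audit_badge(role, granted):
    """Return (excess, missing) door sets for one badge against its role."""
    needed = ROLE_NEEDS[role]
    return granted - needed, needed - granted

def audit_all(badges):
    """List over-privileged badges, most sensitive excess door first."""
    findings = []
    for badge_id, (role, granted) in badges.items():
        excess, _ = audit_badge(role, granted)
        if excess:
            worst = max(DOOR_TIER[d] for d in excess)
            findings.append((worst, badge_id, role, sorted(excess)))
    findings.sort(key=lambda f: (-f[0], f[1]))
    return findings

def blast_radius(granted):
    """Fraction of all doors a stolen badge would open."""
    return len(granted) / len(DOOR_TIER)

def least_privilege_grants(badges):
    """Rebuild each badge's grants from its role alone (the corrected state)."""
    return {b: (role, set(ROLE_NEEDS[role])) for b, (role, _) in badges.items()}

if __name__ == "__main__":
    for tier, badge_id, role, excess in audit_all(BADGES):
        print(f"{badge_id} ({role}): remove {excess} (highest tier {tier})")
    fixed = least_privilege_grants(BADGES)
    for badge_id, (_, granted) in BADGES.items():
        print(badge_id, blast_radius(granted), "->", blast_radius(fixed[badge_id][1]))
```

The receptionist badge that opens the server room is reported first because its excess door sits in the highest tier; after the grants are rebuilt from roles, the audit returns no findings.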
Least privilege lives in Unit 2: Securing Spaces, specifically Topic 2.3 Protecting Physical Spaces. It backs up objective AP Cybersecurity 2.3.A (managerial controls like workstation policies and tiered access) and AP Cybersecurity 2.3.B (picking mitigations for physical vulnerabilities). The whole logic of 2.3.B.1 is matching a control to how an adversary would exploit a weakness, and least privilege is how you decide who gets access in the first place. It's a recurring theme across the course because the same principle applies to physical doors, file permissions, and admin rights alike.
Managerial Control (Unit 2)
Least privilege is enforced through managerial controls like a workstation security policy. The policy is the document; least privilege is the rule it follows when it decides who's allowed where.
Card Readers and Tiered Access (Unit 2)
Card readers at separate entries (EK 2.3.B.4) are least privilege made physical. Each badge opens only the doors that employee needs, so one stolen badge can't roam the whole building.
Physical Control (Unit 2)
Locks on server cabinets and computers (EK 2.3.B.3) carry out least privilege at the hardware level. If you don't need to touch a device, you shouldn't be able to reach it.
Preventative Control (Unit 2)
Least privilege is mostly preventative thinking. By limiting access before anything goes wrong, you stop attacks from spreading instead of just detecting or fixing them after the fact.
Expect least privilege to show up as the reasoning behind a control, not as a standalone vocabulary word. MCQ stems often describe a scenario (an employee with more access than their role needs, or a badge that opens too many doors) and ask which control or principle fixes it. The right answer usually limits access to the minimum. For a free-response item asking you to recommend mitigations for a physical vulnerability, naming the principle by name and tying it to a concrete control like tiered workstation policies or door-specific card readers earns credit. Always connect it back to the adversary: explain how restricting access prevents or contains the attack (EK 2.3.B.1).
An acceptable use policy says what users are allowed to do with their access (no personal browsing on work devices, no installing unapproved apps). Least privilege decides how much access they get in the first place. One sets the rules of behavior; the other sets the boundaries of reach.
Least privilege means giving every user, device, or account only the minimum access it needs and nothing more.
Its main payoff is shrinking the blast radius, so a compromised account or stolen badge can only reach a small part of the system.
In Unit 2, least privilege drives tiered workstation policies (EK 2.3.A.2), door-specific card readers (EK 2.3.B.4), and locks on cabinets and devices (EK 2.3.B.3).
It's a preventative principle: it stops or contains attacks before they spread rather than detecting or correcting them afterward.
On the exam, name the principle and tie it to a concrete control, then explain how limiting access blocks the adversary.
It's the principle of giving each person, account, or device the smallest amount of access needed to do its job. If you don't need to open a door or read a file to do your work, you shouldn't be able to.
No. Least privilege limits how much access someone gets; an acceptable use policy defines what they're allowed to do with the access they have. One controls reach, the other controls behavior.
Because physical access is access. Tiered workstation policies and card readers that only open certain doors (EK 2.3.A.2, EK 2.3.B.4) apply least privilege to the building, so a stolen badge can't get into the server room.
It's preventative in spirit. By restricting access before anything goes wrong, it stops attacks from spreading, unlike detective controls that just notice an incident after it happens.
Name the principle, recommend a concrete control like role-based door access or device locks, then explain how limiting access prevents or contains the adversary's attack (EK 2.3.B.1).