Give everyone the minimum access they need — and tightly control privileged accounts.
What it actually means
This is least privilege applied to the people who can do the most damage. Privileged (admin) functions should be restricted to dedicated administrative accounts that are separate from daily-use accounts, granted only to those who need them, and reviewed regularly. Just-in-time elevation is the gold standard but is not required.
Pass or fail — an assessor needs a "yes" to each
- Privileged functions are limited to named/dedicated admin accounts.
- Admins use separate accounts for privileged work vs. daily use.
- Privileged access is reviewed periodically and removed when no longer needed.
What to have ready
- List of privileged accounts and who holds them
- Policy requiring separate admin accounts
- Evidence of periodic privileged-access review (and ideally JIT/PIM logs)
Where teams trip up
- Day-to-day accounts that also carry admin rights
- Shared admin credentials
- Standing privileged access nobody reviews
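As an added example (not from the original page), a small Python audit run over a constructed account export that flags each of the three slip-ups above: a daily-use account holding admin rights, a shared admin credential, and standing privileged access with no recent review. The `adm-` naming convention, the 90-day review window and the export fields are assumptions.

```python
from datetime import date, timedelta

# Constructed sample export (not real directory data): one row per account.
# "owner" is the named person responsible; "shared" marks a credential with no individual owner.
ACCOUNTS = [
    {"user": "jsmith",       "owner": "Jane Smith", "admin": False, "last_review": "2024-05-01"},
    {"user": "adm-jsmith",   "owner": "Jane Smith", "admin": True,  "last_review": "2024-05-01"},
    {"user": "bjones",       "owner": "Bob Jones",  "admin": True,  "last_review": "2024-04-20"},  # daily-use + admin
    {"user": "adm-helpdesk", "owner": "shared",     "admin": True,  "last_review": "2023-01-15"},  # shared + stale
    {"user": "adm-rlee",     "owner": "Rita Lee",   "admin": True,  "last_review": None},          # never reviewed
]

ADMIN_PREFIX = "adm-"        # assumed naming convention for dedicated admin accounts
REVIEW_WINDOW_DAYS = 90      # assumed maximum age of the last privileged-access review


def audit(accounts, today_iso, admin_prefix=ADMIN_PREFIX, window_days=REVIEW_WINDOW_DAYS):
    """Return a list of (user, finding) tuples for every privileged account that fails a check."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        if not acct["admin"]:
            continue  # only privileged accounts are in scope for this control
        user = acct["user"]
        # Separation: admin rights must live on a dedicated admin account, not a daily-use one.
        if not user.startswith(admin_prefix):
            findings.append((user, "daily-use account carries admin rights"))
        # Accountability: every privileged credential needs a named individual owner.
        if acct["owner"] == "shared":
            findings.append((user, "shared admin credential with no individual owner"))
        # Review: standing privileged access must have been reviewed within the window.
        if acct["last_review"] is None:
            findings.append((user, "privileged access never reviewed"))
        elif today - date.fromisoformat(acct["last_review"]) > timedelta(days=window_days):
            findings.append((user, f"last review {acct['last_review']} is older than {window_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS, "2024-06-01"):
        print(f"{user}: {finding}")
```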
See where this control puts your score
Run all 110 requirements free in about 10 minutes.
Calculate your SPRS score →