How do you audit for least privilege over time?

Multiple Choice

How do you audit for least privilege over time?

Explanation:
The idea being tested is managing access as a lifecycle, not a one-time event. To truly maintain least privilege over time, you need a regular process that reviews what each person actually needs, removes rights that are no longer necessary, and keeps a record of any temporary elevations. Periodic permission reviews catch drift as people change roles or projects, ensuring access stays aligned with current responsibilities. Removing unused rights trims the attack surface and reduces the chance of over-privileged accounts being misused or misconfigured. Tracking privilege escalations creates an audit trail, helps detect unnecessary or persistent elevated privileges, and supports timely revocation when those elevations are no longer justified. Together, these practices create ongoing governance that keeps access aligned with policy and risk tolerance.

Granting admin rights broadly undermines least privilege, so it's not appropriate. Ignoring privilege changes lets drift accumulate unchecked. Reviewing only during onboarding misses changes that occur after someone starts and as time passes.