AICM Atlas · CSA AI Controls Matrix
IAM · Identity & Access Management
IAM-05 · Cloud & AI Related

Least Privilege

Specification

Employ the least privilege principle when implementing information system access.

Threat coverage

Model manipulation
Data poisoning
Sensitive data disclosure
Model theft
Model/Service Failure
Insecure supply chain
Insecure apps/plugins
Denial of Service
Loss of governance

Architectural relevance

Physical infrastructure
Network
Compute
Storage
Application
Data

Lifecycle

Preparation

Data storage, Resource provisioning, Team and expertise

Development

Design, Supply Chain, Guardrails

Evaluation

Evaluation, Validation/Red Teaming, Re-evaluation

Deployment

AI Services supply chain, Orchestration, AI applications

Delivery

Operations, Maintenance

Retirement

Archiving, Data deletion, Model disposal

Ownership / SSRM

PI

Shared across the supply chain

Shared control ownership refers to responsibilities and activities related to LLM security that are distributed across multiple stakeholders within the AI supply chain, including the Cloud Service Provider (CSP), Model Provider (MP), Orchestrated Service Provider (OSP), Application Provider (AP), and Customer (AIC). These controls require coordinated actions, communication, and governance across all involved parties to ensure their effectiveness.

Model

Shared Cloud Service Provider-Model Provider (Shared CSP-MP)

The CSP and MP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.

Orchestrated

Shared Model Provider-Orchestrated Service Provider (Shared MP-OSP)

The MP and OSP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.

Application

Shared Orchestrated Service Provider-Application Provider (Shared OSP-AP)

The OSP and AP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.

Implementation guidelines

[All Actors]
Best Practices for implementing the Principle of Least Privilege (PoLP) include:
1. LP Infrastructure: The AI system's infrastructure should be designed and configured with PoLP in mind by limiting the privileges of identities to the bare minimum required for their operation.

2. LP Roles and Permissions: The specific actions, data, and resources each role needs to access to perform its duties should be identified in order to determine the appropriate level of access for each role/identity (RBAC should be used to enforce access control permissions).

3. Permission Change Management: Establish a process for requesting, approving, implementing, and documenting permission changes, to prevent undue privilege escalation. Require justification for changes and maintain an audit log. 

4. LP Access of Administrative Accounts:
i. Administrative accounts (e.g., root or administrator accounts) should have the most restrictive access, limited to specific tasks and environments, and should be used only when absolutely necessary
ii. MFA should be enforced for all administrative accounts and any other high-risk access points

5. Sensitive Data Access Limitation: Access to sensitive data should be restricted to the minimum number of identities required to accomplish their job function.

6. Unused Privileges Revocation: Identities' access privileges should be proactively reviewed on a regular basis in order to revoke unused or excessive permissions, maintain the PoLP, and reduce the attack surface.

7. LP Access Reviews:
i. Access privileges should be regularly reviewed and assessed to ensure they align with the current job/function requirements, to identify any unnecessary or excessive access and make adjustments accordingly
ii. Automated tools should be implemented to continuously monitor and evaluate the effectiveness of PoLP throughout the AI system

8. Temporary Access Grants: Where possible, temporary access grants with automatic expiration should be used so that persistent access to a resource stays limited to the minimum needed.

9. Comprehensive Access Logging: Log any access to resources, including the explicit purpose for access, in order to inform which roles need persistent access.
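
Guidelines 6, 8 and 9 combine into one log-driven access review. The sketch below is an added example, not part of the AICM text: the identities, permissions, log entries, the 90-day window and the three-use threshold for keeping a grant persistent are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed review date (constructed)

def days_ago(n):
    return NOW - timedelta(days=n)

# Constructed grants: (identity, permission, expiry; None = persistent)
GRANTS = [
    ("svc-train", "dataset:read", None),
    ("svc-train", "model-registry:write", None),
    ("alice", "prod-weights:read", None),
    ("bob", "prod-admin", days_ago(2)),   # temporary grant, already expired
    ("carol", "eval-results:read", None),
]
# Constructed access log: (time, identity, permission, stated purpose)
ACCESS_LOG = [(days_ago(d), "svc-train", "dataset:read", "nightly training")
              for d in range(1, 30)]
ACCESS_LOG += [
    (days_ago(200), "svc-train", "model-registry:write", "initial publish"),
    (days_ago(40), "alice", "prod-weights:read", "incident review"),
    (days_ago(5), "bob", "prod-admin", ""),  # access logged without a purpose
]

def review(grants, log, now, window=timedelta(days=90), persistent_min_uses=3):
    """Map each grant to keep / revoke / convert, based only on logged usage."""
    recent = Counter((i, p) for t, i, p, _ in log if now - t <= window)
    decisions = {}
    for ident, perm, expiry in grants:
        uses = recent[(ident, perm)]
        if expiry is not None and expiry <= now:
            decisions[(ident, perm)] = "revoke-expired"        # guideline 8
        elif uses == 0:
            decisions[(ident, perm)] = "revoke-unused"         # guideline 6
        elif expiry is None and uses < persistent_min_uses:
            decisions[(ident, perm)] = "convert-to-temporary"  # guidelines 8 and 9
        else:
            decisions[(ident, perm)] = "keep"
    return decisions

def missing_purpose(log):
    """Log entries that lack the explicit purpose required by guideline 9."""
    return [(i, p) for _, i, p, purpose in log if not purpose.strip()]

if __name__ == "__main__":
    for grant, action in review(GRANTS, ACCESS_LOG, NOW).items():
        print(grant, "->", action)
    print("no purpose logged:", missing_purpose(ACCESS_LOG))
```

The review treats the access log as its only evidence of need, so an incomplete log would cause grants that are in use to be flagged for revocation.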

Auditing guidelines

1. Verify CSP’s IAM policies restrict access based on least privilege principles.

2. Assess whether shared responsibilities (e.g., managed services) still enforce minimal access for tenants.

3. Check for continuous access reviews and revocations by CSP across platform layers.

4. Confirm that elevated privileges are temporary and tightly monitored.

From CCM:
1. Examine the policy to determine the least privilege required for each role or user.
2. Evaluate the effectiveness of the implementation and review of policy.

Standards mappings

ISO 42001 · No Gap
42001 B.3.2 - AI roles and responsibilities
27001 A.5.15 - Access control
27001 A.5.18 - Access rights
27001 A.8.2 - Privileged access rights
Addendum

N/A

EU AI Act · Partial Gap
Article 9
Article 10
Article 15
Addendum

Mandate the use of the least privilege principle, and require ongoing review, access right minimization, or role-based enforcement.

NIST AI 600-1 · Full Gap
No Mapping
Addendum

No explicit reference to the employment of the least privilege principle when implementing information system access is made in the NIST AI 600-1 standard.

BSI AIC4 · No Gap
C4 DM-01
C4 DM-02
C5 IDM-02
C5 OIS-02
Addendum

N/A

AI-CAIQ questions (1)

IAM-05.1

Are least privilege principles employed when implementing information system access?