AC-6 - Least Privilege

AC-6 requires that users, processes, and devices receive only the access needed to perform their authorized functions. Organizations must enforce least privilege by assigning minimal permissions, reviewing and adjusting rights regularly, and removing unnecessary privileges. This limits the attack surface and reduces the potential impact of compromised accounts or software.