It’s great to see an article talking about the principle of least privilege. I think a good application of the ideas of zero trust (something I have yet to see from anything that’s called itself a ‘zero-trust policy’) should pay equal attention to the principle of intentionality: any time that a program performs a privileged operation, it should explicitly choose to do so.
Most systems that I’ve seen try to use role-based access control to approximate this, but that leads to either a lot of role transitions or to overly broadly scoped roles. If I privilege elevate to a role that is effectively omnipotent with a context, I am not respecting the principle of intentionality because I am not saying which rights I want to be exercising when I perform each action. If I need to change to a different role to do any action then I am respecting the principle but I am spending so much time on role transitions that I will hate the system.
Capability systems make it easy to implement this kind of thing but they seem to be incredibly rare among the folks pushing for zero trust.
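As an added example (not part of the comment above; all names are assumed), the intentionality idea in a capability style: every privileged call takes a capability and names the single right it exercises, and the backup job is handed a capability attenuated to READ that it has no role-transition path to widen.

```python
from dataclasses import dataclass
from enum import Flag, auto

class Right(Flag):
    READ = auto()
    DELETE = auto()

class PermissionDenied(Exception):
    pass

@dataclass(frozen=True)
class Capability:
    # One resource plus the rights it grants; a real capability system makes this unforgeable.
    resource: str
    rights: Right
    def attenuate(self, rights: Right) -> "Capability":
        # Derive a weaker capability for a callee: rights can only shrink, never grow.
        return Capability(self.resource, self.rights & rights)

def require(cap: Capability, resource: str, right: Right) -> None:
    # The caller names the one right it exercises on the one resource (intentionality);
    # nothing is granted by an ambient role or an omnipotent context.
    if cap.resource != resource or right not in cap.rights:
        raise PermissionDenied(f"{right.name} on {resource!r} not granted")

class Store:
    def __init__(self, data: dict) -> None:
        self._data = dict(data)

    def read(self, cap: Capability, name: str) -> str:
        require(cap, name, Right.READ)
        return self._data[name]

    def delete(self, cap: Capability, name: str) -> None:
        require(cap, name, Right.DELETE)
        del self._data[name]

def backup_job(store: Store, cap: Capability, name: str) -> str:
    # Works with whatever capability it was handed; there is no role to switch into.
    return store.read(cap, name)

def demo() -> tuple:
    store = Store({"config": "v1"})  # constructed sample data
    admin = Capability("config", Right.READ | Right.DELETE)
    read_only = admin.attenuate(Right.READ)  # the backup job needs READ and nothing else
    denied = False
    try:
        store.delete(read_only, "config")  # a bug or compromise in the job cannot widen this
    except PermissionDenied:
        denied = True
    return backup_job(store, read_only, "config"), denied
```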