least-privilege
Safeguard articles tagged "least-privilege" — guides, analysis, and best practices for software supply chain and application security.
46 articles
Least-Privilege Tool Scoping for AI Coding Agents
One overprivileged GitHub token let researchers hijack an AI agent into leaking private repo data via a public issue. Scoping tool access closes that gap.
A guide to AWS IAM permissions boundaries for delegated administration
AWS IAM lets any principal with iam:CreateRole and iam:AttachRolePolicy hand themselves admin — permissions boundaries are the one native control built to stop it.
Designing Least-Privilege Kubernetes RBAC: A Practical Guide
CVE-2018-1002105 (CVSS 9.8) let an unauthenticated request reach cluster-admin through pod exec endpoints — most RBAC breaches since trace back to the same handful of over-broad bindings.
What Is Privilege Escalation? A 2026 Explainer
Privilege escalation is how a limited foothold becomes full control. This explainer covers vertical vs. horizontal paths across Linux, containers, and cloud IAM.
Governing MCP tools with per-tenant feature flags
Safeguard's MCP server exposes 650+ tools. Here's how per-tool feature flags keep each tenant scoped to exactly what it needs — with safe defaults and a fail-safe that narrows, never widens, on error.
Securing AI Coding Assistants: Guardrails That Hold
AI coding assistants are in nearly every IDE now. Banning them fails; trusting them blindly fails harder. The middle path is guardrails — technical controls that let assistants move fast without letting them ship the wrong thing.
Database Credential Security (2026 Guide)
Database credentials are the last door between an attacker and your data. This guide covers eliminating static passwords with IAM auth, scoping least privilege, rotating safely, and detecting leaked connection strings.
AWS IAM Security Best Practices: A 2026 Field Guide
IAM is where most AWS breaches actually happen. This field guide covers least privilege, role assumption, permission boundaries, and the policy patterns that keep blast radius small.
Kubernetes RBAC Security: Least Privilege That Actually Holds
Wildcard verbs, cluster-admin bindings, and forgotten service account tokens turn RBAC into a rubber stamp. Here is how to design roles that contain a breach instead of amplifying it.
What Is Agentic Development Security?
When an AI agent can read your repo, run commands, open pull requests, and call external tools on its own, the security model shifts from reviewing code to governing an actor. Here is what agentic development security means and why it is different.
MCP Server Security: 8 Best Practices for 2026
The Model Context Protocol connects AI agents to your tools and data. That power cuts both ways. Here are eight concrete practices for running MCP servers without handing attackers a remote control.
The Principle of Least Privilege, Explained
Least privilege means every user, service, and process gets exactly the access it needs to do its job — and nothing more. Here's why it contains breaches and how to implement it without breaking things.