Which TWO principles are essential for implementing least privilege in identity and access management?
Minimum necessary permissions are the core of least privilege.
Why this answer
A is correct because 'minimum necessary permissions' is the core principle of least privilege, ensuring users and processes are granted only the permissions required to perform their authorized tasks. This directly limits the attack surface by preventing access to resources beyond what is strictly needed for a specific role or function.
Exam trap
The trap here is that candidates often confuse 'need-to-know' (which applies to data confidentiality and information disclosure) with 'minimum necessary permissions' (which applies to system access and authorization), or mistakenly think segregation of duties is a subset of least privilege rather than a distinct control.