Table of Contents
Fetching ...

No More, No Less: Least-Privilege Language Models

Paulius Rauba, Dominykas Seputis, Patrikas Vanagas, Mihaela van der Schaar

TL;DR

The paper reframes safe LM deployment as a least-privilege problem, where per-request privilege limits the internal computations the model can perform without altering base weights. It introduces a monitor–allocator–enforcer stack and Nested Least-Privilege Networks (NLPNs) to realize a reversible, rank-indexed control knob over internal computations, enabling selective suppression of targeted capabilities while preserving utility on other tasks. Through algorithmic and real-model experiments, it demonstrates monotone utility degradation with reduced privilege, highlights frontiers balancing utility, privilege, and overhead, and shows potential for selective suppression of specific knowledge domains. The work argues for a new deployment paradigm where access to internal model capabilities is configurable per user or request, with measurable trade-offs and governance implications for safety and governance.

Abstract

Least privilege is a core security principle: grant each request only the minimum access needed to achieve its goal. Deployed language models almost never follow it, instead being exposed through a single API endpoint that serves all users and requests. This gap exists not because least privilege would be unhelpful; deployments would benefit greatly from reducing unnecessary capability exposure. The real obstacle is definitional and mechanistic: what does "access" mean inside a language model, and how can we enforce it without retraining or deploying multiple models? We take inspiration from least privilege in computer systems and define a class of models called least-privilege language models, where privilege is reachable internal computation during the forward pass. In this view, lowering privilege literally shrinks the model's accessible function class, as opposed to denying access via learned policies. We formalize deployment-time control as a monitor-allocator-enforcer stack, separating (i) request-time signals, (ii) a decision rule that allocates privilege, and (iii) an inference-time mechanism that selects privilege. We then propose Nested Least-Privilege Networks, a shape-preserving, rank-indexed intervention that provides a smooth, reversible control knob. We show that this knob yields policy-usable privilege-utility frontiers and enables selective suppression of targeted capabilities with limited collateral degradation across various policies. Most importantly, we argue for a new deployment paradigm that challenges the premise that language models can only be controlled at the output level.

No More, No Less: Least-Privilege Language Models

TL;DR

The paper reframes safe LM deployment as a least-privilege problem, where per-request privilege limits the internal computations the model can perform without altering base weights. It introduces a monitor–allocator–enforcer stack and Nested Least-Privilege Networks (NLPNs) to realize a reversible, rank-indexed control knob over internal computations, enabling selective suppression of targeted capabilities while preserving utility on other tasks. Through algorithmic and real-model experiments, it demonstrates monotone utility degradation with reduced privilege, highlights frontiers balancing utility, privilege, and overhead, and shows potential for selective suppression of specific knowledge domains. The work argues for a new deployment paradigm where access to internal model capabilities is configurable per user or request, with measurable trade-offs and governance implications for safety and governance.

Abstract

Least privilege is a core security principle: grant each request only the minimum access needed to achieve its goal. Deployed language models almost never follow it, instead being exposed through a single API endpoint that serves all users and requests. This gap exists not because least privilege would be unhelpful; deployments would benefit greatly from reducing unnecessary capability exposure. The real obstacle is definitional and mechanistic: what does "access" mean inside a language model, and how can we enforce it without retraining or deploying multiple models? We take inspiration from least privilege in computer systems and define a class of models called least-privilege language models, where privilege is reachable internal computation during the forward pass. In this view, lowering privilege literally shrinks the model's accessible function class, as opposed to denying access via learned policies. We formalize deployment-time control as a monitor-allocator-enforcer stack, separating (i) request-time signals, (ii) a decision rule that allocates privilege, and (iii) an inference-time mechanism that selects privilege. We then propose Nested Least-Privilege Networks, a shape-preserving, rank-indexed intervention that provides a smooth, reversible control knob. We show that this knob yields policy-usable privilege-utility frontiers and enables selective suppression of targeted capabilities with limited collateral degradation across various policies. Most importantly, we argue for a new deployment paradigm that challenges the premise that language models can only be controlled at the output level.
Paper Structure (38 sections, 8 equations, 15 figures, 4 tables, 1 algorithm)

This paper contains 38 sections, 8 equations, 15 figures, 4 tables, 1 algorithm.

Figures (15)

  • Figure 1: Least-privilege inference as an internal control problem.(A) At deployment, the model parameters are fixed, but the amount of internal capability exercised need not be. Separating signals, allocation, and enforcement exposes a concrete action space for controllers: choose how much computation the model is allowed to use for each request. (B) We instantiate enforcement with rank-indexed, shape-preserving interventions that operate inside the forward pass. Together, these panels define a deployer-facing control surface on which allocation policies can be evaluated by utility, privilege cost, and runtime overhead.
  • Figure 2: Privilege--utility frontiers induced by inference-time control. Varying the privilege level $g$ yields a family of deployed policies $\{\pi_{\theta,g}\}$ that trade task utility against a proxy for internal capability (e.g. average rank used). Full-privilege operation occupies the high-capability extreme, while least-privilege policies aim to meet a fixed utility target with minimal average privilege by allocating higher $g$ only to hard or uncertain requests. This frontier is the object optimized by least-privilege inference: minimize privilege subject to a required utility constraint. We show a practical example of this frontier with a language model in Sec. \ref{['sec:studies']}.
  • Figure 3: Taxonomy of deployment-time control mechanisms. (a) Output wrappers filter after full computation; the underlying capability remains reachable via repeated sampling. (b) Adaptive compute varies depth/budget but preserves the model's function class. (c) Activation steering injects a fixed perturbation at a chosen layer. (d) Least Privilege Models (this work): request-time signals determine privilege level $g$, which constrains the rank of internal weight matrices, restricting the reachable function class during inference.
  • Figure 4: Performance on Pythia-1B by rank (privilege) and difficulty level. Accuracy degrades as rank is reduced, with larger drops at higher difficulty, performed on the balanced brackets task. This property is desirable: this means privilege can be selectively tuned to the difficulty of the task.
  • Figure 5: Utility-Privilege trade-offs for five policies on Pythia-1B: Policy comparison across target accuracies (80%, 90%, 95%). At low targets, policies converge to minimal privilege; at higher targets, allocators diverge significantly. Static LP must over-allocate privilege to satisfy worst-case instances; progressive escalation adapts rank to instance difficulty, reducing average privilege at the cost of additional inference passes. The jump variant demonstrates the privilege - overhead trade-off by escalating directly to maximum rank when needed.
  • ...and 10 more figures

Theorems & Definitions (1)

  • Definition 3.1: Privilege as reachability