No More, No Less: Least-Privilege Language Models
Paulius Rauba, Dominykas Seputis, Patrikas Vanagas, Mihaela van der Schaar
TL;DR
The paper reframes safe LM deployment as a least-privilege problem, where per-request privilege limits the internal computations the model can perform without altering base weights. It introduces a monitor–allocator–enforcer stack and Nested Least-Privilege Networks (NLPNs) to realize a reversible, rank-indexed control knob over internal computations, enabling selective suppression of targeted capabilities while preserving utility on other tasks. Through algorithmic and real-model experiments, it demonstrates monotone utility degradation with reduced privilege, highlights frontiers balancing utility, privilege, and overhead, and shows potential for selective suppression of specific knowledge domains. The work argues for a new deployment paradigm where access to internal model capabilities is configurable per user or request, with measurable trade-offs and governance implications for safety and governance.
Abstract
Least privilege is a core security principle: grant each request only the minimum access needed to achieve its goal. Deployed language models almost never follow it, instead being exposed through a single API endpoint that serves all users and requests. This gap exists not because least privilege would be unhelpful; deployments would benefit greatly from reducing unnecessary capability exposure. The real obstacle is definitional and mechanistic: what does "access" mean inside a language model, and how can we enforce it without retraining or deploying multiple models? We take inspiration from least privilege in computer systems and define a class of models called least-privilege language models, where privilege is reachable internal computation during the forward pass. In this view, lowering privilege literally shrinks the model's accessible function class, as opposed to denying access via learned policies. We formalize deployment-time control as a monitor-allocator-enforcer stack, separating (i) request-time signals, (ii) a decision rule that allocates privilege, and (iii) an inference-time mechanism that selects privilege. We then propose Nested Least-Privilege Networks, a shape-preserving, rank-indexed intervention that provides a smooth, reversible control knob. We show that this knob yields policy-usable privilege-utility frontiers and enables selective suppression of targeted capabilities with limited collateral degradation across various policies. Most importantly, we argue for a new deployment paradigm that challenges the premise that language models can only be controlled at the output level.
