defense 2026

No More, No Less: Least-Privilege Language Models

Paulius Rauba 1, Dominykas Seputis 2,3, Patrikas Vanagas 4, Mihaela van der Schaar 1

0 citations · 66 references · arXiv

Published on arXiv: 2601.23157

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Rank-indexed internal interventions enable selective suppression of targeted dangerous capabilities with limited collateral degradation, establishing a new deployment paradigm beyond output-level control.

Nested Least-Privilege Networks

Novel technique introduced


Least privilege is a core security principle: grant each request only the minimum access needed to achieve its goal. Deployed language models almost never follow it, instead being exposed through a single API endpoint that serves all users and requests. This gap exists not because least privilege would be unhelpful; deployments would benefit greatly from reducing unnecessary capability exposure. The real obstacle is definitional and mechanistic: what does "access" mean inside a language model, and how can we enforce it without retraining or deploying multiple models? We take inspiration from least privilege in computer systems and define a class of models called least-privilege language models, where privilege is reachable internal computation during the forward pass. In this view, lowering privilege literally shrinks the model's accessible function class, as opposed to denying access via learned policies. We formalize deployment-time control as a monitor-allocator-enforcer stack, separating (i) request-time signals, (ii) a decision rule that allocates privilege, and (iii) an inference-time mechanism that selects privilege. We then propose Nested Least-Privilege Networks, a shape-preserving, rank-indexed intervention that provides a smooth, reversible control knob. We show that this knob yields policy-usable privilege-utility frontiers and enables selective suppression of targeted capabilities with limited collateral degradation across various policies. Most importantly, we argue for a new deployment paradigm that challenges the premise that language models can only be controlled at the output level.


Key Contributions

  • Formal definition of least-privilege language models where 'privilege' is reachable internal computation during the forward pass, enabling structural capability restriction rather than output filtering
  • Monitor-allocator-enforcer stack that separates request-time signals, privilege allocation policy, and inference-time enforcement mechanisms
  • Nested Least-Privilege Networks: shape-preserving, rank-indexed weight interventions that provide a smooth, reversible control knob yielding privilege-utility frontiers with selective capability suppression

Details

Domains
nlp
Model Types
llm, transformer
Threat Tags
inference_time, grey_box
Applications
llm deployment, capability gating, harmful information prevention