PL4-least-privilege · Safe Space IAM: scoped read-only by default. Applies to: DB, Kubernetes, AWS.

Maturity levels:

- **0 Absent**: Agents run as admin.
- **1 Nascent**: Mixed scopes.
- **2 Operational**: Strict least-privilege; write requires **structurally-enforced** elevation — platform-gated (IAM policy-as-code + JIT, credential tenancy, GitOps-triggered grants), not procedural (ticketed approval that then executes with unscoped credentials). See [GitOps JIT privilege elevation](recipes/gitops-jit-privilege-elevation.md) for a known-good shape.
- **3 Compounding**: Permission requests logged; recurring legitimate elevations get scoped permanent grants; unused permissions auto-revoked.