I was sitting with an office manager a while back, running an access review, which is a fancy way of saying I pulled up the list of who can touch what. We got to the part where I check who has administrator rights on the company’s main system. She figured it would be her and the IT guy. Instead the screen showed every single employee, all the way down to the part-time bookkeeper and the intern who started in March. Everyone was an admin. Nobody had decided this on purpose. It had just accumulated, one “can you give me access real quick” at a time.
If you have watched the Apple TV show Severance, you already know the shape of the fix, even if the show makes it look like a nightmare. So let me make an argument I do not get to make very often: the dystopia is also good security advice.
The premise, for the people who have not watched it
The one-line version: in Severance, a company surgically splits each employee into a work self and a home self, so the two never share a single memory, and inside the office information is compartmentalized so tightly that people barely know what the team next door actually does. The show frames this as deeply creepy, and as drama it is. But strip away the brain surgery and you are left with two ideas security people quietly love. The first is least privilege. The second is segmentation. Each person knows and reaches only what their job requires, and the pieces are kept separate so no single failure exposes everything.
The difference is that in real life you do not need to mutilate anyone’s memory to get there. You just need to stop handing out keys to the whole building because it was easier than cutting the right one.
Least privilege and blast radius, in plain English
Least privilege means every account, every person, and every piece of software gets access to exactly what it needs to do its job, and nothing more. The bookkeeper can see the books. The bookkeeper cannot reset everyone’s passwords or read the owner’s email. That is it. It is not a statement about trust. It is a statement about scope.
Blast radius is the other half. When something goes wrong, and eventually something goes wrong, the blast radius is how much of your business that one failure can reach. If an attacker phishes one employee and that employee can only get to their own files, the damage stops there. If that employee happens to be an admin who can see every mailbox and every record, the attacker now has your whole company. Same phishing email. Wildly different outcome. The only thing that changed was how much that one account was allowed to touch.
Most small businesses I look at have a blast radius the size of the entire company. That is the actual problem. Not that they will get phished, because everyone gets phished eventually, but that one click can light up everything at once.
What oversized access actually looks like
This is rarely some dramatic security hole. It is a pile of small conveniences that nobody ever cleaned up. A few I see in almost every office:
- One shared admin login that three people use, so when something breaks nobody can tell who did what.
- An app you connected to your email two years ago that still has permission to read and send from every mailbox, long after you stopped using it.
- A new hire who got handed a copy of someone else’s access “to get started,” and now has rights to systems they have never opened.
- The intern who can pull up payroll because the folder permissions were set once, broadly, and never revisited.

None of this was malice. It was momentum. And every one of those is blast radius waiting to go off.
The same thing is true for the software and vendors you connect to your systems, which is its own quiet category of risk. A tool with full access to everything is a single login away from being your worst day. That is worth a separate look, and we wrote one: the weakest link is the vendor you forgot about.
What to actually do
- Give people roles, not keys to the kingdom. Decide what each job actually needs to touch and grant that. A salesperson needs the CRM, not the ability to delete other users. This is role-based access, and it is mostly a one-afternoon conversation about who does what.
- Take away standing admin rights. Almost nobody needs to be an administrator all day. Give admin powers to the one or two people who truly need them, and only when they are doing admin work. The fewer accounts that can change everything, the smaller your worst case.
- Individual logins, never shared ones. Every person gets their own account. Shared logins make it impossible to know who did what, and you cannot cut off one person without locking out everyone. When someone leaves, you want to flip one switch, not change a password five people still know.
- Review access every quarter. Once every three months, pull the list of who can reach what and ask one question per line: does this person still need this? People change roles, projects end, vendors get dropped. Access almost never shrinks on its own, so you have to shrink it on purpose.
- Put MFA on the high-value accounts. Multi-factor authentication, the second step beyond a password, belongs on the accounts that would hurt the most if lost: email, banking, payroll, and any admin account. It will not feel popular at first, and that is normal. We wrote about why your team fights MFA and how to win that one.
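The five steps above boil down to one repeatable check: compare what each account can reach against what its role needs, and flag the leftovers. The script below is an added illustration, not code from the original post; the role map, the account inventory, the 90-day staleness window and the two-admin limit are all constructed assumptions you would replace with your own list.

```python
from dataclasses import dataclass

# Constructed role policy: what each job actually needs to touch.
ROLE_NEEDS = {
    "sales": {"crm"},
    "bookkeeper": {"books", "payroll"},
    "intern": {"shared_docs"},
    "it_admin": {"crm", "books", "payroll", "mail", "shared_docs", "admin"},
    "vendor_app": set(),  # a connected tool must be re-justified each review
}
HIGH_VALUE = {"admin", "payroll", "books", "mail"}  # accounts that hurt most if lost
MAX_STANDING_ADMINS = 2
STALE_DAYS = 90  # a quarter without use prompts "does this still need access?"

@dataclass
class Account:
    name: str
    role: str
    grants: set
    shared: bool = False
    mfa: bool = False
    last_used_days: int = 0

def review(accounts):
    """Return (issue, account, detail) tuples, one per question to ask."""
    findings = []
    admins = sorted(a.name for a in accounts if "admin" in a.grants)
    if len(admins) > MAX_STANDING_ADMINS:
        findings.append(("standing_admins", ",".join(admins), f"{len(admins)} hold admin all day"))
    for a in accounts:
        excess = a.grants - ROLE_NEEDS.get(a.role, set())
        if excess:
            findings.append(("beyond_role", a.name, f"{a.role} does not need {sorted(excess)}"))
        if a.shared:
            findings.append(("shared_login", a.name, "cannot tell who did what or offboard one person"))
        if a.grants & HIGH_VALUE and not a.mfa:
            findings.append(("no_mfa", a.name, f"reaches {sorted(a.grants & HIGH_VALUE)} by password only"))
        if a.last_used_days > STALE_DAYS:
            findings.append(("stale", a.name, f"unused for {a.last_used_days} days"))
    return findings

# Constructed sample inventory mirroring the post's examples.
SAMPLE = [
    Account("alice", "sales", {"crm", "admin"}, mfa=True),
    Account("bob", "it_admin", {"crm", "books", "payroll", "mail", "shared_docs", "admin"}, mfa=True),
    Account("carol", "bookkeeper", {"books", "payroll"}, mfa=True),
    Account("office-admin", "it_admin", {"admin", "mail"}, shared=True),
    Account("dana", "intern", {"shared_docs", "payroll"}),
    Account("mail-sync-app", "vendor_app", {"mail"}, last_used_days=730),
]
```

Calling `review(SAMPLE)` returns nine findings on this inventory: three accounts holding standing admin, the intern and the forgotten mail app reaching beyond their roles, a shared login, three high-value accounts without MFA, and one vendor grant nobody has used in two years.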
Where the show gets it wrong, on purpose
Here is the part that matters, because it is where the metaphor breaks and should break. Severance is dystopian because it uses separation to make people miserable and to treat them as parts to be managed, not as people. That is the opposite of what least privilege is for.
Done right, segmenting access does not mean treating your staff as suspects. It is not surveillance, and it is not a vote of no confidence. It is the same reason a good bank does not let one teller alone move the entire vault. It protects the company, and it protects the employee, because when something goes wrong nobody can credibly point at the person who never had the access in the first place. Good fences make people less anxious, not more. If your security plan only works by assuming everyone is a threat, you have built the wrong thing. The controls that last are the ones people will actually keep.
This is also where the business case lives. Cyber insurers now ask whether you limit admin access and use MFA, and the honest answer changes your premium. The frameworks your bigger customers expect, the kind mapped out in tools like our free NIST Cybersecurity Framework self-check, treat least privilege as table stakes. Containing your blast radius is what lets you pass the audit, win the deal, and sleep at night.
You do not need brain surgery and a creepy basement to get the good part of the idea. You need to know who can touch what, and you need that list to be shorter than it is today. So go pull it up. I promise the version where the intern cannot see payroll is the less dystopian one.
Further reading
- From Resolute Security: Why Your Team Fights MFA
- From Resolute Security: The Weakest Link Is the Vendor You Forgot About
- From Resolute Security: The Password Talk
- Resolute Security tools: free NIST Cybersecurity Framework self-check
- CISA Secure Our World
- NIST Cybersecurity Framework
- Not sure where you stand? Take the free 10-minute cyber readiness assessment.