Think of it as just-enough privilege, granted just-in-time, for a limited time.
Superuser accounts such as root and local administrator represent a high risk. If compromised, they give the attacker the proverbial keys to the kingdom. They are also anonymous, not tied to any specific individual, which makes accountability for privileged actions challenging. A best practice is to take them off the playing field: delete them if possible, or vault them away for emergency “break-glass” access only.
How do administrators now do their jobs? In a least privilege access control model, they log in with a dedicated account that provides full accountability of their actions. The account has zero administrative privileges, so when they need to execute a command or run an application that requires such privileges, they request it just-in-time. The request is routed (via workflow) to one or more approvers along with sufficient context. If approved, the rights are granted — but only enough to run that specific command or application — just-enough privilege. The additional permissions are also temporary — for a limited time. The requester can specify for how long they need the additional rights, and the approver can adjust that if necessary. The PAM system will automatically revoke the extra rights when the period expires.
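The workflow described above, as an added example that is not code from this page or from any PAM product: a small in-memory model in which a named user requests one command, an approver grants it for an adjusted window, and the grant stops working once the window closes. The names `ElevationBroker` and `Grant`, the users, the sample command and the exact-string command match are assumptions made for illustration.

```python
import itertools
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    user: str             # named individual account, never shared root/admin
    command: str          # the single command covered (just-enough privilege)
    expires_at: datetime  # end of the approved window (limited time)

class ElevationBroker:
    """Hypothetical model: request -> approval -> scoped, expiring grant."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.pending = {}  # request id -> (user, command, requested duration)
        self.grants = []   # grants that have not yet been revoked
        self.audit = []    # (time, actor, event) records for accountability

    def request(self, user, command, duration, reason, now):
        rid = next(self._ids)
        self.pending[rid] = (user, command, duration)
        self.audit.append((now, user, f"request {rid}: {command!r} ({reason})"))
        return rid

    def approve(self, rid, approver, now, duration=None):
        user, command, requested = self.pending.pop(rid)
        # The approver may adjust the window the requester asked for.
        window = requested if duration is None else duration
        grant = Grant(user, command, now + window)
        self.grants.append(grant)
        self.audit.append((now, approver, f"approved {rid} until {grant.expires_at}"))
        return grant

    def is_allowed(self, user, command, now):
        # Automatic revocation: expired grants are dropped before every check.
        self.grants = [g for g in self.grants if g.expires_at > now]
        # Assumption: exact string match stands in for a real command policy.
        ok = any(g.user == user and g.command == command for g in self.grants)
        self.audit.append((now, user, f"{'ALLOW' if ok else 'DENY'} {command!r}"))
        return ok

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    pam, cmd = ElevationBroker(), "systemctl restart nginx"
    rid = pam.request("alice", cmd, timedelta(hours=2), "deploy fix", t0)
    pam.approve(rid, "bob", t0, duration=timedelta(minutes=30))
    for minutes in (10, 31):  # inside the window, then after it has expired
        print(minutes, pam.is_allowed("alice", cmd, t0 + timedelta(minutes=minutes)))
```

Every decision, including denials, lands in `audit` against a named account, which is the accountability the shared superuser accounts cannot provide.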