What is the need-to-know principle?
Give each person access only to the information they actually require to do their job — nothing more.
* Need-to-know and least privilege shrink the blast radius. *
Need-to-know limits the blast radius of any single compromised account or insider. If an employee can only reach the data their role demands, then a stolen credential or a rogue insider exposes only that slice — not the whole organization.
It's closely related to the principle of least privilege (minimal permissions), with need-to-know focusing specifically on information access. Both shrink the attack surface and contain damage.
Tip: Ask "does this person need this to do their job?" If not, revoke it. Over-broad access is one of the most common findings in security audits.
Go deeper:
Need to know (Wikipedia) — the information-access discipline that limits blast radius.
Principle of least privilege (Wikipedia) — the closely-related minimal-permissions principle.