The need-to-know principle holds that sensitive information should be shared only with people who require it to perform their specific role. It is the primary defense against insider threats — not because employees can’t be trusted, but because limiting access limits the damage from any single point of failure, whether intentional or accidental.