Time to start
If you don't have a role-based security model, you should start researching it and strive to move to RBAC, if only a tiny step at a time. You can start by defining your access control security groups by roles instead of departments. Don't designate HR, IT, and accounting security groups; instead, create security groups for each department based on their roles. Look to your company's organizational chart or job descriptions if you need a beginning point.
Start investigating software that uses an RBAC model. Look at the RBAC tools in your OS, whether it's Windows, Linux, Unix, OS X, Solaris, or something else. Investigate software that can bring role-based access control to your environment. Just use the keywords role-based access control or role-based management in your favorite Internet search engine.
Ask your software vendors what they are doing to facilitate RBAC in your environment with their products. Educate your vendors if they have never heard of it. When the vendor hears it enough or if you have enough dollar votes alone to make it happen, the vendor will become a RBAC proponent. Then everybody wins.
Implementing a RBAC model is a lot of work and a lot of groups, but anything less means you aren't truly implementing least privilege in your environment. Until you have RBAC, least privilege is just something you repeat over and over as a mantra, but can't really accomplish.