Yeah, that's what's called an assume breach/zero trust mindset. In a modern environment, you can't rely on the network perimeter being a security boundary, so you need to minimize permissions (so that if an identity is hacked, then the blast radius is reduced) and invest in detections and remediation plans.