Object Capabilities

I've been interested in object capabilities for a while now. For a good introduction to what exactly capabilities are, I'd recommend What are Capabilities by Chip Morningstar - he explains it much better than I'll be able to.

But in short, the security model is based on possession of unforgeable references to a resource rather than on the identity of the requester: the authority travels with the reference, so there is no separate access check to get wrong. In other words, "if you don't have it, you can't use it."

This makes it much easier to implement the principle of least authority (POLA) in practice, because you can hand a program (or module, or remote process, or...) only the references it needs to perform its function, and it can wield no more authority than those references carry. Narrower references are made by wrapping a broader one in a facet that exposes just the operations you want to grant.
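As an added example (my own illustration, not code from the page or from Goblins), here is the same discipline in plain JavaScript: a full-authority store, two attenuated facets built as closures over it, a revocable wrapper, and two hypothetical modules (`auditLogger`, `reporter`) that each receive only the facet they need. All names here are made up for the illustration.

```javascript
'use strict';
// Added example of object-capability style in plain JavaScript.
// A capability is an unforgeable reference; holding it is the authority.

// Full-authority object. Nothing here asks "who" is calling: anyone holding
// a reference to the returned object can use every method on it.
function makeStore() {
  const data = new Map();
  return Object.freeze({
    get: (key) => data.get(key),
    set: (key, value) => { data.set(key, value); },
    keys: () => [...data.keys()],
  });
}

// Attenuation: a read-only facet. It closes over `store` and never hands the
// underlying reference out, so a holder cannot climb back up to `set`.
function readOnly(store) {
  return Object.freeze({
    get: (key) => store.get(key),
    keys: () => store.keys(),
  });
}

// Further attenuation: read/write access to exactly one key.
function singleKey(store, key) {
  return Object.freeze({
    get: () => store.get(key),
    set: (value) => store.set(key, value),
  });
}

// Revocation: a caretaker that forwards to the target until revoked, so
// authority that was delegated can be withdrawn without touching the target.
function revocable(target) {
  let current = target;
  const facet = new Proxy({}, {
    get(_obj, prop) {
      if (current === null) throw new Error('capability revoked');
      const v = current[prop];
      return typeof v === 'function' ? (...args) => v(...args) : v;
    },
  });
  return { facet, revoke: () => { current = null; } };
}

// Hypothetical modules, each given only what it needs (POLA).
function auditLogger(logCap) {   // write access to one key, nothing else
  return (msg) => logCap.set(`${logCap.get() ?? ''}${msg}\n`);
}

function reporter(view) {        // read access only
  return () => view.keys().map((k) => `${k}=${view.get(k)}`).join(',');
}

// Constructed scenario; returns what each holder could and could not do.
function demo() {
  const store = makeStore();
  store.set('config', 'prod');

  const appendLog = auditLogger(singleKey(store, 'log'));
  appendLog('started');
  appendLog('ready');

  const { facet: ro, revoke } = revocable(readOnly(store));
  const readOnlyHasSet = typeof ro.set; // 'undefined': facet grants no write
  const report = reporter(ro);
  const before = report();             // "config=prod,log=started\nready\n"

  revoke();
  let afterRevoke;
  try { report(); afterRevoke = 'still works'; }
  catch (e) { afterRevoke = e.message; }   // 'capability revoked'

  return { report: before, afterRevoke, readOnlyHasSet };
}
```

The caveat a practitioner will want: this only yields capability discipline if the modules cannot reach authority some other way. Plain JavaScript leaves ambient authority lying around (globals, mutable built-in prototypes), so the pattern is sound as written only inside a hardened environment such as SES / Hardened JS, where the shared primordials are frozen and each module sees only what it is passed.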

Capabilities on their own deliberately say nothing about who is behind a request. When you still need to attribute what is going on at a per-human, per-machine, etc. granularity, without falling back to identity-based access control, you can layer on something like Horton - see Mark Miller's Architectures of Robust Openness. I've written a Horton implementation for Goblins in Guile.