Compliance

Access governance

Least privilege is a product requirement, not just an operational note. This page records the current access policy posture and the remaining work.

Principles

  • Use least privilege.
  • Keep tenant scope explicit.
  • Require MFA for privileged actions.
  • Review access periodically and on offboarding.

Tasks

  • Add periodic access review workflow.
  • Separate support and compliance roles if needed.
  • Add service-account policy and rotation rules.
  • Add offboarding and emergency-access procedures.