AP-01 — Identity-Bound AI Access
Strategy Reference
- Objective 1 — Universal Identity-Bound AI Access (by month 6)
- Section 3 — Principle 1 (Identity Binding) and Principle 5 (Auditability)
- Section 12, Phase 1 — Identity and role architecture defined and implemented
Goal
By month 6, every Feoda employee accesses internal AI exclusively through identity-authenticated agents. Anonymous, shared-credential, or out-of-policy AI usage is eliminated.
Scope
In scope:
- All AI tools used for Feoda work (chat assistants, coding assistants, internal AI platform, future agents)
- All employees, contractors, and consultants performing Feoda work
- All offices and regions

Out of scope:
- Personal AI use on personal devices unrelated to Feoda work
- Client-side AI tools running inside client systems
- Third-party tools that incidentally use AI but are not procured for AI capability
Deliverables
- Identity & role architecture document — extends ROADMAP.md Phase 3 with the AI-specific role taxonomy
- SSO integration for every approved AI provider (see AP-03)
- Employee directory of named accounts per provider, reviewed quarterly
- Out-of-policy usage detection — mechanism to flag use of non-approved or anonymous tools
- Communication & enforcement plan — internal announcement, deadline, exception path
Milestones
| Milestone | Target Month | Exit Criteria |
|---|---|---|
| Identity architecture drafted and approved | Month 1 | Document approved by Head of Technology |
| SSO live for all approved providers | Month 4 | 100% of approved providers behind SSO |
| Named-account directory published | Month 4 | Directory exists, reviewed by department heads |
| Out-of-policy detection in place | Month 5 | Monitoring active; first review completed |
| Cutover complete | Month 6 | Anonymous and shared-credential access disabled |
Dependencies
- AP-03 — Approved Provider List: cannot bind identity to providers that are not yet approved
- AP-05 — Audit Logging Infrastructure: identity binding has limited value without audit trails
- Phase 3 of the platform ROADMAP.md (Clerk-based unified auth)
Risks & Mitigations
| Risk | Mitigation |
|---|---|
| Employees revert to personal accounts to bypass enforcement | Combine policy with detection; named consequences in policy |
| SSO integration not supported by a critical provider | Provider must support SSO to be approved (gate in AP-03) |
| Cost of enterprise tiers higher than budgeted | Capture in cost criteria; phase rollout if needed |
Success Measures
- Anonymous / out-of-policy AI usage incidents (target: zero by month 6)
- 100% of approved providers behind SSO
- 100% of relevant roles have named AI agent access
- Quarterly access review completion: 100% on time
Status Log
| Date | Status | Notes |
|---|---|---|
| 2026-04-22 | Not Started | Action plan created. Awaiting Phase 1 kickoff. |