Internal Security Access Policy
Least-privilege access, JIT elevation, break-glass and quarterly access reviews — how HookPilot controls who can touch what.
1. Scope
This policy governs HookPilot Caption Studio LLC personnel and contractor access to: production infrastructure, customer data stores, deployment pipelines, secrets management, billing platform, AI model provider consoles, support tooling, and any system that holds or processes Customer Content.
2. Principles
- Least privilege — only the access required for the role, not the access available to the role.
- Just-in-time over standing — temporary, time-bound elevation by default.
- Separation of duties — code authors do not approve their own production changes.
- Multi-person rule for destructive actions — production deletion needs a second approver.
- Audited by default — every access action is logged and replayable.
3. Identity
HookPilot uses a single identity provider with SSO and hardware-key MFA for staff. Contractors get scoped identities tied to their SOW. Shared accounts are prohibited. Service accounts are owned by an engineering team, scoped to a workload, and rotated on a schedule.
4. Role-Based Access Control
Permissions are bundled into roles aligned to the AI department they serve (for example, "Caption Studio Engineer", "AI Music Video Operator", "-HPS Sweep Reviewer"). Role definitions are stored in code, code-reviewed, and version-controlled.
5. JIT Elevation
Elevated access is granted through a ticketed request. Each request specifies the system, the scope, the duration (default 60 minutes), and the reason. Approval requires a second engineer; a requester cannot approve their own request. The elevation auto-expires at the end of the stated duration; renewing requires a new request.
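The JIT rules above (ticketed request with system, scope, reason and a 60-minute default duration; approval by a second engineer who is not the requester; automatic expiry; no renewal without a new request; every action audited) map directly onto a small state machine. The following is an added example written for this page, not HookPilot's own tooling; the ticket id, user names, system and timestamps are constructed, and the `ElevationRequest` class and its methods are an assumed design rather than any real product API.

```python
"""Minimal model of ticketed JIT elevation with separation of duties and auto-expiry.

Added illustration for the policy text above; not HookPilot's implementation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_DURATION = timedelta(minutes=60)  # policy default; a request may state another duration


class ElevationError(Exception):
    """Raised when a request or an action violates the JIT policy rules."""


@dataclass
class ElevationRequest:
    ticket: str            # ticket id (constructed, e.g. "JIT-0001")
    requester: str
    system: str
    scope: str
    reason: str
    submitted_at: datetime
    duration: timedelta = DEFAULT_DURATION
    approver: Optional[str] = None
    granted_at: Optional[datetime] = None
    audit: list = field(default_factory=list)  # audited by default: every action is recorded

    def __post_init__(self) -> None:
        # A request without system, scope or reason is not a valid ticket.
        for name in ("system", "scope", "reason"):
            if not getattr(self, name).strip():
                raise ElevationError(f"{self.ticket}: {name} is required")
        if self.duration <= timedelta(0):
            raise ElevationError(f"{self.ticket}: duration must be positive")
        self._log("requested", self.requester, self.submitted_at)

    def _log(self, action: str, actor: str, at: datetime) -> None:
        self.audit.append({"ticket": self.ticket, "action": action, "actor": actor, "at": at.isoformat()})

    def approve(self, approver: str, now: datetime) -> datetime:
        """Second-engineer approval; self-approval is refused and the attempt is logged."""
        if approver == self.requester:
            self._log("approval_denied:self_approval", approver, now)
            raise ElevationError(f"{self.ticket}: requester cannot approve their own elevation")
        if self.granted_at is not None:
            raise ElevationError(f"{self.ticket}: already approved")
        self.approver = approver
        self.granted_at = now
        self._log("approved", approver, now)
        return self.expires_at()

    def expires_at(self) -> Optional[datetime]:
        return None if self.granted_at is None else self.granted_at + self.duration

    def is_active(self, now: datetime) -> bool:
        # Auto-expiry: nothing needs to revoke the grant once the window has passed.
        return self.granted_at is not None and now < self.expires_at()

    def check(self, action: str, now: datetime) -> None:
        """Gate a privileged action; the attempt is logged whether or not it is allowed."""
        allowed = self.is_active(now)
        self._log(f"use:{action}:{'allowed' if allowed else 'denied'}", self.requester, now)
        if not allowed:
            raise ElevationError(f"{self.ticket}: no active elevation for {self.system} at {now.isoformat()}")

    def renew(self, now: datetime) -> None:
        """Renewal is never granted in place; the policy requires a fresh request."""
        self._log("renewal_denied", self.requester, now)
        raise ElevationError(f"{self.ticket}: elevation cannot be renewed; open a new request")


def run_scenarios() -> dict:
    """Walk one constructed request through the policy rules and report what happened."""
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    req = ElevationRequest("JIT-0001", "alice", "prod-db", "read-only replica", "support ticket SUP-42 (constructed)", t0)
    results = {}
    try:
        req.approve("alice", t0)
        results["self_approval_rejected"] = False
    except ElevationError:
        results["self_approval_rejected"] = True
    results["expires_at"] = req.approve("bob", t0).isoformat()
    req.check("SELECT", t0 + timedelta(minutes=30))
    results["active_at_30m"] = req.is_active(t0 + timedelta(minutes=30))
    try:
        req.check("SELECT", t0 + timedelta(minutes=61))
    except ElevationError:
        pass
    results["active_at_61m"] = req.is_active(t0 + timedelta(minutes=61))
    try:
        req.renew(t0 + timedelta(minutes=61))
        results["renewal_rejected"] = False
    except ElevationError:
        results["renewal_rejected"] = True
    results["audit_entries"] = len(req.audit)
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The audit list deliberately records denied attempts (self-approval, use after expiry, renewal) as well as grants, since a denied request is exactly what an access reviewer or SIEM rule wants to see.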
6. Break-Glass
Break-glass credentials exist for genuine emergencies (active SEV-1, identity provider outage, etc.). Use of a break-glass account: (a) triggers a real-time alert to the Codex-HPS role; (b) opens an automatic post-incident review; (c) requires written justification within 24 hours; and (d) results in immediate credential rotation regardless of the outcome.
7. Production Customer Data Access
Customer Content access requires a written customer-impacting reason (support request, security investigation, lawful order). Workspace administrators are notified where appropriate. -HPS Trace and Shield roles can deny access requests that lack proper justification, even from leadership.
8. Logging
Every access action — login, elevation, command, query, download — is logged centrally with immutable retention for 24 months. Logs feed the SIEM consumed by -HPS.
9. Quarterly Access Review
Every quarter, role owners and engineering managers review who has access to what. Stale access is revoked. Findings feed the SOC 2 evidence engine.
10. Off-Boarding
On role change or departure: the identity provider session is killed within the hour; SSO group memberships are removed within 24 hours; service-account access is transferred or revoked; the hardware key and laptop are returned per the Device Policy; and a final access-log review covers the prior 90 days.