Specifies fine-grained, app-owned access control layered on the AD roles: capability gating, data-scoping, field/PII-level, and step-up/SoD. Backend-authoritative (per ADR-0001), UI mirrors decisions; extends ADR-0002. Privacy-by-design: data-minimized decision DTOs, server-side PII redaction, audit, deny-by-default. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>