Enterprise access control refinement and flex-auth delegation

docs/enterprise-access-control-integration.md

@@ -315,6 +315,18 @@ Instead:
    deployment needs stronger central policy.
 6. Persist decisions before using this for production agent memory or exports.
 
+## flex-auth Boundary
+
+The preferred long-term shape is a separate `flex-auth` service/repo under the
+NetKingdom authorization umbrella. In that model, Markitect remains a resource
+consumer and policy enforcement point. flex-auth owns the central resource
+registry, enterprise group/role/scope mapping, external PDP adapters, and
+durable decision logs.
+
+The product survey, Keycloak/Entra analysis, and boundary recommendation now
+live in the sibling `flex-auth` repo:
+`flex-auth/docs/flex-auth-authorization-registry-research.md`.
+
 ## Sources
 
 - OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html