Enterprise access control integration

docs/access-control-policy-gateway.md

@@ -139,6 +139,22 @@ to future backend storage.
 
 ## Adapter Boundaries
 
+Enterprise IAM integration is covered in
+`docs/enterprise-access-control-integration.md`. In that architecture,
+Markitect is the policy enforcement point for Markdown knowledge results, while
+NetKingdom/key-cape-compatible OIDC supplies identity claims and external
+policy engines can act as policy decision points.
+
+Identity and directory integration use these provider-neutral boundaries:
+
+- `IdentityClaimsAdapter` validates OIDC/JWT/SAML material and returns
+  normalized `EnterpriseIdentity`.
+- `DirectoryGroupResolver` resolves group overage or stale directory claims
+  through SCIM/Graph/LDAP/Keycloak-style adapters.
+- `EnterprisePolicyMapper` maps canonical enterprise roles, scopes, and groups
+  to `PolicySubject` labels, trust zones, and allowed actions.
+- `DecisionLogStore` persists durable audit records for policy decisions.
+
 Relationship policies use `RelationshipPolicyAdapter`:
 
 ```text