Permission-Posture Audit

Module 5, Lesson 5.5 · monthly cadence · produces Entry 4 of the capstone inbox-and-calendar log · concept shape + recipe run

What this is. The one-page table at the heart of Lesson 5.5, plus the revocation-ritual reference and the standing question. Not a form to fill out once. A habit you run every month.

How to use. Open every AI service, every agent, and every plugin that has access to your inbox or calendar, then cross-check against the account itself: the provider's own list of third-party apps with access (Google keeps it under Security as third-party apps and services; Microsoft under the account's apps and services page) is the authoritative inventory, because a tool you forgot about will not remind you of itself. List them. For each, answer four questions: what it can see, who built it, why it needs that access, when you last reviewed it. Then run the ritual.

Safety norms — the load-bearing rules of this module.

Drafts, not sends. Least access for the task. A grant without a live task is drift.

Header

Student
Audit date
Account(s) reviewed (email + calendar + any linked storage)
Prior audit date (leave blank for first audit)

The standing question — keep this in view while you audit

Ask it about every row before you move on

If I dropped dead or handed my laptop to a stranger right now, would this grant embarrass me, expose someone else, or cost me money? If yes — reduce it or revoke it today.

The audit table

One row per grant. If one tool holds separate mail and calendar grants, give each its own row so each can be reduced on its own. “What” = the scope, in the words the provider's consent screen used (read labels / draft mail / send mail / full account / read calendar / write calendar); under the drafts-not-sends norm, any send or delete scope deserves a second look before you keep it. “Who” = the vendor or builder (Cowork, Claude Code, Zapier, a plugin author). “Why” = the live task that justifies this right now; “I might need it later” is not a live task. “When reviewed” = today’s date if you kept it, or the date you revoked / reduced it.

#  | What it can see / do | Who built it | Why it needs this (live task) | When reviewed · action
01 |                      |              |                               |
02 |                      |              |                               |
03 |                      |              |                               |
04 |                      |              |                               |
05 |                      |              |                               |
06 |                      |              |                               |
07 |                      |              |                               |
08 |                      |              |                               |

The three-habit ritual

HABIT 01
Revoke one-off
Any grant tied to a task that is over. The school-paper agent from February. The one-time summer-job plugin. If the task is done, the access should be gone. Revoke at the account that issued the grant (the provider's third-party access page), not only inside the tool's own settings: disconnecting a tool from its side does not always invalidate the token the provider issued to it, and a token that still works is a grant that still exists.
HABIT 02
Reduce recurring
Any grant that is wider than the live task needs. Full-inbox read when a single label would serve. Write-calendar when read-calendar would serve. Narrow every scope you can.
HABIT 03
Re-audit monthly
Put the next audit on the calendar before you close this page. Monthly cadence. Every tool that stays gets reviewed again. Every tool that has no live task gets revoked.
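One way to mechanise the three habits over a filled-in table, as an added example that is not part of the lesson's materials: each row becomes a record, every scope expands to a set of atomic permissions, and the script decides revoke / reduce / keep per row, flags rows whose last review is older than the cadence, flags grants that can act rather than only read (the ones the standing question bites hardest), and computes the next audit date. The scope names follow the "What" column above; the atom labels, the 31-day staleness threshold, the task-to-scope mapping and the three sample rows are assumptions constructed for illustration.

```python
"""Permission-posture audit helper (added example; the scope model is assumed, not a vendor's API)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional
import calendar

# Each scope from the audit table's "What" column expands to atomic permissions.
# Atom labels are assumed for illustration; a provider's real consent screen names them differently.
SCOPE_ATOMS = {
    "read labels":    {"mail:read-labels"},
    "read inbox":     {"mail:read-labels", "mail:read-all"},
    "draft mail":     {"mail:draft"},
    "send mail":      {"mail:draft", "mail:send"},
    "full account":   {"mail:read-labels", "mail:read-all", "mail:draft", "mail:send", "mail:delete"},
    "read calendar":  {"cal:read"},
    "write calendar": {"cal:read", "cal:write"},
}
# Atoms that let a tool act on the world rather than only observe it.
HIGH_IMPACT = {"mail:send", "mail:delete", "cal:write"}


def expand(scopes: List[str]) -> set:
    """Union of atoms behind a list of scope names; unknown names are an error, not a silent pass."""
    atoms = set()
    for s in scopes:
        if s not in SCOPE_ATOMS:
            raise ValueError(f"unknown scope: {s!r}")
        atoms |= SCOPE_ATOMS[s]
    return atoms


@dataclass
class Grant:                       # one row of the audit table
    tool: str
    builder: str
    scopes: List[str]              # "What": scopes as granted
    live_task: Optional[str]       # "Why": None means no live task
    needs: List[str] = field(default_factory=list)   # scopes the live task actually requires
    last_reviewed: Optional[date] = None             # "When reviewed" from the prior audit


@dataclass
class Finding:
    tool: str
    action: str                    # "revoke" | "reduce" | "keep"
    excess: frozenset              # atoms to strip (everything, for a revoke)
    stale: bool                    # last review older than the cadence
    high_impact: bool              # carries a send / delete / write atom


def audit_grant(g: Grant, today: date, cadence_days: int = 31) -> Finding:
    granted = expand(g.scopes)
    excess = granted - expand(g.needs)
    if not g.live_task:            # Habit 01: no live task, revoke
        action, excess = "revoke", granted
    elif excess:                   # Habit 02: wider than the task needs, reduce
        action = "reduce"
    else:
        action = "keep"
    stale = g.last_reviewed is None or (today - g.last_reviewed).days > cadence_days
    return Finding(g.tool, action, frozenset(excess), stale, bool(granted & HIGH_IMPACT))


def next_audit(today: date) -> date:
    """Habit 03: same day next month, clamped to the month's length (31 Jan -> 28/29 Feb)."""
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return date(year, month, min(today.day, calendar.monthrange(year, month)[1]))


def run_audit(grants: List[Grant], today: date) -> List[Finding]:
    return [audit_grant(g, today) for g in grants]


# Constructed sample table: three rows of the kind a first audit typically turns up.
SAMPLE_TODAY = date(2025, 6, 2)
SAMPLE_GRANTS = [
    Grant("School-paper agent", "Cowork", ["read inbox", "draft mail"], None,
          last_reviewed=date(2025, 2, 10)),                                   # task over -> revoke
    Grant("Meeting summarizer", "Zapier", ["full account", "write calendar"],
          "Summarize this week's meetings", needs=["read calendar"],
          last_reviewed=date(2025, 4, 15)),                                   # over-scoped -> reduce
    Grant("Label triage", "Claude Code", ["read labels"],
          "Sort newsletters into a label", needs=["read labels"],
          last_reviewed=date(2025, 5, 28)),                                   # fits the task -> keep
]

if __name__ == "__main__":
    for f in run_audit(SAMPLE_GRANTS, SAMPLE_TODAY):
        flags = ("stale " if f.stale else "") + ("high-impact" if f.high_impact else "")
        print(f"{f.tool:20} {f.action:7} strip={sorted(f.excess)} {flags}")
    print("next audit:", next_audit(SAMPLE_TODAY))
```

The script deliberately refuses unknown scope names instead of ignoring them: a scope you cannot classify is exactly the row that needs a human reading the consent screen, not a row that slips through as "keep".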

First-audit surprises (optional — only on first run)

Anything you found in your account that you did not remember granting, did not know was still on, or that gave a tool more access than you thought. Name at least one. If you truly find none, write “none found” and initial — but look again first.

Closeout

Every AI tool with access to my email or calendar appears on the table as its own row.
Every row has a live task named in the “Why” column. Any row without a live task was revoked today.
No row has a scope wider than the live task requires. Any over-scoped grant was reduced or a reduction task was queued.
The standing question was asked about every row.
Next audit scheduled on the calendar (one month from today).
Saved as permission-posture-audit-<YYYY-MM-DD>.md under Entry 4 of the capstone log.

A note on cadence

Monthly is the floor, not the ceiling. Run an extra audit any time you install a new AI tool, connect a new plugin, finish a big one-off project, or change or lose a device. The first audit almost always surfaces something you did not expect: a stale OAuth grant, an old experiment, a tool you stopped using but never disconnected. That is not a failure. That is exactly what the audit is for. The habit is the product.

Print this page. Schedule the next audit. Run it every month.