44 Vault-account custody of crown jewels
Crown-jewel documents are owned by a locked, licensed account that nobody works from — no mail flow, no OAuth grants, no daily sign-in — and access to them is granted out of it per file, read-only and time-boxed. Because the files sit outside every working user's Drive, compromising a working user does not reach them: the blast radius of a phished employee stops at what they were explicitly and temporarily granted.
Documentation: Transfer Drive files to a new owner as an admin ↗ · Share files and folders in Drive ↗
Caveats
This is a process control — it is carried out offline, so there is no Admin Console walkthrough to show.
Ongoing maintenance
- requires a human Per policy: rotate the sealed credential and update the custody record.
How to verify
Check the custody record for the Vault account, confirm its credential is sealed, and verify the account still holds only the Vault privileges it should.
v0.0.3Preventedition All (1 license) policy #28 · #15, #29 ↗