diff --git a/nexus-mcp/src/identity_backend.py b/nexus-mcp/src/identity_backend.py
new file mode 100644
index 0000000..be0b524
--- /dev/null
+++ b/nexus-mcp/src/identity_backend.py
@@ -0,0 +1,22 @@
+from typing import Set
+
+# Fields allowed to be returned to the MCP client
+ALLOWED_USER_FIELDS: Set[str] = {
+ "username",
+ "display_name",
+ "first_name",
+ "last_name",
+ "email",
+ "enabled",
+ "ou",
+ "description",
+ "last_logon_utc",
+ "when_created_utc",
+ "department",
+ "title",
+}
+
+
+class IdentityBackend:
+ """Base interface for Identity Shard backends."""
+ pass
\ No newline at end of file
diff --git a/nexus-mcp/src/shards/identity.py b/nexus-mcp/src/shards/identity.py
index 91037d0..98869e2 100644
--- a/nexus-mcp/src/shards/identity.py
+++ b/nexus-mcp/src/shards/identity.py
@@ -121,6 +121,15 @@ def register(mcp: FastMCP) -> None:
 logger.warning("ad_list_groups: group enumeration not yet implemented in AD backend")
 return []
 
+ @mcp.tool()
+ async def ad_get_user_groups(sam_account_name: str) -> list[str]:
+ """Get all AD groups for a specific user."""
+ if _USE_MOCK:
+ # Mock logic here...
+ return ["Domain Users", "Wheels-IT"]
+
+ return await _get_ad().get_user_groups(sam_account_name)
+
 @mcp.tool()
 async def ad_get_group_members(group_dn: str) -> list[dict]:
 """Return all members of an Active Directory group by its distinguished name."""
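Review bot: `ALLOWED_USER_FIELDS` is the allowlist that bounds which user attributes reach the MCP client, yet it is declared as a mutable `set`, so any later `ALLOWED_USER_FIELDS.add(...)` or `|=` at runtime silently widens what is exposed; declare it immutable, `ALLOWED_USER_FIELDS: frozenset[str] = frozenset({` with the closing `}` becoming `})`. That also drops the `typing.Set` import, which is redundant given that shards/identity.py in this same commit already uses builtin generics such as `list[str]`. `IdentityBackend` holds only a docstring and a redundant `pass`, while the second hunk awaits `get_user_groups(...)` on whatever `_get_ad()` returns (presumably one of these backends) — if this class is the interface, declaring that method on it (for example as an `abc.abstractmethod`) would make the contract the shard relies on explicit. The file is also missing its trailing newline.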
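Review bot: `sam_account_name` comes straight from the MCP client and is forwarded unchanged to `_get_ad().get_user_groups(sam_account_name)`, with nothing in the new tool bounding or validating it; the backend is not visible here, so whether it escapes the value before using it in an LDAP filter should be confirmed, and the tool itself should at least reject an empty name before the mock branch: `if not sam_account_name.strip(): raise ValueError("sam_account_name must not be empty")`. The placeholder `# Mock logic here...` adds nothing over the hard-coded return that follows it; either remove it or state what the values are, e.g. `# Fixed sample groups returned by the mock backend`. The docstring could also say that the lookup is by sAMAccountName and what is returned when the user has no groups, which the code does not make visible. The enclosing `register` function begins before and continues after this hunk.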