diff --git a/Workday/workday-ad-identity-sync-next-steps.md b/Workday/workday-ad-identity-sync-next-steps.md new file mode 100644 index 0000000..4eefd6c --- /dev/null +++ b/Workday/workday-ad-identity-sync-next-steps.md 
@@ -0,0 +1,115 @@ +--- +title: "Workday to AD identity sync — next steps backlog" +description: "Granular execution checklist mapped to 2026 goal milestones and current Workday/Identity MCP artifact status." +type: "Implementation Backlog" +version: "v1" +author: "N. Castaldi" +date: "2026-04-03" +--- + +## Current status snapshot + +- Workday artifacts define architecture, phases, and governance clearly. +- Workday implementation artifacts still indicate unresolved blockers: OAuth grant decision, owner assignment, non-prod tenant access, endpoint mappings, and field allowlist lock. +- Identity MCP appears production-capable with read-only tools and test scaffolding, which is suitable as the downstream enforcement interface for remediation orchestration. +- Missing from current docs: measurable KPI instrumentation plan, weekly drift-report automation implementation details, and a sequenced cutover plan to remove manual reconciliation. + +## Priority 0: Unblockers that must be closed first + +- [ ] Assign a single accountable owner for Workday auth provisioning and approve named backups. +- [ ] Finalize OAuth grant type and token lifecycle policy (token TTL, refresh behavior, secret rotation frequency). +- [ ] Provision non-production Workday tenant/API access and confirm connectivity from the MCP runtime host. +- [ ] Confirm Integration System User and security group permissions for strict read-only domains. +- [ ] Publish an approved field allowlist and explicit denylist, then version it in source control. +- [ ] Produce endpoint-to-tool mapping table: tool name, endpoint URL, required params, output shape, and error contract. + +## Priority 1: Build Workday MCP to parity with Identity MCP pattern + +- [ ] Scaffold project files listed in the implementation plan: server, backend contract, adapter, debug script, tests, and packaging metadata. +- [ ] Implement memory backend first and add deterministic sample worker records for contract testing. 
+- [ ] Implement API backend auth flow with secure secret loading from approved store (no secrets in code or logs). +- [ ] Implement tool 1 end-to-end: get worker status by authoritative identifier. +- [ ] Add schema validation to ensure responses include only allowlisted fields. +- [ ] Implement remaining core tools in sequence: worker profile, org attributes, manager, effective dates. +- [ ] Add robust adapter behavior for 401, 403, 404, 429, and 5xx responses with safe retry and timeout controls. +- [ ] Add structured STDERR logging compatible with MCP stdio transport and include invocation audit metadata. + +## Priority 2: Identity correlation and mismatch detection + +- [ ] Define canonical correlation key precedence (employee ID, then work email, then UPN fallback). +- [ ] Create a correlation module that compares Workday status against AD/Entra state from Identity MCP. +- [ ] Implement mismatch categories with deterministic rules: +- [ ] Terminated in Workday but enabled in AD. +- [ ] Future-dated hire in Workday but account created too early. +- [ ] Active in Workday but missing in AD. +- [ ] Manager mismatch between Workday and AD attributes. +- [ ] Contractor end date passed but access still active. +- [ ] Define severity levels and SLA targets per mismatch category. +- [ ] Add suppression logic for approved exceptions (legal hold, approved delayed start, merger-transition records). + +## Priority 3: Automation workflow in Power Automate + +- [ ] Create a scheduled flow for daily sync checks and a separate weekly reporting flow. +- [ ] Build connectors/actions to call Workday MCP and Identity MCP safely with service principal credentials. +- [ ] Implement idempotent processing so repeated runs do not duplicate tickets or actions. +- [ ] Add decision branches for each mismatch category and route to the correct remediation path. +- [ ] Integrate with ticketing workflow for human approval gates before identity changes execute. 
+- [ ] Capture full run telemetry: start/end time, processed records, mismatches found, remediations requested, remediations completed. +- [ ] Implement failure handling with retry policy, dead-letter queue pattern, and escalation notifications. + +## Priority 4: Automated remediation via Identity MCP + +- [ ] Confirm Phase-gate controls so any write actions stay disabled until approvals are complete. +- [ ] Define remediation action catalog mapped to mismatch categories (disable account, update manager, queue provisioning task). +- [ ] Add mandatory approval checks (ticket ID, approver identity, timestamp, change reason) before any write path. +- [ ] Build rollback procedures per remediation type and test rollback on non-production data. +- [ ] Add post-action validation checks to confirm AD/Entra state now matches Workday source-of-truth. + +## Priority 5: Measurement and reporting (SMART metrics) + +- [ ] Establish Q1 2026 baseline for mean-time-to-provision (MTTP) using existing onboarding tickets. +- [ ] Define MTTP formula and data source contract so measurements are reproducible. +- [ ] Implement weekly identity drift report generation with trend lines by mismatch type. +- [ ] Add dashboard metrics required for Q3 target tracking: +- [ ] MTTP reduction percentage versus Q1 baseline. +- [ ] Total mismatches detected per week. +- [ ] Percent auto-resolved versus human-resolved mismatches. +- [ ] Manual reconciliation hours eliminated. +- [ ] Publish weekly report distribution list and archival location for audit retention. + +## Priority 6: Security, compliance, and operational hardening + +- [ ] Run a log redaction test to verify no secrets or restricted fields are emitted. +- [ ] Perform least-privilege review across Workday ISU, MCP host identity, and Power Automate connectors. +- [ ] Add change-control requirements for schema updates and new tool introduction. 
+- [ ] Create a quarterly access recertification checklist for service accounts and app registrations. +- [ ] Add synthetic monitoring checks for token acquisition, endpoint latency, and tool health. +- [ ] Create incident response runbook for sync failures, auth failures, and drift-report pipeline outages. + +## Priority 7: Delivery plan by quarter + +- [ ] Q2 milestone 1: close all unblocking dependencies and complete non-prod end-to-end read-only validation. +- [ ] Q2 milestone 2: complete Workday MCP core tools plus correlation logic and automated mismatch classification. +- [ ] Q2 milestone 3: deploy Power Automate daily sync and ticketed approval workflow to pilot scope. +- [ ] Q3 milestone 1: enable weekly drift reporting to IT Operations with stable SLA performance. +- [ ] Q3 milestone 2: complete production rollout and retire manual reconciliation process. +- [ ] Q3 milestone 3: verify at least 30 percent MTTP reduction against Q1 baseline and document evidence. + +## Immediate next 10 execution steps + +- [ ] Confirm OAuth grant type in writing and record decision in implementation plan. +- [ ] Request and obtain non-prod Workday API credentials. +- [ ] Implement and test one Workday MCP tool in API mode. +- [ ] Lock response schema allowlist in tests. +- [ ] Define correlation key precedence and test with sample identity data. +- [ ] Implement first mismatch detector: terminated-in-Workday but active-in-AD. +- [ ] Stand up daily Power Automate check flow in non-production. +- [ ] Generate first weekly drift report draft and validate with IT Operations. +- [ ] Pilot one human-approved remediation path end-to-end. +- [ ] Capture baseline MTTP and publish first KPI scorecard. + +## Suggested status tracking tags + +- [ ] Add one tag to each backlog item: BLOCKED, READY, IN_PROGRESS, VALIDATING, DONE. +- [ ] Add owner and target date to each item before sprint planning. +- [ ] Review and update this backlog weekly until Q3 completion. 
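Review bot: the Priority 2 correlation items fix key precedence (employee ID, then work email, then UPN fallback) but no item handles a correlation that yields zero or more than one AD candidate, so a worker whose employee ID is absent from AD can silently fall through to an email match against a stale or reused account and then be classified as a status mismatch rather than a correlation failure. Suggest adding a rule that emits an explicit "unresolved correlation" or "ambiguous match" record (listing the keys tried) as its own category with its own severity and SLA, and having the "Active in Workday but missing in AD" detector fire only when the authoritative key was present and matched nothing. Related gap: Priority 1 "secure secret loading from approved store" refers to a store that is never named; choosing it is a decision of the same kind as the OAuth grant type and belongs with the Priority 0 unblockers. Formatting: the sub-items under "Implement mismatch categories with deterministic rules:" and under "Add dashboard metrics required for Q3 target tracking:" are written as top-level `- [ ]` entries, so they render as siblings of their parent item; indent them two spaces so the list hierarchy survives.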
diff --git a/Workday/workday-ad-identity-sync-sprint-board.md b/Workday/workday-ad-identity-sync-sprint-board.md new file mode 100644 index 0000000..3d31b90 --- /dev/null +++ b/Workday/workday-ad-identity-sync-sprint-board.md 
@@ -0,0 +1,55 @@ +--- +title: "Workday to AD identity sync — sprint board" +description: "Sprint-ready execution board converted from the next-steps backlog." +type: "Sprint Board" +version: "v1" +author: "N. Castaldi" +date: "2026-04-03" +source: "workday-ad-identity-sync-next-steps.md" +--- + +## Usage + +- Update Status using: BLOCKED, READY, IN_PROGRESS, VALIDATING, DONE. +- Replace placeholder owners and dates during sprint planning. +- Keep one row per deliverable-sized work item. + +## Sprint board + +| ID | Work item | Priority | Owner | Target date | Dependency | Definition of done | Verification | Status | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | +| WIS-001 | Finalize OAuth grant type and token lifecycle policy | P0 | Unassigned | 2026-04-10 | Security + HRIS decision meeting | Decision record approved and stored in repo | Review signed decision doc and confirm policy values | READY | +| WIS-002 | Provision non-prod Workday API credentials and tenant access | P0 | Unassigned | 2026-04-12 | WIS-001 | Service account/API client active in non-prod with read-only scope | Run connectivity script and receive valid token + successful API call | READY | +| WIS-003 | Confirm ISU, security group, and domain read-only permissions | P0 | Unassigned | 2026-04-12 | WIS-002 | Approved least-privilege matrix published | Validate permissions against allowlist and denylist checklist | READY | +| WIS-004 | Publish field allowlist and explicit denylist in version control | P0 | Unassigned | 2026-04-13 | WIS-003 | Field-scope policy document merged and referenced by tests | Peer review confirms all sensitive domains excluded | READY | +| WIS-005 | Create endpoint mapping table for all five Workday tools | P0 | Unassigned | 2026-04-14 | WIS-004 | Tool-to-endpoint mapping complete with request/response/error contracts | Trace each tool to endpoint and run contract review | READY | +| WIS-006 | Scaffold Workday MCP project files to Identity parity | P1 | 
Unassigned | 2026-04-16 | WIS-005 | Server, backend, adapter, debug script, tests, and pyproject created | Local startup succeeds in memory mode | READY | +| WIS-007 | Implement memory backend with deterministic worker fixtures | P1 | Unassigned | 2026-04-17 | WIS-006 | Fixtures cover active, terminated, future-dated, contractor cases | Unit tests pass for fixture-driven tool outputs | READY | +| WIS-008 | Implement API backend token flow with secure secret loading | P1 | Unassigned | 2026-04-18 | WIS-006, WIS-002 | OAuth token acquisition and refresh work with no secrets in code/logs | Integration smoke test obtains token and executes read call | READY | +| WIS-009 | Implement and validate first tool: getWorkerStatus | P1 | Unassigned | 2026-04-19 | WIS-008, WIS-005 | Tool returns allowlisted fields only with stable schema | Run tool in non-prod and compare to expected schema | READY | +| WIS-010 | Add allowlist schema validation tests for all tool outputs | P1 | Unassigned | 2026-04-20 | WIS-009, WIS-004 | Automated tests fail on disallowed fields and pass on compliant output | Execute test suite and confirm gate behavior | READY | +| WIS-011 | Implement remaining tools: worker, org attributes, manager, effective dates | P1 | Unassigned | 2026-04-22 | WIS-009, WIS-010 | All five read-only tools operational in memory and API modes | Run tool-by-tool smoke checks and integration tests | READY | +| WIS-012 | Add adapter resilience for 401/403/404/429/5xx with retry/timeouts | P1 | Unassigned | 2026-04-23 | WIS-011 | Error handling and backoff logic validated by tests | Mock HTTP scenarios and verify controlled responses | READY | +| WIS-013 | Define canonical correlation key precedence across Workday and AD | P2 | Unassigned | 2026-04-24 | WIS-011 | Correlation strategy documented and approved | Validate mapping against sample records with edge cases | READY | +| WIS-014 | Implement mismatch detector: terminated in Workday but active in AD | P2 | Unassigned | 
2026-04-25 | WIS-013 | Rule triggers correctly and emits actionable mismatch record | Run detector on test dataset with known outcomes | READY | +| WIS-015 | Implement mismatch detector: future-dated hire prematurely provisioned | P2 | Unassigned | 2026-04-26 | WIS-013 | Rule identifies early-provisioning violations | Validate against future-dated hire scenarios | READY | +| WIS-016 | Implement mismatch detector: active worker missing in AD | P2 | Unassigned | 2026-04-27 | WIS-013 | Missing-account cases are detected without false positives | Reconcile detector output with manually curated sample set | READY | +| WIS-017 | Implement mismatch detector: manager mismatch | P2 | Unassigned | 2026-04-28 | WIS-013 | Manager differences flagged with both source values | Compare output to Workday and AD manager fields | READY | +| WIS-018 | Implement mismatch detector: contractor past end date still active | P2 | Unassigned | 2026-04-29 | WIS-013 | Expired contractor access identified and categorized | Validate with contractor end-date test records | READY | +| WIS-019 | Build Power Automate daily sync flow (non-prod) | P3 | Unassigned | 2026-05-02 | WIS-011, WIS-014-WIS-018 | Daily flow executes MCP calls and writes run telemetry | Trigger flow manually and by schedule; verify run logs | READY | +| WIS-020 | Build Power Automate weekly drift reporting flow | P3 | Unassigned | 2026-05-03 | WIS-019 | Weekly report generated, distributed, and archived | Confirm report delivery list receives expected summary | READY | +| WIS-021 | Add idempotency controls to avoid duplicate tickets/actions | P3 | Unassigned | 2026-05-04 | WIS-019 | Duplicate processing prevented across reruns | Execute repeated test runs and confirm no duplicate artifacts | READY | +| WIS-022 | Integrate ticket approval gate before remediation execution | P4 | Unassigned | 2026-05-06 | WIS-019, WIS-021 | No remediation executes without valid approval metadata | Attempt unapproved run and confirm hard block | 
READY | +| WIS-023 | Define remediation action catalog mapped to mismatch types | P4 | Unassigned | 2026-05-07 | WIS-014-WIS-018 | Action matrix approved by IAM/Security and IT Ops | Review matrix and sign off in change record | READY | +| WIS-024 | Implement rollback procedures and tests for each remediation action | P4 | Unassigned | 2026-05-09 | WIS-023 | Rollback path documented and successfully tested for each action | Execute rollback drills in non-prod with evidence captured | READY | +| WIS-025 | Instrument KPI baseline for Q1 2026 MTTP | P5 | Unassigned | 2026-05-10 | Access to historical onboarding tickets | Baseline dataset and formula documented | Recompute baseline independently and match results | READY | +| WIS-026 | Implement KPI dashboard metrics and weekly trend outputs | P5 | Unassigned | 2026-05-12 | WIS-020, WIS-025 | Dashboard shows MTTP delta, drift volume, resolution mode split, hours saved | Validate dashboard calculations against raw report data | READY | +| WIS-027 | Enable production logging/redaction and operational monitoring | P6 | Unassigned | 2026-05-14 | WIS-012, WIS-026 | Request-level logs, redaction checks, and health monitors active | Run synthetic checks for auth, latency, and failure paths | READY | +| WIS-028 | Execute pilot rollout and validate SLA/severity routing | P6 | Unassigned | 2026-05-16 | WIS-022, WIS-027 | Pilot operates without policy violations and with acceptable false-positive rate | 2-week pilot report accepted by IT Operations | READY | +| WIS-029 | Production cutover and manual reconciliation retirement | P7 | Unassigned | 2026-06-15 | WIS-028 | Automated process is primary; manual reconciliation decommissioned | Confirm no manual reconciliation tasks required for 2 cycles | READY | +| WIS-030 | Q3 outcome verification and executive evidence pack | P7 | Unassigned | 2026-09-30 | WIS-029 | Evidence shows >=30% MTTP reduction and weekly drift reports running | Validate KPI package against baseline and audit 
records | READY | + +## Notes + +- Date placeholders are proposed sequencing dates and should be adjusted to active sprint cadence. +- If needed, split large items into child stories but preserve the same ID as parent epic prefix.
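Review bot: WIS-028 (pilot rollout) depends only on WIS-022 and WIS-027, and WIS-022 depends only on WIS-019 and WIS-021, so the dependency chain allows the pilot to execute human-approved remediation before WIS-023 (remediation action catalog) and WIS-024 (rollback procedures and tests) are complete, which contradicts the backlog's Priority 4 ordering where rollback is built and tested on non-production data before any write path runs. Suggest changing WIS-022's dependency to "WIS-019, WIS-021, WIS-023" and WIS-028's to "WIS-022, WIS-024, WIS-027", and adding "rollback drill evidence attached" to WIS-028's definition of done. Minor: the dependency cells for WIS-019 and WIS-023 use "WIS-014-WIS-018", which reads like a single malformed ID beside the other hyphenated IDs; write it as "WIS-014 to WIS-018" or list the five IDs explicitly.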