diff --git a/cc-ci-plan/plan-sso-dep-testing.md b/cc-ci-plan/plan-sso-dep-testing.md index 9e408b6..a216b0c 100644 --- a/cc-ci-plan/plan-sso-dep-testing.md +++ b/cc-ci-plan/plan-sso-dep-testing.md @@ -172,9 +172,14 @@ These are **loop work** under this plan, not deferred: ## 6. What stays deferred (genuinely operator-input) -- **authentik enrollment + `setup_authentik_realm` backend** (DEFERRED #9) — provider breadth, not - blocking any Phase-2 recipe under keycloak. Open question for the operator: do we want - cross-provider coverage as part of Phase-2 DONE? If yes, lift; if not, leave deferred. +- **authentik enrollment + `setup_authentik_realm` backend** (DEFERRED #9) — **RESOLVED (operator, + 2026-05-29): keycloak is our default SSO provider; default ALL recipe OIDC tests to keycloak.** Do + NOT test authentik↔keycloak integration, and do NOT enroll authentik just to "prove pluggability" + — **Phase-2 DONE is NOT gated on authentik.** Enroll authentik + add `setup_authentik_realm` ONLY + if/when a recipe genuinely **requires** authentik (won't work under keycloak). If a recipe works + with keycloak, use keycloak. So DEFERRED #9's re-entry trigger narrows to "a recipe requires + authentik" — the cross-provider-coverage trigger is dropped. (E.g. cryptpad: its upstream test + uses authentik, but test it under **keycloak** — equally valid.) - The `--extra-tests` flag IDEA is **not** a precondition for this plan; OIDC-dep tests are part of the default suite for the recipes that need them.
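Review bot: The narrowed re-entry trigger in the rewritten DEFERRED #9 bullet ("a recipe genuinely **requires** authentik (won't work under keycloak)") gives no criterion for how "won't work under keycloak" is established, so the decision to enroll authentik falls to whoever next hits a failing OIDC test. Suggest adding one line that says what evidence counts, for example a keycloak-backed test failure traced to a provider-specific behaviour rather than to recipe or realm misconfiguration, and who signs off on lifting the deferral. Two smaller points on the same bullet: it is now marked RESOLVED but still sits under "## 6. What stays deferred (genuinely operator-input)", so either keep only the narrowed trigger here or adjust the heading so a resolved decision is not listed as pending operator input; and the cryptpad aside calls the keycloak run "equally valid" even though the upstream test uses authentik, so a short statement of what the keycloak-based test covers relative to upstream would support that claim.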