diff --git a/pulumi/policy.hujson b/pulumi/policy.hujson
index 580aade..d215ef7 100644
--- a/pulumi/policy.hujson
+++ b/pulumi/policy.hujson
@@ -11,18 +11,11 @@
 },
 // ============== Access Grants ==============
- // Note: autogroup:admin doesn't work reliably - use specific emails
- // Note: dst: ["*"] doesn't work reliably - use explicit tags
 "grants": [
- // --- Erich: full access to all infrastructure ---
+ // --- Admins: full access to all infrastructure ---
 {
- "src": ["blume.erich@gmail.com"],
- "dst": ["tag:homelab", "tag:nas"],
- "ip": ["*"],
- },
- {
- "src": ["blume.erich@gmail.com"],
- "dst": ["tag:grafana", "tag:kiwix", "tag:forge", "tag:devpi", "tag:loki", "tag:pg", "tag:feed"],
+ "src": ["autogroup:admin"],
+ "dst": ["*"],
 "ip": ["*"],
 },
@@ -77,18 +70,18 @@
 "dst": ["autogroup:self"],
 "users": ["autogroup:nonroot"],
 },
- // Erich can SSH to homelab (for ansible)
+ // Admins can SSH to homelab (for ansible)
 {
 "action": "check",
- "src": ["blume.erich@gmail.com"],
+ "src": ["autogroup:admin"],
 "dst": ["tag:homelab"],
 "users": ["autogroup:nonroot"],
 "checkPeriod": "12h0m0s",
 },
- // Erich can SSH to NAS
+ // Admins can SSH to NAS
 {
 "action": "check",
- "src": ["blume.erich@gmail.com"],
+ "src": ["autogroup:admin"],
 "dst": ["tag:nas"],
 "users": ["autogroup:nonroot"],
 "checkPeriod": "12h0m0s",
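Review bot: The new grant's `"dst": ["*"]` combined with the retained `"ip": ["*"]` reaches every node in the tailnet on every port, not only the tagged infrastructure that the heading "full access to all infrastructure" describes, so any admin also gets full access to user-owned devices. If infrastructure is the intent, keep the destination to the tags the removed lines listed, e.g. `"dst": ["tag:homelab", "tag:nas", "tag:grafana", "tag:kiwix", "tag:forge", "tag:devpi", "tag:loki", "tag:pg", "tag:feed"],` (or `autogroup:tagged`, if it resolves as expected in grants); otherwise retitle the comment so it states the real scope. The hunk also deletes the two notes saying `autogroup:admin` and `dst: ["*"]` "don't work reliably" without recording what changed; a one-line comment such as `// Verified on <date>: autogroup:admin and dst "*" resolve correctly in grants` would stop the next reader from reinstating the workaround. The `grants` array continues past the end of the hunk.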
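Review bot: Switching the SSH `src` to `autogroup:admin` in both rules means who can SSH as any non-root user on `tag:homelab` and `tag:nas` is now decided by the tailnet's admin-role assignment rather than by a reviewed change to this file, so a role grant elsewhere silently widens host access. That is probably intended, but it deserves to be stated next to the rule, e.g. `// Admins can SSH to homelab (for ansible); admin membership is managed outside this file`. The unchanged `"checkPeriod": "12h0m0s"` still bounds each admin session with re-authentication, which is worth keeping as the widening's compensating control. The enclosing array (presumably the SSH rule list) starts and ends outside this hunk.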