diff --git a/builtins/en/knowledge/security.md b/builtins/en/knowledge/security.md index de2b945..b9b9bc8 100644 --- a/builtins/en/knowledge/security.md +++ b/builtins/en/knowledge/security.md @@ -186,6 +186,21 @@ fun create(request: CreateRequest) { When a tenant resolver assumes a specific role (e.g., staff), the endpoint must have corresponding authorization controls. Without authorization, unexpected roles can access the endpoint and cause the resolver to fail. +```kotlin +// NG - Resolver assumes STAFF but no authorization control +fun getSettings(): SettingsResponse { + val tenantId = tenantResolver.resolve() // Fails for non-STAFF + return settingsService.getByTenant(tenantId) +} + +// OK - Authorization ensures correct role +@Authorized(roles = ["STAFF"]) +fun getSettings(): SettingsResponse { + val tenantId = tenantResolver.resolve() + return settingsService.getByTenant(tenantId) +} +``` + For endpoints with role-based branching, verify that tenant resolution succeeds on all paths. ## OWASP Top 10 Checklist diff --git a/builtins/ja/knowledge/security.md b/builtins/ja/knowledge/security.md index 1e5d91a..d51beea 100644 --- a/builtins/ja/knowledge/security.md +++ b/builtins/ja/knowledge/security.md @@ -186,6 +186,21 @@ fun create(request: CreateRequest) { テナントリゾルバーが特定ロール(例: スタッフ)を前提とする場合、エンドポイントに対応する認可制御が必要。認可なしだと、前提外のロールがアクセスしてリゾルバーが失敗する。 +```kotlin +// NG - リゾルバーが STAFF を前提とするが認可制御なし +fun getSettings(): SettingsResponse { + val tenantId = tenantResolver.resolve() // STAFF 以外で失敗 + return settingsService.getByTenant(tenantId) +} + +// OK - 認可制御でロールを保証 +@Authorized(roles = ["STAFF"]) +fun getSettings(): SettingsResponse { + val tenantId = tenantResolver.resolve() + return settingsService.getByTenant(tenantId) +} +``` + ロール分岐があるエンドポイントでは、全パスでテナント解決が成功するか検証する。 ## OWASP Top 10 チェックリスト
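Review bot: in the `builtins/en/knowledge/security.md` hunk, the OK example relies on `@Authorized(roles = ["STAFF"])` to guarantee the role, but neither the snippet nor the surrounding prose says that the annotation is enforced by a filter or interceptor before the handler body runs; a reader who copies it into a framework where that annotation is not wired up would still reach `tenantResolver.resolve()` with non-STAFF callers. Suggest one sentence after the block stating that the authorization check must execute ahead of the handler and that a rejected caller gets a deliberate authorization error rather than whatever the resolver throws. Minor: the `// Fails for non-STAFF` comment on the NG example could say how it fails (what the resolver throws or returns), since that observable symptom is what the checklist item warns about.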
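Review bot: the `builtins/ja/knowledge/security.md` hunk mirrors the en hunk exactly (same identifiers, same `@Authorized` annotation, matching NG/OK comments), so any clarification added to the English version about the annotation having to be enforced before the handler runs should be added here in the same place, otherwise the two builtins will drift. Nothing else to flag; the fence, blank `+` separator lines, and the following `## OWASP Top 10 チェックリスト` heading line up with the English file.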