Authentication, authorisation, encryption at rest and in transit, audit logging, tenant isolation and least-privilege access are part of the design conversation, not a separate workstream. We use the patterns appropriate to your situation and document the threat model so the next team can keep it honest.