Classification standards that do not rot: RAG the whole way down

Most classification taxonomies rot. Three tiers, applied harder, is the one that does not.

The three tiers

• Restricted. PII, secrets, regulated data. Default masking, no export, retrieval only with explicit consent.
• Internal. Everything else created inside the company. No masking, no external export.
• Public. Explicitly cleared for outside the company. Default-allow on every downstream.

One tier per dataset. One masking policy per tier. No exceptions, no bespoke categories for the third-floor marketing team. The taxonomy is deliberately boring because the enforcement is the interesting part.