diff --git a/infra/base/authentik/bootstrap-prod.yaml b/infra/base/authentik/bootstrap-prod.yaml
index 5195f8e..6250a8c 100644
--- a/infra/base/authentik/bootstrap-prod.yaml
+++ b/infra/base/authentik/bootstrap-prod.yaml
@@ -7,6 +7,94 @@ metadata:
name: AI Tax Agent — Production Bootstrap
entries:
+ # --- Groups first (so the admin user can reference them) -------------------
+ - model: authentik_core.group
+ state: present
+ identifiers:
+ name: "Administrators"
+ attrs:
+ is_superuser: true
+
+ - model: authentik_core.group
+ state: present
+ identifiers:
+ name: "Tax Reviewers"
+ attrs:
+ is_superuser: false
+
+ - model: authentik_core.group
+ state: present
+ identifiers:
+ name: "Accountants"
+ attrs:
+ is_superuser: false
+
+ - model: authentik_core.group
+ state: present
+ identifiers:
+ name: "Clients"
+ attrs:
+ is_superuser: false
+
+ # --- Admin user ------------------------------------------------------------
+ - model: authentik_core.user
+ state: present
+ identifiers:
+ username: admin
+ attrs:
+ name: "System Administrator"
+ email: admin@app.harkon.co.uk
+ is_active: true
+ is_staff: true
+ is_superuser: true
+ groups:
+ - !Find [authentik_core.group, [name, "Administrators"]]
+
+ # --- Scope mappings (find existing ones and get stable IDs) -----------------
+ - id: scope_openid
+ model: authentik_providers_oauth2.scopemapping
+ identifiers:
+ scope_name: openid
+
+ - id: scope_profile
+ model: authentik_providers_oauth2.scopemapping
+ identifiers:
+ scope_name: profile
+
+ - id: scope_email
+ model: authentik_providers_oauth2.scopemapping
+ identifiers:
+ scope_name: email
+
+ - id: scope_groups
+ model: authentik_providers_oauth2.scopemapping
+ identifiers:
+ scope_name: groups
+
+ - id: scope_offline
+ model: authentik_providers_oauth2.scopemapping
+ identifiers:
+ scope_name: offline_access
+
+ # Helper finders
+ - id: default_signing_key
+ model: authentik_crypto.certificatekeypair
+ state: present
+ identifiers:
+ name: "authentik Self-signed Certificate"
+
+ - id: default_authz_flow
+ model: authentik_flows.flow
+ state: present
+ identifiers:
+ slug: "default-authentication-flow"
+
+ - id: default_inval_flow
+ model: authentik_flows.flow
+ state: present
+ identifiers:
+ slug: "default-invalidation-flow"
+
# --- AI Tax Agent API (Production) -----------------------------------------
- model: authentik_providers_oauth2.oauth2provider
state: present
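Review bot: The `default_authz_flow` finder near the end of the hunk resolves slug `default-authentication-flow`, which is authentik's login flow (designation `authentication`), not an authorization flow; if the provider entry opened by the last context lines binds it as `authorization_flow`, the provider at minimum runs without a consent/authorization stage and may be rejected by the importer. The stock authorization flows are `default-provider-authorization-explicit-consent` and `default-provider-authorization-implicit-consent`; for a production tenant I would use `slug: "default-provider-authorization-explicit-consent"` and keep the id name honest. Separately, the `admin` superuser entry sets no credential and `AUTHENTIK_BOOTSTRAP_PASSWORD` only seeds the built-in `akadmin` account, so either add a comment above the entry stating how this account receives its password and MFA enrolment, or drop it and grant the `Administrators` group to `akadmin` instead. authentik also derives a user's superuser status from group membership, so the `is_superuser: true` under the user's `attrs` is presumably redundant — confirm the blueprint importer accepts it rather than erroring. The provider entry that starts on the final context lines continues outside this hunk.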