diff --git a/IMPLEMENTATION_NOTES.md b/IMPLEMENTATION_NOTES.md new file mode 100644 index 0000000000..2ecdcf522d --- /dev/null +++ b/IMPLEMENTATION_NOTES.md @@ -0,0 +1,10 @@ +# Actions Permissions Implementation Notes + +Reading through #24635 and related PRs. +Need to understand why #23729 and #24554 were rejected. + +Key points: +- Security first +- Org/repo boundaries +- No blanket permissions +
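Review bot: The new IMPLEMENTATION_NOTES.md at the repository root reads as personal working notes rather than documentation: the line "Need to understand why #23729 and #24554 were rejected." records an open question, not a conclusion a later reader can rely on. The three bullets under "Key points" ("Security first", "Org/repo boundaries", "No blanket permissions") state no rule that a reviewer could check a permissions change against. Either drop this file from the change, or replace the bullets with the concrete constraints they stand for: what may and may not cross the org/repo boundary, what counts as a "blanket" permission here, and, once known, the reasons the two referenced PRs were rejected.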