diff --git a/docs/risks.md b/docs/risks.md index b4516ba..8661fbb 100644 --- a/docs/risks.md +++ b/docs/risks.md @@ -14,8 +14,7 @@ This file tracks known gaps and risks to address in future iterations. - Multiple serializers/model `__str__` paths in non-auth apps still fallback to `user.email`; phone-only users may get poor display/audit clarity. ## Next Auth Review Points -- Enforce normalized E.164 phone format at model/DB boundary (constraints, indexing, uniqueness behavior with nullable fields). -- Add DB-level non-null + format guardrails for `accounts_user.phone_number` to complement service-level normalization. +- DB-level guardrails for `accounts_user.phone_number` are now enforced (`NOT NULL`, `UNIQUE`, E.164 check constraint). - Decide user lifecycle for phone auth (create user before OTP verify vs provisional/pre-user state). - Expand abuse prevention beyond per-phone cooldown (IP throttling, device fingerprint, risk signals). - Define OAuth account-linking policy (phone/email conflicts, merge rules, trust source).
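Review bot: the replacement bullet states that `NOT NULL` is now enforced on `accounts_user.phone_number`, but it drops the two concerns the removed bullets carried (indexing, and uniqueness behaviour with nullable fields) without saying how they were resolved, and it leaves an open tension with the remaining items: a `NOT NULL` phone column means every user row must carry a phone number, yet the unchanged bullets still treat "phone-only users" as one case among others and still list "Define OAuth account-linking policy (phone/email conflicts, merge rules, trust source)" as undecided. Suggest either keeping a risk line that records what the constraint implies for email-only or OAuth-created users (e.g. "- `NOT NULL` on `phone_number` rules out email-only/OAuth-only accounts until the account-linking policy is decided") or stating explicitly that such accounts are no longer supported. Since this is a risks file, a resolved item should also reference the migration that introduced the constraints and name the E.164 check expression, so a reviewer can verify the guardrail rather than take "are now enforced" on trust.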