Make MI-ADEF authorization-by-default assessable across all network interfaces
Standard: EN 304 625 Network Interfaces
Clause: 5.2.5.2 MI-ADEF
Comment type: Technical
Concern: The current MI-ADEF mitigation appears too generic to be consistently assessed across physical, virtual, local, remote, management, diagnostic and host-facing interfaces. A product could claim authorization-by-default while leaving some interface classes or access modes insufficiently covered.
Objective: Make authorization-by-default explicit, interface-complete and testable.
Suggested contribution: The product shall require explicit authorization by default before any interface permits access to security-relevant assets or sensitive functions. Security-relevant assets include, at minimum, firmware, boot or runtime security configuration, cryptographic keys, credentials, diagnostics that expose sensitive data, and interface control functions that can affect availability or integrity of the host or network.
Authorization shall be evaluated at the point of access and shall be bound to the requesting identity or host context, requested asset or function, access mode (read, write, execute, configure), and current security state.
Assessment suggestion: For each physical, virtual, local, remote, management, diagnostic and host-facing interface, attempt unauthenticated and unauthorized read, write, execute and configuration operations against each security-relevant asset or function. Verify that default behavior is deny and that permitted access can be traced to an explicit authorization rule or policy.
Rationale: This makes the mitigation concrete and assessable. It reduces the risk that diagnostic, virtual, host-facing or management interfaces remain permissive while the product still claims secure-by-default behavior.
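Illustration of the suggested contribution and assessment (an added example, not text from EN 304 625 or from the product under assessment): a default-deny decision bound to interface, identity, asset, access mode and security state, plus a walk of the full assessment matrix. The rule set, the identities, the state names and the flawed `permissive_diag` product are constructed assumptions.

```python
from itertools import product
from typing import NamedTuple, Optional

INTERFACES = ("physical", "virtual", "local", "remote",
              "management", "diagnostic", "host-facing")
MODES = ("read", "write", "execute", "configure")
ASSETS = ("firmware", "security_config", "crypto_keys", "credentials",
          "sensitive_diagnostics", "interface_control")

class Rule(NamedTuple):
    rule_id: str
    interface: str
    identity: str
    asset: str
    mode: str
    state: str

class Decision(NamedTuple):
    allowed: bool
    rule_id: Optional[str]  # explicit rule the grant traces to, if any

POLICY = [  # constructed sample policy
    Rule("R1", "management", "admin", "security_config", "configure", "operational"),
    Rule("R2", "local", "updater", "firmware", "write", "maintenance"),
]

def authorize(policy, interface, identity, asset, mode, state):
    """Point-of-access check: deny unless one rule matches every bound attribute."""
    want = (interface, identity, asset, mode, state)
    for r in policy:
        if r[1:] == want:
            return Decision(True, r.rule_id)
    return Decision(False, None)

def compliant(interface, identity, asset, mode, state):
    return authorize(POLICY, interface, identity, asset, mode, state)

def permissive_diag(interface, identity, asset, mode, state):
    """Constructed flawed product: diagnostic reads bypass the policy check."""
    if interface == "diagnostic" and mode == "read":
        return Decision(True, None)
    return authorize(POLICY, interface, identity, asset, mode, state)

def assess(check, identities=(None, "guest"), states=("operational", "maintenance")):
    """Try unauthenticated (None) and unauthorized access in every matrix cell."""
    findings = []
    for cell in product(INTERFACES, identities, ASSETS, MODES, states):
        d = check(*cell)
        if d.allowed:  # default must be deny for these identities
            findings.append(cell + (d.rule_id,))
    return findings
```

Each finding records the rule id (or `None`), so the assessor can see whether a permitted access traces back to an explicit authorization rule.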